Debian Firewall + IPSec gateway...


I'm setting up a single Debian host as a firewall + IPSec gateway for a small company. I'm using a sarge + security updates distro. For standard traffic (no IPSec yet), iptables suits quite well. However, troubles come with IPSec.

First, I needed to set up a road-warrior profile with NAT-T. I finally discovered I had to fall back to the 2.4 kernel due to ESPINUDP being broken in 2.6, then use the OpenSwan package instead of FreeSwan because of the "udp_encap_rcv(): Unhandled UDP encap type: " message (still exists with OpenSwan, but NAT-T works...)

This finally working, I need to allow IPSec telecommuters to access the internal network.

The problem here is how to identify the IPSec traffic. I implemented this long ago, when IPSec traffic would come out of an "ipsecxxx" interface, which made it really easy to add a '-i ipsecxxx' iptables rule. In the newer implementation of FreeSWan/OpenSWan, this behaviour has changed, since the IPSec traffic is still reported as coming from the physical interface. I found out that I could use the "policy matching" netfilter module, but this is not included in 2.4.27-2 (and possibly not in 2.6.10, since I couldn't find any ipt_policy.ko in /lib/modules/2.6.10-1-686).

Is there another way of matching the IPSec traffic?
Have I no other solution than building a custom kernel?

Thanks a lot
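The two ways of identifying decrypted IPsec traffic that the post describes, as an added example that is not part of the original message: the old KLIPS-style match on a virtual `ipsec0` interface, and the NETKEY-style `-m policy` match that is needed when decrypted packets reappear on the physical interface. The policy match only works where the kernel and iptables ship `ipt_policy`/`xt_policy`, which the post says the stock 2.4.27-2 kernel does not. The interface names (`eth0` external, `eth1` internal), the LAN prefix and the `run` dry-run wrapper are assumptions for the example; the script only prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed topology: eth0 faces the Internet, eth1 the internal LAN.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.1.0/24}   # assumed internal network

# Print the rule unless APPLY=1, so the ruleset can be reviewed first.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Let the tunnel itself reach the gateway: IKE on UDP/500,
# NAT-T encapsulated ESP on UDP/4500, and plain ESP (IP protocol 50).
ike_esp_rules() {
    run "$IPT" -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    run "$IPT" -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    run "$IPT" -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
}

# KLIPS-style stack (older FreeS/WAN): decrypted packets arrive on a
# virtual ipsecN interface, so matching on that interface is sufficient.
klips_forward_rule() {
    run "$IPT" -A FORWARD -i ipsec0 -o "$INT_IF" -d "$LAN" -j ACCEPT
}

# NETKEY-style stack (2.6 native IPsec / OpenSwan): decrypted packets are
# re-injected on the physical interface, so the policy match is what
# separates them from cleartext packets that also enter via eth0.
netkey_forward_rule() {
    run "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LAN" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
}

# Cleartext packets from outside that claim an internal destination carry
# no IPsec policy, so with a DROP default they never reach the LAN.
default_policies() {
    run "$IPT" -P FORWARD DROP
}

default_policies
ike_esp_rules
netkey_forward_rule
```

Use `klips_forward_rule` on a kernel where the ipsecN interface exists and `netkey_forward_rule` otherwise; the two are shown side by side only so the difference in what must be matched is visible.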
