Debian Firewall + IPSec gateway...
Hi,
I'm setting up a single Debian host as a firewall + IPSec gateway for a
small company. I'm using a sarge + security updates distro. For standard
traffic (no IPSec yet), iptables suits quite well. However, troubles
come with IPSec.
First, I needed to set up a road-warrior profile with NAT-T. I finally
discovered I had to fall back to 2.4 kernel due to ESPINUDP broken in
2.6 then use the OpenSwan package instead of FreeSwan because of the
"udp_encap_rcv(): Unhandled UDP encap type: " message (still exists with
OpenSwan, but NAT-T works...)
With this finally working, I need to allow IPSec telecommuters to access the
internal network.
The problem here is how to identify the IPSec traffic. I implemented
this long ago, where IPSec traffic would come out of an "ipsecxxx"
interface, which was really easy for adding a '-i ipsecxxx' iptables rule.
In the newer implementation of FreeSWan/OpenSWan, this behaviour has
changed, since the IPSec traffic is still reported as coming from the
physical interface. I found out that I could use the "policy matching"
netfilter module, but this is not included in 2.4.27-2 (and possibly
not in 2.6.10, since I couldn't find any ipt_policy.ko in
/lib/modules/2.6.10-1-686).
Is there another way of matching the IPSec traffic?
Have I no other solution than building a custom kernel?
Thanks a lot
Guillaume
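As an added illustration of the policy-match approach the question mentions (example script, not from the original post or from the Openswan project): it assumes an iptables build whose kernel provides the policy match (the post notes it is absent from the stock 2.4.27-2 and 2.6.10 kernels), and hypothetical addresses eth0 for the external interface, 192.168.1.0/24 for the LAN and 10.99.0.0/24 for the road-warrior virtual subnet. The functions print the rules so they can be reviewed before being piped to a shell.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumes the iptables
# policy match (ipt_policy / xt_policy) is available in the kernel.
EXT_IF=eth0                 # hypothetical external interface
LAN_NET=192.168.1.0/24      # hypothetical internal network
RW_NET=10.99.0.0/24         # hypothetical road-warrior virtual subnet
IPT=${IPT:-iptables}

# Outer (encrypted) side: IKE, NAT-T and raw ESP reaching the gateway itself.
outer_rules() {
    echo "$IPT -A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT"   # IKE
    echo "$IPT -A INPUT -i $EXT_IF -p udp --dport 4500 -j ACCEPT"  # NAT-T
    echo "$IPT -A INPUT -i $EXT_IF -p esp -j ACCEPT"               # ESP
}

# What the post shows as insufficient: the decrypted packets re-enter on the
# physical interface, so "-i eth0 -s RW_NET" also matches a cleartext packet
# that merely claims a VPN source address. Kept here only for contrast.
naive_rule() {
    echo "$IPT -A FORWARD -i $EXT_IF -s $RW_NET -d $LAN_NET -j ACCEPT"
}

# Inner (decrypted) side with policy match: --pol ipsec --dir in only fires
# on packets that were decapsulated by an inbound IPsec SA, so a forged
# cleartext packet with a RW_NET source falls through to the final DROP.
inner_rules() {
    echo "$IPT -A FORWARD -i $EXT_IF -s $RW_NET -d $LAN_NET" \
         "-m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT"
    echo "$IPT -A FORWARD -o $EXT_IF -s $LAN_NET -d $RW_NET" \
         "-m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT"
    echo "$IPT -A FORWARD -i $EXT_IF -s $RW_NET -j DROP"
}

# Emit the complete rule set; apply with:  sh this_script.sh | sh
all_rules() {
    outer_rules
    inner_rules
}

all_rules
```

Without the policy match there is no netfilter-side attribute that distinguishes a decrypted packet from a cleartext one on the same interface, which is why the naive rule above is listed only as the thing to avoid.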