
Re: Debian Firewall + IPSec gateway...



On Tue, 2005-02-01 at 23:44, Guillaume Lécroart wrote:
> Hi,
> 
> I'm setting up a single Debian host as a firewall + IPSec gateway for a 
> small company. I'm using a sarge + security updates distro. For standard 
> traffic (no IPSec yet), iptables suits quite well. However, troubles 
> come with IPSec.

> First, I needed to set up a road-warrior profile with NAT-T. I finally
> discovered I had to fall back to 2.4 kernel due to ESPINUDP broken in
> 2.6 then use the OpenSwan package instead of FreeSwan because of the
> "udp_encap_rcv(): Unhandled UDP encap type: " message (still exists with
> OpenSwan, but NAT-T works...)
> 
> This finally working, I need to allow IPSec telecommuters to access the
> internal network.
> 
> The problem here is how to identify the IPSec traffic. I implemented
> this long ago, where IPSec traffic would come out of a "ipsecxxx"
> interface, which was really easy for adding a '-i ipsecxxx' iptables rule.
> In the newer implementation of FreeSWan/OpenSWan, this behaviour has
> changed, since the IPSec traffic is still reported as coming from the
> physical interface. I found out that I could use the "policy matching"
> netfilter module, but this is not included in 2.4.27-2 (and possibly
> not in 2.6.10, since I couldn't find any ipt_policy.ko in
> /lib/modules/2.6.10-1-686).
> 
> Is there another way of matching the IPSec traffic?
> Have I no other solution than building a custom kernel?
> 

Matching ipsec traffic is easily done. Simply use the -j MARK target to
tag esp packets and then use that mark in filtering rules, e.g.:

<snip>
# allow ike
$IPT -A INPUT -i $EXT_IF -d $EXT_IP -p udp --dport 500 -j ACCEPT
# tag esp packets: MARK is a mangle-table target, and it has to run before
# the ACCEPT below, since an accepted packet leaves the chain before any
# later rule (such as a MARK) is reached
$IPT -t mangle -A PREROUTING -i $EXT_IF -d $EXT_IP -p esp -j MARK --set-mark 1
# allow esp
$IPT -A INPUT -i $EXT_IF -d $EXT_IP -p esp -j ACCEPT
# forward marked packets selectively
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $INT_NET -m mark --mark 1 \
    <other filtering options> -j ACCEPT
</snip>

etc., etc.

PS: have you had a look at isakmpd + std kernel-2.6 image? Works nicely,
no rolling customs involved, talks to native XP clients etc.
:)
Hope this helps

regards

charlie

-- 
============================
Charles Kidson
Systems Administrator
General Pants Group
charlesk@generalpants.com.au
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766
============================


Notice: This email and any attachments are confidential and may contain
copyright material of General Pants Co. Pty Ltd., Jetty Surf Pty Ltd. or
third parties. If you are not the intended recipient of this email you
should not read, print, re-transmit, store or act in reliance on this email
or any attachments, and should destroy all copies of them. General Pants Co.
Pty Ltd. and Jetty Surf Pty Ltd. does not guarantee the integrity of any
emails or any attached files. The views or opinions expressed are the
author's own and may not reflect the views or opinions of General Pants Co.
Pty Ltd. and Jetty Surf Pty Ltd..
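Below is an added example, not part of Charlie's reply nor of the Openswan or Debian packaging: a complete ruleset for the marking approach on a 2.6 kernel with native IPsec, with NAT-T (UDP 4500) included because the original poster uses it. The interface names eth0/eth1, the external address 203.0.113.10 and the internal network 192.168.10.0/24 are assumed values. The mark is set in the mangle table ahead of any ACCEPT, because a MARK rule placed after an ACCEPT in the same chain is never reached, and the FORWARD rule relies on the native 2.6 stack keeping the mark on the decrypted inner packet when it re-enters netfilter. Without APPLY=1 the script only prints the rules it would load, and mark_rules_first verifies that every MARK rule precedes the first ACCEPT.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed values: eth0/eth1,
# 203.0.113.10 (external, documentation range) and 192.168.10.0/24 (internal).
# With APPLY=1 the rules are loaded through iptables; otherwise they are only
# printed, so the ruleset can be reviewed or diffed without touching the box.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=${EXT_IP:-203.0.113.10}
INT_NET=${INT_NET:-192.168.10.0/24}
IPSEC_MARK=${IPSEC_MARK:-1}

# run_rule: print the rule and execute it only when APPLY=1
run_rule() {
    echo "$IPT $*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    fi
}

# ipsec_rules: emit the rules in the order they must be loaded
ipsec_rules() {
    # 1. Mark in the mangle table, before any filter-table ACCEPT, so the
    #    mark is set regardless of what the filter table decides later.
    #    Both plain ESP and UDP-encapsulated ESP (NAT-T, port 4500) are
    #    marked; the decrypted inner packet keeps the mark on re-entry.
    run_rule -t mangle -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p esp -j MARK --set-mark "$IPSEC_MARK"
    run_rule -t mangle -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 4500 -j MARK --set-mark "$IPSEC_MARK"

    # 2. Let the tunnel itself reach the gateway: IKE, NAT-T and ESP.
    run_rule -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 500 -j ACCEPT
    run_rule -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 4500 -j ACCEPT
    run_rule -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p esp -j ACCEPT

    # 3. Only marked (i.e. decrypted) traffic may be forwarded inwards, and
    #    only to the internal network; replies ride on the connection state.
    run_rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_NET" -m mark --mark "$IPSEC_MARK" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run_rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unmarked (cleartext) traffic from outside never reaches the LAN.
    run_rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
}

# mark_rules_first: returns 0 when every MARK rule precedes the first ACCEPT,
# i.e. the ordering mistake that silently disables marking is absent
mark_rules_first() {
    seen_accept=0
    ipsec_rules | while IFS= read -r rule; do
        case "$rule" in
            *"-j ACCEPT"*) seen_accept=1 ;;
            *"-j MARK"*)   [ "$seen_accept" -eq 0 ] || exit 1 ;;
        esac
    done
}

# Print (or, with APPLY=1, load) the ruleset when run as a script.
ipsec_rules
```

Run it once without APPLY to read the generated rules, then with `APPLY=1` as root to load them; the check function can be reused after any edit to the ruleset to make sure the mangle rules still come first.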


