
List:       ipsec-tools-devel
Subject:    [Ipsec-tools-devel]  help with ipsec routing
From:       "Jigar SOLANKI" <sol4nki () gmail ! com>
Date:       2008-12-03 16:28:12
Message-ID: 52bc9f190812030828t3c1d0b40v51486590288c084b () mail ! gmail ! com


Hi,

Let's start at the beginning:

Here's basically the way an IPSec negotiation works (hope someone will fix it
if I'm wrong ;) ).

[Network_A] <----> Gate_A <====Internet/unsafe_network=========> Gate_B <------> [Network_B]

Well, in this simple configuration, you allow network_a to communicate with
network_b using an IPSec tunnel between Gate_A and Gate_B. It means that:
- Everything between gate_a and gate_b is encrypted using the configuration
you provided.
- Only network_a and network_b are allowed to take the IPSec tunnel. All
other packets go out in clear.


192.168.1.0/24 ---|
                  |------ 1.2.3.4 <===============> 2.3.4.5 ------ 10.2.3.0/16
192.168.2.0/24 ---|


You want an IPSec set up between 1.2.3.4 and 2.3.4.5 (tunnel endpoints) to
secure the communications between 192.168.1.0/24 and 10.2.3.0/16 (traffic
endpoints). 192.168.2.0/24 won't be able to contact 10.2.3.0/16. How?

When an outgoing/incoming packet arrives on your gate, it looks at the
source/destination address and checks if there is an IPSec configuration that
matches this packet. If there is one, the packet is encrypted/decrypted
(after negotiation); if there isn't, the packet goes out in clear (outgoing
packet) or is dropped (incoming packet).

Config files look like this:

On Gate_A (on gate_b, it's the symmetric):

racoon.conf :

remote 2.3.4.5
{
   ....
}

sainfo address 192.168.1.0/24 any address 10.2.3.0/16 any
{
 ...
}

setkey:

flush;
spdflush;

spdadd 192.168.1.0/24 any 10.2.3.0/16 any -P out ipsec
    esp/tunnel/1.2.3.4-2.3.4.5/require ;

spdadd 10.2.3.0/16 any 192.168.1.0/24 any -P in ipsec
    esp/tunnel/2.3.4.5-1.2.3.4/require ;

=============================================================================================
=============================================================================================


Back to your case:

What exactly does your client want to do? What is the network
configuration on both sides? What traffic exactly (networks) do you want to be
encrypted between your client and you?

Your email problem (and the others) comes from your last spd rule, which
routes every packet coming from the mail server into the tunnel, whereas
there's no reason to do that. All packets coming from/going to the mail
server should not match (according to your configuration) any IPSec policy.

your_client_network <----> your_client_gate <========> your_gate ------
the_network_you_want_your_client_to_be_able_to_contact_inside_your_network


Some links that might help:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
http://technet.microsoft.com/en-us/library/cc784471.aspx
http://www.kame.net/newsletter/20001119/



Hope this helps, ;)


---
SOLANKI Jigar
ATHEOS - L'Esprit D'Architecte -
---
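As an added example (not part of Jigar's mail, and not ipsec-tools code), here is a small model of the SPD lookup the mail describes, run against its own two setkey policies plus one constructed, over-broad "everything from the mail server" rule of the kind blamed for the mail-server symptom. The mail-server address 192.168.1.25, the Internet host 203.0.113.9 and the broad rule are assumptions; ports are ignored, the first matching policy wins, and unmatched traffic goes out in clear or is dropped on input exactly as the mail states.

```python
# Added example, not from the mail above: a model of the SPD lookup it
# describes. Assumptions (labelled, not from the page): ports are ignored,
# the first matching policy wins, and an unmatched packet goes out in clear /
# is dropped on input as the mail says (real kernels apply a default policy).
import ipaddress
import re

# Policies copied from the mail. 10.2.3.0/16 has host bits set; setkey takes it
# as 10.2.0.0/16, so we parse with strict=False.
SPD_FROM_MAIL = """
spdadd 192.168.1.0/24 any 10.2.3.0/16 any -P out ipsec
    esp/tunnel/1.2.3.4-2.3.4.5/require ;
spdadd 10.2.3.0/16 any 192.168.1.0/24 any -P in ipsec
    esp/tunnel/2.3.4.5-1.2.3.4/require ;
"""

# Constructed, hypothetical rule: "everything from the mail server goes into
# the tunnel", which is the mistake the mail diagnoses.
BROAD_MAIL_SERVER_RULE = """
spdadd 192.168.1.25/32 any 0.0.0.0/0 any -P out ipsec
    esp/tunnel/1.2.3.4-2.3.4.5/require ;
"""

RULE_RE = re.compile(
    r"spdadd\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;")


def parse_spd(text):
    """Turn spdadd statements into (src_net, dst_net, direction, template)."""
    flat = " ".join(text.split())  # rejoin the wrapped template line onto its spdadd
    return [(ipaddress.ip_network(s, strict=False), ipaddress.ip_network(d, strict=False), dr, t)
            for s, d, dr, t in RULE_RE.findall(flat)]


def lookup(rules, src, dst, direction):
    """What the gate does with one packet: the matched template, 'clear' or 'drop'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rdir, tmpl in rules:
        if rdir == direction and s in src_net and d in dst_net:
            return tmpl
    return "clear" if direction == "out" else "drop"


if __name__ == "__main__":
    good = parse_spd(SPD_FROM_MAIL)
    bad = good + parse_spd(BROAD_MAIL_SERVER_RULE)
    print(lookup(good, "192.168.1.20", "10.2.3.7", "out"))    # tunnelled
    print(lookup(good, "192.168.2.20", "10.2.3.7", "out"))    # clear: no policy
    print(lookup(good, "203.0.113.9", "192.168.2.20", "in"))  # dropped, per the mail
    # Mail server talking to an Internet host: clear with the mail's policies,
    # but the broad rule forces it into the tunnel, where that host is unreachable.
    print(lookup(good, "192.168.1.25", "203.0.113.9", "out"))
    print(lookup(bad, "192.168.1.25", "203.0.113.9", "out"))
```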





_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

