List: leaf-devel
Subject: Re: [leaf-devel] FreeS/WAN news
From: Tom Eastep <teastep () shorewall ! net>
Date: 2004-03-02 19:12:56
Message-ID: 200403021112.56541.teastep () shorewall ! net
On Tuesday 02 March 2004 07:56 am, Erich Titl wrote:
> Tom
>
> thanks for the details.
>
> At 07:41 02.03.2004 -0800, Tom Eastep wrote:
> >On Tuesday 02 March 2004 02:31 am, Erich Titl wrote:
> >
> >...
> >The 2.6 native implementation does away with the 'ipsecN' devices. So all
> >VPN/tunnel types *except* IPSEC use a separate device for tunneling; once
> > the changes to netfilter to *really* support this implementation are in
> > place, IPSEC will pass each tunneled packet through the tables twice --
> > once for the unencrypted copy of the packet and once for the encrypted
> > packet.
>
> Arghhhh....
>
That actually happens today with the classic IPSEC implementation. The
difference today is that unencrypted packets are never associated with the
real interface to the remote gateway -- they are only associated with the
'ipsecN' device.

Unencrypted stream:

local system<---><firewall internal if><--->ipsec0

The encrypted stream goes:

firewall<-------><firewall external if><---><remote gateway>

It is the encrypted part that gets defined in /etc/shorewall/tunnels.

In the new model, the unencrypted stream is:

local system<---><firewall internal if><---><firewall external if>

The encrypted stream remains the same as above.

This makes it impossible to associate the remote network with ipsec0 in
/etc/shorewall/interfaces or /etc/shorewall/hosts. You rather must associate
it with the real interface to the remote gateway :-( Unless Shorewall were to
resort to packet marking or some other scheme (which would break things like
traffic control), there is no way for Shorewall to ensure that only encrypted
traffic is sent to the remote network.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
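Added example, not from this thread and not Shorewall's own code: an iptables-restore filter fragment showing how the two-pass traversal Tom describes is handled once the netfilter `policy` match is available (the facility netfilter later gained to tell the decapsulated second-pass copy of a packet from cleartext arriving on the same real interface). The interface name and addresses are placeholders: eth0 is the firewall external interface, 192.168.1.0/24 the local network, 10.1.0.0/16 the remote network behind the VPN, 203.0.113.2 the remote gateway.

```iptables
# Constructed example ruleset (iptables-restore format), not from the thread.
# Placeholders: eth0 = firewall external if, 192.168.1.0/24 = local network,
# 10.1.0.0/16 = remote network behind the VPN, 203.0.113.2 = remote gateway.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Pass 1, the encrypted stream: IKE and ESP between the two gateways on the
# real external interface (the part /etc/shorewall/tunnels describes).
-A INPUT -i eth0 -s 203.0.113.2 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.2 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.2 -p esp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Pass 2, the unencrypted stream: after decapsulation the inner packet is
# re-injected and traverses FORWARD with -i eth0, not an ipsecN device.
# Bypass checks come first so the conntrack shortcut below cannot let a
# packet through in clear once the tunnel is down or the source is spoofed.
-A FORWARD -i eth0 -s 10.1.0.0/16 -m policy --dir in --pol none -j LOG --log-prefix "IPSEC-BYPASS-IN: "
-A FORWARD -i eth0 -s 10.1.0.0/16 -m policy --dir in --pol none -j DROP
-A FORWARD -o eth0 -d 10.1.0.0/16 -m policy --dir out --pol none -j LOG --log-prefix "IPSEC-BYPASS-OUT: "
-A FORWARD -o eth0 -d 10.1.0.0/16 -m policy --dir out --pol none -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept remote-network traffic only if the kernel confirms it came out of
# an ESP tunnel whose outer source is the remote gateway.
-A FORWARD -i eth0 -s 10.1.0.0/16 -d 192.168.1.0/24 -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src 203.0.113.2 -j ACCEPT
# Outbound: let local traffic for the remote network leave only if an
# outbound IPsec policy will encrypt it towards the remote gateway.
-A FORWARD -o eth0 -s 192.168.1.0/24 -d 10.1.0.0/16 -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst 203.0.113.2 -j ACCEPT
COMMIT
```

The two LOG rules are the detection hook: any "IPSEC-BYPASS" entry in the kernel log means traffic for the remote network was about to cross eth0 in clear, which is the case the message says Shorewall alone could not guard against.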