
List:       leaf-devel
Subject:    Re: [leaf-devel] FreeS/WAN news
From:       Tom Eastep <teastep () shorewall ! net>
Date:       2004-03-02 19:12:56
Message-ID: 200403021112.56541.teastep () shorewall ! net

On Tuesday 02 March 2004 07:56 am, Erich Titl wrote:
> Tom
>
> thanks for the details.
>
> At 07:41 02.03.2004 -0800, Tom Eastep wrote:
> >On Tuesday 02 March 2004 02:31 am, Erich Titl wrote:
> >
> >...
> >The 2.6 native implementation does away with the 'ipsecN' devices. So all
> >VPN/tunnel types *except* IPSEC use a separate device for tunneling; once
> > the changes to netfilter to *really* support this implementation are in
> > place, IPSEC will pass each tunneled packet through the tables twice --
> > once for the unencrypted copy of the packet and once for the encrypted
> > packet.
>
> Arghhhh....
>

That actually happens today with the classic IPSEC implementation. The 
difference today is that unencrypted packets are never associated with the 
real interface to the remote gateway -- they are only associated with the 
'ipsecN' device.

Unencrypted stream:

	local system<---><firewall internal if><--->ipsec0

The encrypted stream goes:

	firewall<-------><firewall external if><---><remote gateway>

It is the encrypted part that gets defined in /etc/shorewall/tunnels.

In the new model, the unencrypted stream is:

	local system<---><firewall internal if><---><firewall external if>

The encrypted stream remains the same as above.

This makes it impossible to associate the remote network with ipsec0 in 
/etc/shorewall/interfaces or /etc/shorewall/hosts. Rather, you must associate 
it with the real interface to the remote gateway :-( Unless Shorewall were to 
resort to packet marking or some other scheme (which would break things like 
traffic control), there is no way for Shorewall to ensure that only encrypted 
traffic is sent to the remote network.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
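Added example, not part of Tom's message and not Shorewall's own rule set: the check a firewall administrator would want in the native-IPsec model Tom describes, where there is no ipsecN device and the unencrypted copy of each tunnelled packet reaches the FORWARD chain on the real external interface. It uses the netfilter policy match (xt_policy, which arrived in later 2.6 kernels than the ones discussed in this 2004 thread) to ask the kernel's xfrm policy database whether a given packet is covered by an IPsec SA, and drops plaintext to the remote network otherwise. Addresses, interface names and the `ipsec_rules` helper are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders: adjust for the real topology.
LOCAL_NET="${LOCAL_NET:-10.1.0.0/24}"    # behind the firewall's internal interface
REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"  # behind the remote IPsec gateway
REMOTE_GW="${REMOTE_GW:-192.0.2.1}"      # remote gateway (TEST-NET-1 placeholder)
EXT_IF="${EXT_IF:-eth0}"                 # firewall external interface

# run MODE CMD...: execute CMD when MODE is "apply", otherwise print it so the
# rule set can be reviewed (or tested) without root and without iptables.
run() {
  mode=$1; shift
  if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi
}

# ipsec_rules MODE: emit (or apply) the rules for both streams Tom describes.
ipsec_rules() {
  mode=$1

  # Encrypted stream: firewall external if <---> remote gateway.
  # Only ESP and IKE (UDP/500) are exchanged with the gateway itself.
  run "$mode" iptables -A INPUT  -i "$EXT_IF" -s "$REMOTE_GW" -p esp -j ACCEPT
  run "$mode" iptables -A OUTPUT -o "$EXT_IF" -d "$REMOTE_GW" -p esp -j ACCEPT
  run "$mode" iptables -A INPUT  -i "$EXT_IF" -s "$REMOTE_GW" -p udp --dport 500 -j ACCEPT
  run "$mode" iptables -A OUTPUT -o "$EXT_IF" -d "$REMOTE_GW" -p udp --dport 500 -j ACCEPT

  # Unencrypted stream: local system <---> internal if <---> external if.
  # This is the pass where a plain dst-based rule cannot tell whether the
  # packet will be encrypted. The policy match consults the xfrm policy
  # database: accept only if an IPsec tunnel policy to/from REMOTE_GW applies.
  run "$mode" iptables -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -o "$EXT_IF" \
      -m policy --dir out --pol ipsec --mode tunnel --tunnel-dst "$REMOTE_GW" -j ACCEPT
  run "$mode" iptables -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -i "$EXT_IF" \
      -m policy --dir in --pol ipsec --mode tunnel --tunnel-src "$REMOTE_GW" -j ACCEPT

  # Anything else addressed to or from the remote network on the external
  # interface is plaintext that the SA did not cover (e.g. the tunnel is down):
  # drop it rather than let it leak in the clear.
  run "$mode" iptables -A FORWARD -d "$REMOTE_NET" -o "$EXT_IF" -j DROP
  run "$mode" iptables -A FORWARD -s "$REMOTE_NET" -i "$EXT_IF" -j DROP
}

# Usage: ./ipsec-rules.sh            (print the rules for review)
#        ./ipsec-rules.sh apply      (install them; needs root and xt_policy)
ipsec_rules "${1:-print}"
```

The DROP rules sit after the policy-matched ACCEPTs, so the order matters: the same plaintext packet that would have been accepted by a naive `-d REMOTE_NET -j ACCEPT` is now accepted only when the kernel confirms it will be encapsulated for `REMOTE_GW`, which is exactly the guarantee Tom says cannot be expressed with interface- or host-based zones alone.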





_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel