Hi,
I'm setting up a single Debian host as a firewall + IPSec gateway for a small company. I'm using a sarge + security updates distro. For standard traffic (no IPSec yet), iptables suits quite well. However, troubles come with IPSec.
First, I needed to set up a road-warrior profile with NAT-T. I finally discovered I had to fall back to 2.4 kernel due to ESPINUDP broken in 2.6, then use the OpenSwan package instead of FreeSwan because of the "udp_encap_rcv(): Unhandled UDP encap type: " message (still exists with OpenSwan, but NAT-T works...).
With this finally working, I need to allow IPSec telecommuters to access the internal network.
The problem here is how to identify the IPSec traffic. I implemented this long ago, where IPSec traffic would come out of an "ipsecxxx" interface, which was really easy for adding a '-i ipsecxxx' iptables rule.
In the newer implementation of FreeSwan/OpenSwan, this behaviour has changed, since the IPSec traffic is still reported as coming from the physical interface. I found out that I could use the "policy matching" netfilter module, but this is not included in 2.4.27-2 (and possibly not in 2.6.10, since I couldn't find any ipt_policy.ko in /lib/modules/2.6.10-1-686).
Is there another way of matching the IPSec traffic? Have I no other solution than building a custom kernel?
Thanks a lot
Guillaume
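The ruleset below is an added example (not part of the original post, and not Debian's, FreeS/WAN's or Openswan's own code) of the "policy matching" approach the post refers to. It assumes a kernel and iptables build where the `policy` match is available (it was not in the kernel versions named in the post); the interface name `eth0`, the internal subnet `192.168.10.0/24` and the function names are constructed for the example. The idea is that packets decapsulated from an IPsec SA re-enter netfilter on the physical interface, so the only thing that separates them from plaintext arrivals on the same interface is the SPD lookup that `-m policy --dir in --pol ipsec` performs; everything else from the outside towards the internal network is dropped.

```shell
#!/bin/sh
# Added example: distinguishing decrypted IPsec traffic from plaintext traffic
# that arrives on the same physical interface, using the netfilter "policy" match.
# Assumptions (constructed for this example): external interface eth0, internal
# network 192.168.10.0/24, a kernel/iptables providing "-m policy".
EXT_IF="${EXT_IF:-eth0}"
INT_NET="${INT_NET:-192.168.10.0/24}"
# IPT is the command the rules are handed to; set IPT=echo to preview them
IPT="${IPT:-iptables}"

# ipsec_gateway_rules: emit (or apply) the INPUT/FORWARD rules for the gateway.
ipsec_gateway_rules() {
    # 1. IKE, NAT-T and ESP must reach the gateway itself.
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT

    # 2. Decapsulated packets come back through FORWARD with -i $EXT_IF, exactly
    #    like plaintext; the policy match accepts only those that matched an
    #    inbound IPsec (ESP) policy, i.e. that actually arrived inside a tunnel.
    $IPT -A FORWARD -i "$EXT_IF" -d "$INT_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # 3. Replies to the road warrior are only allowed if the outbound SPD says
    #    they will be encrypted; unencrypted leakage of internal traffic is refused.
    $IPT -A FORWARD -o "$EXT_IF" -s "$INT_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # 4. Anything else from the outside to the internal network is plaintext: drop.
    $IPT -A FORWARD -i "$EXT_IF" -d "$INT_NET" -j DROP
}

# Usage: "sh script.sh preview" prints the rules; "sh script.sh apply" installs them.
case "${1:-}" in
    apply)   ipsec_gateway_rules ;;
    preview) IPT=echo; ipsec_gateway_rules ;;
esac
```

Step 4 is what makes the scheme safe: without the explicit DROP, a plaintext packet spoofed with an internal destination would pass just as it did before the tunnel existed. The `--dir out` rule in step 3 is the counterpart check, so that a misconfigured or expired SA results in dropped replies rather than internal traffic leaving the host unencrypted.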