On Tue, 2005-02-01 at 23:44, Guillaume Lécroart wrote:
> Hi,
>
> I'm setting up a single Debian host as a firewall + IPSec gateway for a
> small company. I'm using a sarge + security updates distro. For standard
> traffic (no IPSec yet), iptables suits quite well. However, troubles
> come with IPSec.
>
> First, I needed to set up a road-warrior profile with NAT-T. I finally
> discovered I had to fall back to the 2.4 kernel due to ESPINUDP being
> broken in 2.6, then use the OpenSwan package instead of FreeSwan because
> of the "udp_encap_rcv(): Unhandled UDP encap type: " message (it still
> exists with OpenSwan, but NAT-T works...)
>
> With this finally working, I need to allow IPSec telecommuters to access
> the internal network.
>
> The problem here is how to identify the IPSec traffic. I implemented
> this long ago, where IPSec traffic would come out of an "ipsecxxx"
> interface, which made it really easy to add a '-i ipsecxxx' iptables
> rule. In the newer implementation of FreeSWan/OpenSWan, this behaviour
> has changed, since the IPSec traffic is still reported as coming from
> the physical interface. I found out that I could use the "policy
> matching" netfilter module, but this is not included in 2.4.27-2 (and
> possibly not in 2.6.10, since I couldn't find any ipt_policy.ko in
> /lib/modules/2.6.10-1-686).
>
> Is there another way of matching the IPSec traffic?
> Have I no other solution than building a custom kernel?

Matching IPsec traffic is easily done. Simply use the -j MARK target to
tag ESP packets and then use that mark in filtering rules, e.g.:

<snip>
# allow ike
$IPT -A INPUT -i $EXT_IF -d $EXT_IP -p udp --dport 500 -j ACCEPT
# tag esp packets: MARK is only valid in the mangle table, and mangle
# INPUT is traversed before filter INPUT, so the mark is already set
# when the ACCEPT below is evaluated
$IPT -t mangle -A INPUT -i $EXT_IF -d $EXT_IP -p esp -j MARK --set-mark 1
# allow esp
$IPT -A INPUT -i $EXT_IF -d $EXT_IP -p esp -j ACCEPT
# forward marked (i.e. decrypted) packets selectively
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $INT_NET -m mark --mark 1 <other filtering options> -j ACCEPT
</snip>

etc..etc

PS: have you had a look at isakmpd + the std kernel-2.6 image? Works
nicely, no rolling customs involved, talks to native XP clients etc. :)

Hope this helps

regards
charlie

--
============================
Charles Kidson
Systems Administrator
General Pants Group
[EMAIL PROTECTED]
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766
============================
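An added example (not from either poster) of the other route the question mentions: matching the decrypted road-warrior packets in FORWARD with the "policy" match (ipt_policy), which only matches packets that actually came out of an IPsec SA, so a cleartext packet spoofing a road-warrior source address is not let through. It assumes a kernel and iptables that ship the policy match (the question notes it is absent from the 2.6.10 Debian kernel); interface names, addresses and the RW_NET range are constructed placeholders, and IPT defaults to "echo" so the script prints the rules rather than installing them.

```shell
#!/bin/sh
# Added example: IPsec gateway rules using "-m policy" instead of MARK.
# IPT defaults to echo (dry run); set IPT=/sbin/iptables for a real run.
IPT="${IPT:-echo}"
EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
INT_IF="${INT_IF:-eth1}"                 # assumed internal interface
EXT_IP="${EXT_IP:-203.0.113.1}"          # constructed gateway address
INT_NET="${INT_NET:-192.168.10.0/24}"    # constructed internal network
RW_NET="${RW_NET:-10.99.0.0/24}"         # constructed road-warrior range

ipsec_gateway_rules() {
    # IKE, plus NAT-T: once NAT is detected, IKE and ESP-in-UDP move to 4500
    $IPT -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 4500 -j ACCEPT
    # Raw ESP addressed to the gateway itself
    $IPT -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p esp -j ACCEPT
    # Decrypted packets re-enter on the physical interface; "--dir in
    # --pol ipsec" matches only packets that were just decapsulated
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$RW_NET" -d "$INT_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Replies to road warriors must be headed into an SA, not leave in clear
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -d "$RW_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # Anything claiming a road-warrior source without IPsec protection is dropped
    $IPT -A FORWARD -i "$EXT_IF" -s "$RW_NET" -j DROP
}

# Dry-run check: how many generated rules carry the policy match
count_policy_rules() {
    ipsec_gateway_rules | grep -c -- '-m policy'
}

ipsec_gateway_rules
```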

