ipfilter + ipsec tunnel

Post by Michael W. Olive » Sat, 29 Sep 2001 00:10:15



Folks,

I have searched exhaustively, and I cannot find an answer to my question.
The question is:

When using ipfilter on FreeBSD as a firewall, can a client on the private
LAN network establish an IPSec tunnel (with or without AH) to a tunnel
endpoint on the Internet?  If yes, then how would ipfilter be configured for
such?  And, does ipfilter handle IPSec tunnels in 'tunnel mode' or 'passive
mode'?

--
Thanks in advance to all who reply! (Please cc me at

Michael Oliver


ipfilter + ipsec tunnel

Post by Marcel Po » Wed, 03 Oct 2001 15:53:07



> When using ipfilter on FreeBSD as a firewall, can a client on the
> private LAN network establish an IPSec tunnel (with or without AH) to a
> tunnel endpoint on the Internet?  If yes, then how would ipfilter be
> configured for such?  And, does ipfilter handle IPSec tunnels in 'tunnel
> mode' or 'passive mode'?

You cannot use AH over a NAT connection.
AH adds a key to the source address in the IP header.
The NAT table replaces the source address in the IP header, and therefore
the key also, which means the other end cannot decrypt the packet
anymore.
So you can only use ESP.

IPSec with ESP uses UDP port 500 and protocol 50.
My /etc/protocols (under linux) reads:
esp 50 ESP

That's about all I know, since I'm in the process of setting it up
myself.
You can read up on the VPN HOWTO at www.linuxdoc.org and check the links
in it. It has links to an IPSec FAQ and so on. Very informative.

--
Marcel Pol
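The AH-versus-NAT point in the reply above, as an added example that is not part of the thread: a simplified model in which AH's integrity check covers the IP source and destination addresses, while ESP's covers only the ESP header and the encrypted payload, so a NAT gateway rewriting the source address breaks the first but not the second. The key, addresses, payloads and packet layout are constructed for the demo and are not a real AH/ESP implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # stands in for the negotiated SA key (constructed)


def ah_icv(src, dst, next_header, payload):
    """AH: ICV over the immutable IP header fields (addresses included) plus the payload."""
    hdr = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return hmac.new(KEY, hdr + bytes([next_header]) + payload, hashlib.sha256).digest()


def esp_icv(spi, seq, ciphertext):
    """ESP: ICV over the ESP header (SPI, sequence) and encrypted payload only; the outer IP header is not covered."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha256).digest()


def nat_rewrite(packet, public_ip):
    """Model the NAT gateway: replace the private source address, leave everything else alone."""
    out = dict(packet)
    out["src"] = public_ip
    return out


def verify_ah(packet):
    # Receiver recomputes the ICV over the header it actually received (next header 4 = IP-in-IP, tunnel mode)
    return hmac.compare_digest(ah_icv(packet["src"], packet["dst"], 4, packet["payload"]), packet["icv"])


def verify_esp(packet):
    return hmac.compare_digest(esp_icv(packet["spi"], packet["seq"], packet["ciphertext"]), packet["icv"])


CLIENT, GATEWAY, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed addresses


def ah_verifies(through_nat):
    payload = b"constructed inner IP packet"
    pkt = {"src": CLIENT, "dst": PEER, "payload": payload, "icv": ah_icv(CLIENT, PEER, 4, payload)}
    return verify_ah(nat_rewrite(pkt, GATEWAY) if through_nat else pkt)


def esp_verifies(through_nat):
    ciphertext = b"constructed encrypted inner packet"
    pkt = {"src": CLIENT, "dst": PEER, "spi": 0x1234, "seq": 1, "ciphertext": ciphertext,
           "icv": esp_icv(0x1234, 1, ciphertext)}
    return verify_esp(nat_rewrite(pkt, GATEWAY) if through_nat else pkt)


if __name__ == "__main__":
    print("AH  direct:", ah_verifies(False), " via NAT:", ah_verifies(True))    # True, False
    print("ESP direct:", esp_verifies(False), " via NAT:", esp_verifies(True))  # True, True
```

With plain ESP the firewall still has to pass UDP port 500 (IKE) and IP protocol 50 (ESP) between the client and the remote endpoint in both directions, as the reply says; later IPsec stacks added NAT traversal (ESP encapsulated in UDP port 4500), which did not exist when this thread was written.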

