Re: [OT] Connection tracking for IPSec

[Andrew McGregor]

--On Wednesday, August 20, 2003 01:22:49 PM +0200 Felipe Alfaro Solana 
<felipe_alfaro@xxxxxxxxxxxxx> wrote:

> Hi all!
>
> I'm starting with IPSec right now. To make it work, I must open up
> protocols 50 and 51 to pass across my Linux firewalls, but I want to use
> connection tracking much like I do when not using IPSec.
>
> For example,
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED

Hmm.  You can't do this if the end host does the ESP (AH is another 
matter).  Ever.  If the ESP is working, the router can't tell what is 
inside the packet; this is the whole point of IPSEC.  If you want this 
functionality, you can only provide it on the end host, or else do the 
IPSEC on the router.

> When using IPSec, if I open up protocols 50 and 51, all IPSec-protected
> traffic passes through the firewall, but it's not checked against the
> connection tracking module. How can I configure iptables so an
> IPSec-protected packet, after being classified as IP protocol 50 or 51,
> loop back one more time to pass through the connection tracking module?

You can't, by design of IPSEC.  However, you do have a couple of options:

1) let through IPSEC only for hosts you trust
2) for hosts you must firewall at the router, do the IPSEC there too, and 
do not allow those hosts to use IPSEC.

These aren't exclusive.

> I don't want to set up IPSec to get addititional protection by using AH
> and ESP and then let any machine talking IPSec pass entirely through my
> firewall ignoring the rest of rules.
>
> Thanks!

You're welcome.

Andrew



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/