Subject: Re: [Design] Re: dhclient and IPsec
To: None <sommerfeld@orchard.arlington.ma.us>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 07/07/2002 13:48:19
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us> writes:
Bill> The difference vs your environment is that the dhcp server and tunnel
Bill> endpoint are on different systems (dhcp server is run by whichever
Bill> network we're visiting; tunnel server is remote and run by us). So,
Bill> rather than trying to convince the nets we visit to turn on ipsec on
Bill> their dhcp server, we create a bypass policy entry on the client --
Bill> the dhcp traffic necessary to keep us up on the local LAN is sent in
Bill> the clear. (this also avoids chicken-and-egg issues since you need an
Bill> ip address to negotiate an SA using the key management protocol of
Bill> your choice).
In the end, we did exactly that.
On the wavesec server (Linux FreeSWAN, see www.wavesec.org) we did:
#!/bin/sh
# Mark (fwmark 1) the DNS replies, DHCP and ICMP traffic headed for the
# wireless client range, both packets arriving from elsewhere (PREROUTING)
# and packets generated locally (OUTPUT), so that policy routing below sends
# them out wlan0 in the clear instead of through the IPsec tunnel.
iptables -A PREROUTING -t mangle -p udp -s 0.0.0.0/0 -d 192.139.46.64/29 --sport 53 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p udp -s 0.0.0.0/0 -d 192.139.46.64/29 --sport 67:68 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p icmp -s 0.0.0.0/0 -d 192.139.46.64/29 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -s 0.0.0.0/0 -d 192.139.46.64/29 --sport 67:68 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -s 0.0.0.0/0 -d 192.139.46.64/29 --sport 53 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p icmp -s 0.0.0.0/0 -d 192.139.46.64/29 -j MARK --set-mark 1
# Marked packets are routed via the "dhcpd" table, which goes directly out
# wlan0 (the table name must be listed in /etc/iproute2/rt_tables).
ip rule add fwmark 1 table dhcpd
ip route add 192.139.46.64/29 dev wlan0 table dhcpd
Linux FreeSWAN clients need to add firewall rules to enforce that packets
that should come via the SPD, do come that way. By default no such rules
exist (we will fix that soon).
On the BSD clients, we had to add the following SPD entries to permit the
DNS, ICMP and DHCP packets in:
# 1: DHCP client -> server traffic to the ciphergate goes out in the clear
spdadd $inner/32[68] $ciphergate/32[67] any -P out none;
# 2: everything else from the inner address must go through the ESP tunnel
spdadd $inner/32 0.0.0.0/0 any -P out ipsec esp/tunnel/${myip}-${ciphergate}/require;
# 3: DNS replies to the outer (LAN) address may arrive in the clear
spdadd 0.0.0.0/0[53] ${myip}/32 any -P in none;
# 4: everything else to the inner address must arrive through the ESP tunnel
spdadd 0.0.0.0/0 $inner/32 any -P in ipsec esp/tunnel/${ciphergate}-${myip}/require;
The return DHCP packets are sniffed off the wire, so we didn't need any
rule for that, although it could have been added. We didn't care how the DNS
packets went *out*, but to assure that Wavesec clients that needed DNS to get
RSA keys could get them even after a reboot, we had forced DNS to be in the
clear for all clients. KAME would silently drop the packets without rule #3.
(Is there some way to get it to log them?)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPSh+3IqHRg3pndX9AQFAvgQA7WnTha51nR7DRQjx8xtyEGUBfbmHjmqB
DpL0URU8cYli6WNm0wtZObUPAvvImJeRUWbPUYUsgyTE8AxvdqMPz22t2VtnlKkl
xjuS1gbIR7L9NNA09kqqlz89Q5PaQXWDA0pmuFeQolms+QfC1XNjtdHOSo8Wm7Z4
xtJ/YLZVYZQ=
=yZj9
-----END PGP SIGNATURE-----
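The client-side SPD in the post, as an added example (Python; not from the post, FreeSWAN, or KAME): a small first-match evaluator over the four spdadd entries, with constructed RFC 5737 documentation addresses standing in for $inner, $ciphergate and $myip. It shows which packets the bypass entries catch (the DHCP request, DNS replies to the outer address), why a port-qualified entry cannot match ICMP, and what falls through when entry #3 is removed. First-match order over the list and the "no-policy" result are this example's simplifications; the kernel's own SPD ordering and its default policy for unmatched packets are not modelled.

```python
"""First-match evaluator for the four bypass/require SPD entries in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholders (RFC 5737 ranges), not the wavesec deployment's values.
INNER = "192.0.2.10"        # $inner: the client's address inside the tunnel
CIPHERGATE = "192.0.2.1"    # $ciphergate: tunnel server, also the DHCP server
MYIP = "198.51.100.23"      # $myip: the client's address on the visited LAN


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out" from the client's point of view
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (ICMP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    src: str                     # CIDR; "0.0.0.0/0" means any address
    sport: Optional[int]         # None means any port
    dst: str
    dport: Optional[int]
    direction: str
    action: str                  # "none" (bypass) or "esp/tunnel/<local>-<remote>"

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        # A port-qualified entry only matches packets that actually carry ports,
        # so entry #1 (ports 68 -> 67) never catches ICMP.
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def build_spd(inner: str, ciphergate: str, myip: str) -> List[Policy]:
    """The four entries from the post with the shell variables filled in."""
    return [
        # 1: DHCP request in the clear to the ciphergate
        Policy(f"{inner}/32", 68, f"{ciphergate}/32", 67, "out", "none"),
        # 2: everything else from the inner address must go through the tunnel
        Policy(f"{inner}/32", None, "0.0.0.0/0", None, "out",
               f"esp/tunnel/{myip}-{ciphergate}"),
        # 3: DNS replies to the outer address may arrive in the clear
        Policy("0.0.0.0/0", 53, f"{myip}/32", None, "in", "none"),
        # 4: everything else to the inner address must arrive through the tunnel
        Policy("0.0.0.0/0", None, f"{inner}/32", None, "in",
               f"esp/tunnel/{ciphergate}-{myip}"),
    ]


def lookup(spd: List[Policy], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (1-based index of the first matching entry, action).

    (None, "no-policy") means nothing matched; what the kernel then does
    depends on its default policy, which this example does not model.
    """
    for idx, pol in enumerate(spd, start=1):
        if pol.matches(pkt):
            return idx, pol.action
    return None, "no-policy"


SPD = build_spd(INNER, CIPHERGATE, MYIP)

# Constructed sample traffic: a DHCP request, a web fetch through the tunnel,
# a DNS reply to the outer address, the same reply addressed to the inner
# address, and an ICMP echo from the inner address.
SAMPLES = {
    "dhcp request": Packet("out", INNER, CIPHERGATE, 68, 67),
    "http out": Packet("out", INNER, "203.0.113.80", 40000, 80),
    "dns reply to outer": Packet("in", "203.0.113.53", MYIP, 53, 32768),
    "dns reply to inner": Packet("in", "203.0.113.53", INNER, 53, 32768),
    "icmp out": Packet("out", INNER, CIPHERGATE),
}


def classify(spd: List[Policy] = SPD) -> dict:
    return {name: lookup(spd, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (idx, action) in classify().items():
        print(f"{name:20s} -> entry {idx}: {action}")
    without_3 = [p for i, p in enumerate(SPD) if i != 2]
    print("dns reply to outer, entry #3 removed ->",
          lookup(without_3, SAMPLES["dns reply to outer"]))
```

The "dns reply to inner" case is the one worth noticing: the bypass in entry #3 is keyed to the outer address, so a resolver query sourced from the inner address gets a reply that must arrive through the tunnel, which is exactly the traffic a freshly rebooted client cannot yet decrypt.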