Subject: Re: [Design] Re: dhclient and IPsec
To: None <>
From: Michael Richardson <>
List: tech-net
Date: 07/07/2002 13:48:19

>>>>> "Bill" == Bill Sommerfeld <> writes:
    Bill> The difference vs your environment is that the dhcp server and tunnel
    Bill> endpoint are on different systems (dhcp server is run by whichever
    Bill> network we're visiting; tunnel server is remote and run by us).  So,
    Bill> rather than trying to convince the nets we visit to turn on ipsec on
    Bill> their dhcp server, we create a bypass policy entry on the client --
    Bill> the dhcp traffic necessary to keep us up on the local LAN is sent in
    Bill> the clear.  (this also avoids chicken-and-egg issues since you need an
    Bill> ip address to negotiate an SA using the key management protocol of
    Bill> your choice).

  In the end, we did exactly that.

  On the wavesec server (Linux FreeSWAN, see we did:


iptables -A PREROUTING -t mangle -p udp -s -d --sport 53 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p udp -s -d --sport 67:68 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p icmp -s -d -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -s -d --sport 67:68 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -s -d --sport 53 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p icmp -s -d -j MARK --set-mark 1

ip rule add fwmark 1 table dhcpd 
ip route add dev wlan0 table dhcpd

  Linux FreeSWAN clients need to add firewall rules to enforce that packets
that should come via the SPD do come that way. By default no such rules
exist (we will fix that soon).

  On the BSD clients, we had to add the following SPD entries to permit the
DNS, ICMP and DHCP packets in:

     spdadd $inner/32[68] $ciphergate/32[67] any -P out none;
     spdadd $inner/32 any -P out ipsec esp/tunnel/${myip}-${ciphergate}/require;
     spdadd[53] ${myip}/32 any -P in none;
     spdadd $inner/32 any -P in ipsec  esp/tunnel/${ciphergate}-${myip}/require;

  The return DHCP packets are sniffed off the wire, so we didn't need any
rule for that, although it could have been added. We didn't care how the DNS
packets went *out*, but to ensure that Wavesec clients that needed DNS to get
RSA keys could get them even after a reboot, we had forced DNS to be in the
clear for all clients. KAME would silently drop the packets without rule #3.
(Is there some way to get it to log them?)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

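A small model of the client-side policy lookup, added here as an illustration; it is not KAME code and not part of the thread above. It assumes first-match lookup in the order the entries were added, that traffic matching no entry passes in the clear, and a single client address standing in for both $inner and $myip. The addresses (RFC 5737 documentation ranges) and the resolver address DNS_SERVER are constructed. It reproduces the behaviour reported in the message: with the clear-text DNS entry present the reply is accepted, without it the reply falls through to the inbound "require" entry and is dropped, and plaintext that merely pretends to be tunnel traffic is dropped as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 ranges), not the real wavesec ones.
CLIENT = "203.0.113.5"      # stands in for both $inner and $myip (assumption: one client address)
CIPHERGATE = "192.0.2.1"    # $ciphergate, the tunnel server that also answers DHCP
DNS_SERVER = "192.0.2.53"   # assumed resolver whose replies are forced into the clear


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    direction: str              # "in" or "out"
    via_esp: bool = False       # True if the packet was decapsulated from an ESP SA


@dataclass(frozen=True)
class Policy:
    """One spdadd line: selectors plus the -P action ("none" = bypass, "require" = ESP only)."""
    src: str                    # CIDR or "any"
    dst: str
    direction: str
    action: str
    proto: str = "any"
    sport: Optional[int] = None # None = any port, like a selector without [port]
    dport: Optional[int] = None


def _addr_match(selector: str, addr: str) -> bool:
    if selector == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def policy_matches(pol: Policy, pkt: Packet) -> bool:
    return (pol.direction == pkt.direction
            and _addr_match(pol.src, pkt.src)
            and _addr_match(pol.dst, pkt.dst)
            and pol.proto in ("any", pkt.proto)
            and pol.sport in (None, pkt.sport)
            and pol.dport in (None, pkt.dport))


def trace(spd: List[Policy], pkt: Packet) -> Tuple[str, Optional[Policy]]:
    """Return (verdict, matching policy or None). Verdicts: "clear", "esp", "drop".
    First match wins and unmatched traffic passes in the clear (both assumed)."""
    for pol in spd:
        if not policy_matches(pol, pkt):
            continue
        if pol.action == "none":
            return "clear", pol
        if pkt.direction == "out":
            return "esp", pol                       # outbound: goes through the tunnel SA
        return ("esp" if pkt.via_esp else "drop"), pol  # inbound plaintext hitting "require" is dropped
    return "clear", None


def decide(spd: List[Policy], pkt: Packet) -> str:
    return trace(spd, pkt)[0]


# The client SPD modelled on the four entries in the message (one client address).
SPD = [
    Policy(f"{CLIENT}/32", f"{CIPHERGATE}/32", "out", "none", proto="udp", sport=68, dport=67),  # DHCP to the gate, clear
    Policy(f"{CLIENT}/32", "any", "out", "require"),                                             # everything else out via ESP
    Policy(f"{DNS_SERVER}/32", f"{CLIENT}/32", "in", "none", proto="udp", sport=53),              # "rule #3": DNS replies in clear
    Policy("any", f"{CLIENT}/32", "in", "require"),                                              # everything else in must be ESP
]
SPD_NO_DNS_BYPASS = [p for p in SPD if not (p.action == "none" and p.sport == 53)]

# Constructed sample packets.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67, "out")   # before the lease: no address yet
DHCP_RENEW = Packet(CLIENT, CIPHERGATE, "udp", 68, 67, "out")
WEB_OUT = Packet(CLIENT, "198.51.100.80", "tcp", 40000, 80, "out")
DNS_REPLY_CLEAR = Packet(DNS_SERVER, CLIENT, "udp", 53, 32768, "in")
SPOOFED_CLEAR_IN = Packet("198.51.100.80", CLIENT, "tcp", 80, 40000, "in")   # plaintext claiming to be the web server
TUNNELED_IN = Packet("198.51.100.80", CLIENT, "tcp", 80, 40000, "in", via_esp=True)

if __name__ == "__main__":
    for name, pkt in [("dhcp discover", DHCP_DISCOVER), ("dhcp renew", DHCP_RENEW), ("web out", WEB_OUT),
                      ("dns reply", DNS_REPLY_CLEAR), ("spoofed in", SPOOFED_CLEAR_IN), ("tunneled in", TUNNELED_IN)]:
        print(f"{name:14} with rule #3: {trace(SPD, pkt)[0]:5}  without: {trace(SPD_NO_DNS_BYPASS, pkt)[0]}")
```

trace() answers, for this model, the "which entry ate my packet" question the message asks at the end; it says nothing about whether KAME itself can log such drops. The initial DISCOVER (source 0.0.0.0) matches no entry and passes only because of the assumed pass-by-default policy, which is the chicken-and-egg case Bill describes: a lease is needed before the selectors can apply at all.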