Hi All,

I am attempting to secure my wireless network but have hit a major snag. I am using IPSEC with x509 encryption/authentication on both ends, but I am using a 2.6 kernel on my desktop machine. The 2.6 kernels have native ipsec built in, whereas pre 2.4 it was necessary to use a 3rd party ipsec stack.

What happens is that netfilter (on the 2.6 system) sees two packets for every transmission: it sees the encrypted ESP packet and the unencrypted packet on the same eth0 interface. If I allow ESP packets in from my unsecure network, they get decrypted, then rejected as normal tcp/udp packets. If I also allow normal tcp/udp packets through the firewall, then anybody not using ipsec can "drive by" attack my system, unless I lock it down like a public internet connection (bye bye to my nfs share!).

The old 3rd party system (freeswan/KLIPS) only saw ESP packets on eth0: and then produced unencrypted packets on ipsec0: dead easy to firewall.

Now, is there any way to route packets through netfilter? Can I take all ESP packets on eth0, place them in a different chain and somehow make them reappear as a virtual interface? I have seen quite a number of other people with this problem and the only answer seems to be "change your firewall settings to use the new scheme of things", which as far as I can see breaks half the point of the encryption/authentication.

Thanks for any suggestions,
Robin
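The firewall layout the post is asking for, as an added example that is not part of the original thread: with native 2.6 IPsec there is no ipsec0 interface to match on, so the decrypted packet is instead recognised with the iptables `policy` match (xt_policy), which only matches packets that were unwrapped from an inbound IPsec SA. It assumes the kernel and iptables support that match; `WAN_IF`, `LAN_NET`, the `IPSEC_IN` chain name and the NFS/portmapper ports are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal INPUT policy for a
# host using the 2.6 kernel's native IPsec. Instead of a separate ipsec0
# interface, the decrypted packet is matched with "-m policy --pol ipsec",
# which only matches packets that came out of an inbound IPsec SA.
# Assumes iptables with the policy match (xt_policy). WAN_IF, LAN_NET and
# the NFS ports are constructed placeholders; adjust them to the real host.
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # the untrusted wireless subnet
IPT=${IPT:-iptables}                 # IPT=echo prints rules instead of loading them

ipsec_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Pass 1: the packet as it arrives on the wire. Only IKE and ESP from the
    # wireless subnet are allowed to reach the kernel's IPsec stack.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -p esp -j ACCEPT

    # Pass 2: the decrypted inner packet re-enters INPUT on the same eth0.
    # Accept it only if netfilter records that it was unwrapped from ESP;
    # the same service sent in cleartext falls through to the DROP policy.
    $IPT -N IPSEC_IN 2>/dev/null || $IPT -F IPSEC_IN
    $IPT -A INPUT -i "$WAN_IF" -m policy --dir in --pol ipsec --proto esp -j IPSEC_IN
    $IPT -A IPSEC_IN -p tcp --dport 2049 -j ACCEPT   # NFS
    $IPT -A IPSEC_IN -p udp --dport 2049 -j ACCEPT
    $IPT -A IPSEC_IN -p tcp --dport 111  -j ACCEPT   # portmapper
    $IPT -A IPSEC_IN -p udp --dport 111  -j ACCEPT
    $IPT -A IPSEC_IN -j DROP
}

# Apply with: sh firewall.sh apply   (preview with: IPT=echo sh firewall.sh apply)
if [ "${1:-}" = "apply" ]; then
    ipsec_rules
fi
```

Running it with `IPT=echo` prints the rules instead of loading them, which is a convenient way to review the two-pass logic before applying it as root.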