[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access

cmisip cmisip at insightbb.com
Fri Aug 1 21:24:42 PDT 2003

On Fri, 2003-08-01 at 17:44, Joshua Banks wrote:
> My experience with (Host to Host)Ipsec in general
> tells me that any traffic not destined for that
> specific host specified in the ipsec routing/tunneling
> policy will be dropped at the firewall before being
> encrypted because it doesn't match the ipsec
> routing/tunneling policy.

I have host to host between a client machine and a firewall/router
(shorewall with ip masq).  The client machine is a laptop with 802.11b. 
My intent was to encrypt all wireless communications from the laptop to
any machine in the LAN, encrypting even packets destined for the
internet (so they are encrypted from laptop to linuxrouter and
plaintext from linuxrouter to the internet).

laptop <--802.11b--->linuxrouter---->cablemodem
 vpn   <--tunnel----> vpn   
nofirewall          shorewall

However, the packets destined for the internet, seem to die at the
linuxrouter.  I think they make it there because I can ping the router
and tcpdump shows ESP on ping and reply.

> Are the firewalls the termination points(where the
> encryption and decryption happens? Or are the actual
> hosts/vpn clients the ones doing the encryption and
> decryption locally?

the laptop is a termination point, the linuxrouter is a termination
> If the actual firewalls(ipsec termination points) are
> doing the encryption and decryption of the ipsec
> packets and then handing those packets off to the
> specific host after being decrypted,
I thought encryption will only happen if source and destination of
packets are the termination points of the ipsec tunnel.  I am using
Frees/wan.  If there is a firewall between the vpn termination points,
it just needs to allow the ipsec packets and have the termination points
do the encryption and decryption.  Am I understanding this wrong?  

>  then only ipsec
> packets destined for that specific host will make it
> through the ipsec tunnel.  

I can ping and receive a reply when the tunnel is up and tcpdump shows
esp encryption on both ping and reply.  I have default route set to 
point to the linuxrouter also so packets destined for the internet are
routed to the linuxrouter as well.  With the tunnel down, the packets 
make it to the internet.  With the tunnel up, they don't.

I have tried another setup as well:

laptop <--802.11b--> machineA <--wired--> dlinkrouter <--->cablemodem
 vpn <--------------->vpn                     NAT
nofirewall         shorewall 
                   (no ip masq
                   but ip forwards)

In this scenario, ping and reply between laptop and machineA show
esp encryption.  Ping and reply between laptop and dlinkrouter show no
encryption.  With the tunnel up between laptop and machineA, packets for
the internet make it to machineA (ipsec makes the default route on
laptop point to machineA) and then since machine A does ip forwarding,
the packets continue on to dlinkrouter and to the internet.  However
these packets to the internet are not encrypted.

My goal was to make the laptop to router connection secure for packets
that need to go to the internet.  Is this even possible?  Since it is
impossible to set up a tunnel to every possible host on the internet, I
thought that I could do this if I set up a VPN tunnel between the laptop
and the router.


> If that host has other rules and policies that allow
> it out to the internet as well as having an ipsec
> routing/tunneling policy setup and a packet not
> destined for that specific host on the other end
> should go around the tunnel without being encrypted.
> But if the only rules in place on the firewall for
> that specific host is for ipsec tunneling then again
> any packet not destined for that host on the other end
> of the ipsec tunnel should get dropped.
> My 2cents.
> JBanks
> --- Tom Eastep <teastep at shorewall.net> wrote:
> > On Fri, 2003-08-01 at 15:01, cmisip wrote:
> > > I kinda found that out , the hard way, after the
> > remote machine locked
> > > me out when I commented it out instead.  Anyway,
> > still no internet
> > > access with ipsec on.  
> > > 
> > 
> > Please keep the thread on the list.
> > 
> > Someone more familiar with IPSEC please help me out
> > here; the tunnel in
> > question is configured as host-to-host -- doesn't
> > that mean the IPSEC
> > will toss any traffic coming into or out of the
> > tunnel that has a source
> > or destination other than the firewall itself?
> > 
> > -Tom
> > -- 
> > Tom Eastep    \ Shorewall - iptables made easy
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep at shorewall.net
> > 
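An added illustration of the point argued in this thread (not code from the poster, the list, or FreeS/WAN): an outbound IPsec policy lookup modelled on SPD traffic selectors. The addresses are constructed for the laptop/linuxrouter topology above; the 0.0.0.0/0 remote selector is my generalisation of why a host-to-host policy alone cannot cover internet-bound packets.

```python
import ipaddress
from typing import List, NamedTuple


class SpdEntry(NamedTuple):
    local: ipaddress.IPv4Network   # traffic selector on the laptop side
    remote: ipaddress.IPv4Network  # traffic selector on the far side
    action: str                    # "PROTECT" (ESP) or "BYPASS"


def lookup(spd: List[SpdEntry], src: str, dst: str, default: str = "BYPASS") -> str:
    """Action for an outbound packet src->dst: first matching selector wins.
    A packet that matches no entry takes the default, i.e. it leaves the
    host without IPsec, which is what the second scenario in the thread shows."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in entry.local and d in entry.remote:
            return entry.action
    return default


# Constructed addresses (assumed, not from the thread).
LAPTOP, ROUTER, INTERNET_HOST = "192.168.1.50", "192.168.1.1", "198.51.100.7"
net = ipaddress.ip_network

# Host-to-host tunnel as described in the thread: laptop/32 <-> linuxrouter/32.
# Only packets whose source AND destination are the two endpoints match it.
HOST_TO_HOST = [SpdEntry(net(LAPTOP + "/32"), net(ROUTER + "/32"), "PROTECT")]

# Generalisation: a remote selector of 0.0.0.0/0 matches every destination,
# so internet-bound packets are also protected on the laptop-to-router leg.
FULL_TUNNEL = [SpdEntry(net(LAPTOP + "/32"), net("0.0.0.0/0"), "PROTECT")]


def classify(spd: List[SpdEntry]) -> dict:
    """Outcome for the two flows the poster tested: ping the router, reach the internet."""
    return {
        "ping_router": lookup(spd, LAPTOP, ROUTER),
        "to_internet": lookup(spd, LAPTOP, INTERNET_HOST),
    }


if __name__ == "__main__":
    print("host-to-host:", classify(HOST_TO_HOST))  # ping ESP, internet plaintext
    print("full tunnel: ", classify(FULL_TUNNEL))   # both flows ESP
```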
