Dear Paul,<br><br>Sorry for the late reply.<br><br>Let me explain in more detail what I'm working on.<br><br>We deployed a firewall system called a non-standard firewall to prevent hop-by-hop attacks. It is called a non-standard firewall because it consists of two boxes (both running Linux) which are connected to each other by a non-IP Ethernet connection. The model is below:<br>
<br> connect to Internet----- External Box ----- Internal Box ---connect to LAN<br>The connection between the External and Internal boxes is a non-IP Ethernet connection.<br><br>We decided to deploy Openswan on this non-standard firewall by installing it on the Internal box. We don't install Openswan on the External box because if a hacker can take control of the External box, he can read the content of all IPsec packets. We want to avoid that. <br>
<br>When we configure Openswan on the Internal box, the IP address of the left/right VPN gateway is the IP address of the External box (its public IP on the Internet), but the Internal box does not have any interface whose IP is the same as the External box's IP address. That is where the problem comes from. So we need to modify the path of packets coming to the Internal box.<br>
<br>We are going to capture all packets of the IKE exchanges and push them into a queue (using Netfilter and libipq); Openswan will listen on this queue and, whenever there is a packet in it, process that packet. This bypasses the routing lookup.<br>
<br>After reading the Openswan source code, I cannot find the functions that receive packets from the transport layer and pass them up to the application, nor the functions that send packets to the socket.<br><br>Can you help me find those functions in the Openswan source code?<br>
<br>Thank you very much.<br><br>Best regards,<br><br>LNSon.<br><div class="gmail_quote">On Sat, Nov 27, 2010 at 3:11 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">On Thu, 25 Nov 2010, Le Ngoc Son wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
In order to install/integrate Openswan on my firewall successfully, I need to modify the Openswan source code. The purpose of my work is to find the<br>
receive/send functions in the IKE implementation and then modify them to capture all packets at layer 3 before the routing process (using libipq). I went through the source<br>
code of Openswan but I cannot find the functions relating to it.<br>
</blockquote>
<br></div>
I am not sure I understand what you are trying to do.<br>
<br>
You can capture IKE packets before they are received/sent using the TAP_ROOM facility, but that is really<br>
meant for injecting things in test scenarios, and not for production use.<br>
<br>
Why do you need to capture? Do you just want to log certain things? Or modify behaviour?<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>================================================<br>Le Ngoc Son,<br>Computer Network and Telecommunication Department,<br>Faculty of Information Technology,<br>Natural Sciences University,<br>
National University of HCM City, Vietnam.<br>Email: <a href="mailto:lnson@fit.hcmuns.edu.vn">lnson@fit.hcmuns.edu.vn</a> , <a href="mailto:lnsonvn@gmail.com">lnsonvn@gmail.com</a><br><br>
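The Netfilter queue step described in the message above (pulling IKE packets out of the kernel before the routing lookup and handing them to a userspace listener), as an added example that is neither Openswan's code nor the poster's: a C classifier that a queue reader would run on each raw packet the kernel hands it. Packets arrive from ip_queue/libipq or NFQUEUE as raw IP datagrams, so the reader has to locate the UDP header, decide whether the payload is IKE (UDP/500, or UDP/4500 with the RFC 3948 zero non-ESP marker that distinguishes it from UDP-encapsulated ESP), and validate the 28-byte ISAKMP header before anything is passed to the daemon. The sample packets, addresses and SPIs are constructed for this example.

```c
/* Added example for this thread, not Openswan code: what a userspace
 * queue reader (ip_queue/libipq or NFQUEUE) must do with each raw IPv4
 * packet before handing it to an IKE daemon: pick out IKE on UDP/500 and
 * UDP/4500 and parse the ISAKMP header. Sample packets are constructed. */
#include <stdint.h>
#include <stdio.h>

enum ike_class { IKE_MALFORMED = -1, NOT_IKE = 0, IKE_PLAIN = 1, IKE_NATT = 2 };

struct ike_hdr {
    uint32_t src_ip, dst_ip;                 /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  ispi[8], rspi[8];
    uint8_t  next_payload, version, exchange_type, flags;
    uint32_t message_id, length;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                                                ((uint32_t)p[2] << 8) | (uint32_t)p[3]; }

/* Returns an ike_class; *out is filled only for IKE_PLAIN / IKE_NATT. */
int classify_ike(const uint8_t *pkt, size_t len, struct ike_hdr *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)          /* IPv4 only in this example */
        return NOT_IKE;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17)   /* need a UDP header */
        return NOT_IKE;
    if (rd16(pkt + 6) & 0x3fff)                  /* MF set or offset != 0: fragment */
        return NOT_IKE;

    const uint8_t *udp = pkt + ihl;
    uint16_t sport = rd16(udp), dport = rd16(udp + 2), ulen = rd16(udp + 4);
    int cls;
    if (sport == 500 || dport == 500)
        cls = IKE_PLAIN;
    else if (sport == 4500 || dport == 4500)
        cls = IKE_NATT;
    else
        return NOT_IKE;
    if (ulen < 8 || len < ihl + ulen)            /* UDP length vs. bytes we actually hold */
        return IKE_MALFORMED;

    const uint8_t *p = udp + 8;
    size_t plen = ulen - 8;
    if (cls == IKE_NATT) {
        /* RFC 3948: IKE on UDP/4500 starts with a 4-byte zero non-ESP marker;
         * anything else is UDP-encapsulated ESP or a NAT keepalive. */
        if (plen < 4 || rd32(p) != 0)
            return NOT_IKE;
        p += 4;
        plen -= 4;
    }
    if (plen < 28)                               /* ISAKMP header is 28 bytes */
        return IKE_MALFORMED;

    out->src_ip = rd32(pkt + 12);  out->dst_ip = rd32(pkt + 16);
    out->src_port = sport;         out->dst_port = dport;
    for (int i = 0; i < 8; i++) { out->ispi[i] = p[i]; out->rspi[i] = p[8 + i]; }
    out->next_payload = p[16];  out->version = p[17];
    out->exchange_type = p[18]; out->flags = p[19];
    out->message_id = rd32(p + 20);
    out->length = rd32(p + 24);
    if (out->length != plen)                     /* header length must match the wire */
        return IKE_MALFORMED;
    return cls;
}

/* Constructed samples: IKEv2 IKE_SA_INIT request 192.168.1.10 -> 203.0.113.5,
 * once on UDP/500, once NAT-T encapsulated on UDP/4500, plus ESP-in-UDP. */
static const uint8_t SAMPLE_IKE_INIT[] = {
    0x45,0,0,0x38, 0,1,0,0, 0x40,0x11,0,0, 0xc0,0xa8,1,10, 0xcb,0,0x71,5,  /* IPv4, proto UDP */
    0x01,0xf4,0x01,0xf4, 0,0x24,0,0,                                      /* UDP 500 -> 500, len 36 */
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0,0,0,0,0,0,0,0,            /* SPIi, SPIr */
    0x21,0x20,0x22,0x08, 0,0,0,0, 0,0,0,0x1c };  /* SA, v2.0, IKE_SA_INIT, I flag, msgid 0, len 28 */
static const uint8_t SAMPLE_IKE_NATT[] = {
    0x45,0,0,0x3c, 0,2,0,0, 0x40,0x11,0,0, 0xc0,0xa8,1,10, 0xcb,0,0x71,5,
    0x11,0x94,0x11,0x94, 0,0x28,0,0, 0,0,0,0,                             /* UDP 4500, non-ESP marker */
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0,0,0,0,0,0,0,0,
    0x21,0x20,0x22,0x08, 0,0,0,0, 0,0,0,0x1c };
static const uint8_t SAMPLE_UDP_ESP[] = {
    0x45,0,0,0x24, 0,3,0,0, 0x40,0x11,0,0, 0xc0,0xa8,1,10, 0xcb,0,0x71,5,
    0x11,0x94,0x11,0x94, 0,0x10,0,0, 0xde,0xad,0xbe,0xef, 0,0,0,1 };     /* ESP SPI + sequence */

int classify_only(const uint8_t *pkt, size_t len) { struct ike_hdr h; return classify_ike(pkt, len, &h); }
int exchange_type_of(const uint8_t *pkt, size_t len)
{ struct ike_hdr h; return classify_ike(pkt, len, &h) > 0 ? h.exchange_type : -1; }

int main(void)
{
    struct ike_hdr h;
    int c = classify_ike(SAMPLE_IKE_INIT, sizeof SAMPLE_IKE_INIT, &h);
    printf("class=%d exchange=%u msgid=%u len=%u\n", c, h.exchange_type,
           (unsigned)h.message_id, (unsigned)h.length);
    printf("natt=%d esp=%d truncated=%d\n",
           classify_only(SAMPLE_IKE_NATT, sizeof SAMPLE_IKE_NATT),
           classify_only(SAMPLE_UDP_ESP, sizeof SAMPLE_UDP_ESP),
           classify_only(SAMPLE_IKE_INIT, 40));   /* cut short: UDP length exceeds buffer */
    return 0;
}
```

The classifier deliberately ignores the destination address, which is the point of this setup: on the Internal box the packets are addressed to the External box's public IP, so they would never reach the INPUT chain. A rule in the mangle table's PREROUTING chain (for example `iptables -t mangle -A PREROUTING -p udp -m multiport --dports 500,4500 -j QUEUE` for ip_queue) matches them before the routing decision is made, and the queue reader then applies the checks above before re-injecting or consuming the packet.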