[Openswan dev] Tunnel in a tunnel : Magic behaviour

Francis GASCHET fg at numlog.fr
Wed Mar 9 13:42:26 CET 2005 

Hello all,

We are using "super-freeswan-1.99.7.3" in our FireWall product (FWB family).

One of our customers uses that gateway in his office and the Greenbow 
IPSEC client on his portable PC.
The problem rises when he is in the premise of a customer of his own : 
they use a Zyxel Prestige 653 FireWall. That stupid box catch all the 
IKE packets coming back. So the client never get an answer to its first 
Main mode packet...
As the Zyxel has some VPN capacity, we imagined to setup a private 
tunnel between the client and the private LAN of our customer (private 
to private, no NAT). And this tunnel would be embedded in a "public" 
tunnel between the Zyxel and the FWB.
Before to propose that, we tested it here. Here is the configuration 
(sorry for the long lines !) :

Target PC                                 FWB500                   
             ZYXEL                                 CLIENT
---------------           -------------------------------             
---------------------------------           -----------------
192.168.20.1/32----LAN----192.168.20.254 - -FW- - 1.1.1.1 -- INET --  
2.2.2.2  - -FW- -  192.168.13.254----LAN----192.168.13.130/32
                                                       =====================
                                                       || Internet 
tunnel || (leftSN=1.1.1.1/32, rightSN=192.168.13.130/32)
                                                     
<----------------------------------------------------------------------->
                                                     
=========================================================================
                                                     ||  Private to 
private tunnel                                          ||
      
<------------------------------------------------------------------------------------------------------------------------>
                                                     ||  
(leftSN=192.168.20.1/32, rightSN=192.168.13.130/32)                ||
                                                     
=========================================================================
                                                       || Internet tunnel ||
                                                       =====================

Just before starting the embedded tunnel I minded that it couldn't work, 
because in 1.1.1.1 the esp packets from the client will go out from 
ipsec0 and will never been decrypted...
Anyway, I started the tunnels and I started a ping from 192.168.13.130 
to 192.168.20.1
When I'm in 1.1.1.1, "tcpdump -i ipsec0" shows alternatively :
- One esp packet from 192.168.13.130 to 1.1.1.1 (looks normal)
- One icmp packet from 192.168.13.130 to 192.168.20.1 : the embedded esp 
is decrypted !!!!

Nothing special has been setup in the routes.
I cannot immagine how the esp packet going out from the kernel across 
ipsec0 can go across KLIPS again !
Does anybody have any clue on HOW THAT CONFIGURATION can work ?


As far as I don't understand that, we'll use a second gateway, situated 
in the left LAN, which will be the leftsubnet of the public tunnel. It 
is less secure because it gives some visibility of the 192.168.20.1 
subnet from the 192.168.13.130 subnet... But I understand how it does work !

Thank's for any idea !

-- 
Francis GASCHET / NUMLOG
http://www.numlog.fr
Tel.: +33 (0) 130 791 616
Fax.: +33 (0) 130 819 286


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4991 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.openswan.org/pipermail/dev/attachments/20050309/6fd7f1c1/smime.bin

More information about the Dev mailing list