[Openswan Users] Questions from a beginner ;)

David Clymer dclyme at hrcsb.org
Fri Aug 20 11:10:57 CEST 2004


Thus quoth Toby Corkindale:
> To: users at openswan.org
> From: Toby Corkindale <openswan at wintrmute.net>
> Subject: Re: [Openswan Users] Questions from a beginner ;)
> 
> On Fri, Aug 20, 2004 at 09:18:54AM -0400, David Clymer wrote:
> > Thus quoth Thomas Henneberger:
> > > To: users at openswan.org
> > > From: Thomas Henneberger <T.Henneberger at Hcs-Computer.de>
> > > Subject: [Openswan Users] Questions from a beginner ;)
> > > 
> > > Hello list
> > > 
> > > The first decision I have to make is what Distribution and Kernel to 
> > > use. According to some docs
> > > I read I could use a 2.6 Kernel with the internal IpSec-stack and just 
> > > install the Userland-Tools, other docs tell me that using a 2.6 Kernel 
> > > could make problems with Klips and the internal Ipsec stack. Some people 
> > > told me to use a 2.4 Kernel and stick with Klips. Nate Carlson writes 
> > > that a 2.4. Debian should work fine without touching the Kernel.
> > > All that got me confused ;)
> > > 
> > 
> > Openswan will work with both, so whichever you choose will work just
> > fine. However, one noticeable difference between the two is that, when
> > you set up a VPN with KLIPS, you "see" the unencrypted traffic come in 
> > on its own interface (called ipsec0, ipsec1, etc, depending on how many
> > you've set up). This is not the case with the "native" kernel code. If
> > you are planning to set up firewall rules on this box, you may find it
> > useful to have an ipsec interface for use in categorizing or
> > differentiating traffic which comes in on the VPN from unencrypted (and
> > less trusted?) traffic which is received on your ethernet interface.
> 
> Note that you can still categorise the traffic from a firewall point of view
> on 2.6, but that you can't use tcpdump to view both.
> ie. on 2.4 you can do
> tcpdump -i ppp0	# views encrypted traffic
> and
> tcpdump -i ipsec0 # views unencrypted traffic

2.4 & KLIPS. You can get 2.4 with backported native ipsec. For example, I'm 
running a debian 2.4.26 kernel with native ipsec.

> 
> but on 2.6, you can only do
> tcpdump -i ppp0	# views encrypted traffic
> 
> 
> Also, the way you categorise traffic at the firewall is different, too.
> 

I'm not sure I understand what you mean here. For the purposes of
clarification, I was talking about the following:

# allow IPsec receipt on eth0 (the udp match takes --destination-port, not --port)
iptables --append INPUT --in-interface eth0 --protocol udp --source 44.33.22.11 --destination-port 500 --jump ACCEPT 
iptables --append INPUT --in-interface eth0 --protocol esp --source 44.33.22.11 --jump ACCEPT 

# apply rules to unencrypted traffic coming over VPN
iptables --append FORWARD --in-interface ipsec0 --protocol tcp --destination 192.168.10.5 --destination-port 25 --jump ACCEPT 

as opposed to

# all rules, applying to both encrypted and unencrypted data apply to the same interface
iptables --append INPUT --in-interface eth0 --protocol udp --source 44.33.22.11 --destination-port 500 --jump ACCEPT 
iptables --append INPUT --in-interface eth0 --protocol esp --source 44.33.22.11 --jump ACCEPT 
iptables --append FORWARD --in-interface eth0 --protocol tcp --destination 192.168.10.5 --destination-port 25 --jump ACCEPT 

I like the logical separation of the rules in scenario one, as opposed to 
scenario two. It just makes more sense to me, when trying to think
through the rules and the flow of traffic.

-davidc
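
An added example, not code from David's or Toby's posts, that puts the two rule sets discussed in this thread into one script so the only difference between the KLIPS and native-stack cases is which interface the decrypted packets are matched on. The `ipsec_rules` function, the `run` dry-run wrapper and the `klips`/`native` argument are assumptions of this example. Note that iptables' udp match has `--source-port`/`--sport` and `--destination-port`/`--dport` but no `--port`, so the IKE rule uses `--dport 500`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emits the firewall rules
# for an Openswan peer on either IPsec stack. Hypothetical names: ipsec_rules,
# run, DRY_RUN. With DRY_RUN=1 (default) the rules are printed, not loaded.

DRY_RUN="${DRY_RUN:-1}"

# run: print the iptables command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ipsec_rules STACK OUTER_IF PEER INNER_HOST INNER_PORT
#   STACK  klips  -> decrypted packets arrive on the ipsec0 interface
#          native -> decrypted packets re-enter on the same interface (OUTER_IF)
#   Emits: IKE and ESP from PEER on OUTER_IF, and the plaintext FORWARD rule
#          for INNER_HOST:INNER_PORT on whichever interface STACK implies.
ipsec_rules() {
    stack="$1"; outer="$2"; peer="$3"; host="$4"; port="$5"

    case "$stack" in
        klips)  inner="ipsec0" ;;
        native) inner="$outer" ;;
        *) echo "ipsec_rules: unknown stack '$stack' (use klips|native)" >&2
           return 1 ;;
    esac

    # IKE (ISAKMP, UDP/500) only from the configured peer.
    # The udp match has no --port option; --dport is what was meant.
    run -A INPUT -i "$outer" -p udp -s "$peer" --dport 500 -j ACCEPT

    # ESP (IP protocol 50) only from the configured peer.
    run -A INPUT -i "$outer" -p esp -s "$peer" -j ACCEPT

    # Plaintext that came out of the tunnel, bound for the inner host.
    # On KLIPS this is seen on ipsec0; on the native stack it is seen on
    # the outer interface again, after decryption.
    run -A FORWARD -i "$inner" -p tcp -d "$host" --dport "$port" -j ACCEPT
}

# Example invocations using the addresses from the thread
ipsec_rules klips  eth0 44.33.22.11 192.168.10.5 25
ipsec_rules native eth0 44.33.22.11 192.168.10.5 25
```

Run it as-is to see both rule sets printed; set `DRY_RUN=0` and run as root to load one of them. The `--source` restriction on the IKE and ESP rules is deliberate: it keeps arbitrary hosts from reaching the IKE daemon, which is the part of the gateway exposed before any authentication has happened.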

