[Openswan Users] Controlling XFRM policies to prevent spoofing
Michael Smith
msmith at cbnco.com
Thu Jan 11 14:18:50 EST 2007
Hi all,
I'm using openswan 2.4.7 and netkey (kernel 2.6.18.3). I am trying to
figure out how to create IPsec policies to require that inbound traffic
from certain IP ranges can only be forwarded if it came in over IPsec.
Let's say I have a main office subnet, 10.10.1.0/24, and 100 satellite
offices connecting to it, each with one internal subnet:
- 10.20.1.0/24
- 10.20.2.0/24
- 10.20.3.0/24
- 10.20.4.0/24
... and so on up to 10.20.100.0/24, with future expansion planned up to
10.20.200.0/24.
On the main office security gateway I also have firewall rules allowing
satellite workstations - anything in 10.20.0.0/16 - to do various things
to servers in 10.10.1.0/24.
This is a little dangerous, because although 10.20.1-101 will be protected
by kernel IPsec policies, 10.20.101-255 would be wide open. Someone on the
Internet could inject packets claiming to come from 10.20.101.1, and
if they controlled the ISP's routers, they could even get replies.
I can get Openswan to create outbound IPsec policies covering all of
10.20.0.0/16 by creating and routing some dummy tunnels on the main
security gateway:
conn dummy
    leftsubnet=10.10.1.0/24
    rightsubnet=10.20.0.0/16
    #
    left=127.0.0.1
    leftnexthop=99.99.99.99
    leftid="/CN=not going to work"
    right=127.0.0.2
    rightnexthop=99.99.99.99
    rightid="/CN=also not going to work"
    #
    auto=route
This actually works, and creates XFRM policies preventing the main office
subnet (10.10.1.0/24) from sending replies to unused satellite
subnets (10.20.101-255).
# ip xfrm policy show
...
src 10.20.1.0/24 dst 10.20.0.0/16
    dir out priority 2348
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
But it still allows spoofed packets from 10.20.101-255 to be forwarded to
10.10.1.0/24. Is there a way to trick Openswan into creating dummy
policies that would block those inbound packets? I could create the XFRM
rules by hand, but I think Openswan might delete them at any time, right?
Thanks,
Mike
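As an added example (not code from the post or from Openswan itself), a small audit script that parses `ip xfrm policy show` output and reports which parts of 10.20.0.0/16 have no policy in a given direction toward 10.10.1.0/24; the kernel checks forwarded packets against `dir fwd` policies, so gaps there are exactly the ranges that spoofed packets could reach. The policy listing, tunnel endpoints (99.99.99.x) and reqids below are constructed sample data.

```python
import re
from ipaddress import ip_network

# Constructed sample of `ip xfrm policy show` output (not from the post): fwd
# policies for two real satellite tunnels plus the dummy outbound-only policy
# covering all of 10.20.0.0/16 that the dummy conn produces.
SAMPLE_XFRM = """\
src 10.20.1.0/24 dst 10.10.1.0/24
	dir fwd priority 2344
	tmpl src 99.99.99.2 dst 99.99.99.1
		proto esp reqid 16385 mode tunnel
src 10.20.2.0/24 dst 10.10.1.0/24
	dir fwd priority 2344
	tmpl src 99.99.99.3 dst 99.99.99.1
		proto esp reqid 16386 mode tunnel
src 10.10.1.0/24 dst 10.20.0.0/16
	dir out priority 2348
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
"""

def parse_policies(text):
    """Return [{'src', 'dst', 'dir'}] from xfrm output; tmpl/proto lines are skipped."""
    pols, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line.strip())
        if m:  # selector header of a new policy
            cur = {"src": ip_network(m.group(1)), "dst": ip_network(m.group(2))}
            pols.append(cur)
        elif cur is not None and line.strip().startswith("dir "):
            cur["dir"] = line.split()[1]
    return pols

def uncovered(text, direction, peers="10.20.0.0/16", local="10.10.1.0/24"):
    """Parts of `peers` with no `direction` policy between them and `local`.
    For 'in'/'fwd' the peer range is the selector src, for 'out' it is the dst."""
    local = ip_network(local)
    remaining = [ip_network(peers)]
    for p in parse_policies(text):
        peer, loc = (p["dst"], p["src"]) if direction == "out" else (p["src"], p["dst"])
        if p.get("dir") != direction or not local.subnet_of(loc):
            continue  # wrong direction, or not a policy for our office subnet
        nxt = []
        for net in remaining:
            if net.subnet_of(peer):
                continue  # fully covered by this policy: drop it
            # carve the covered hole out, or keep the net untouched
            nxt.extend(net.address_exclude(peer) if peer.subnet_of(net) else [net])
        remaining = nxt
    return [str(n) for n in sorted(remaining)]
```

With the sample above, `uncovered(SAMPLE_XFRM, "out")` is empty (the dummy conn covers the whole /16), while `uncovered(SAMPLE_XFRM, "fwd")` lists every satellite range that is still open to spoofing.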