[Openswan Users] Controlling XFRM policies to prevent spoofing
msmith at cbnco.com
Thu Jan 11 14:18:50 EST 2007
I'm using Openswan 2.4.7 and netkey (kernel 188.8.131.52). I am trying to
figure out how to create IPsec policies to require that inbound traffic
from certain IP ranges can only be forwarded if it came in over IPsec.
Let's say I have a main office subnet, 10.10.1.0/24, and 100 satellite
offices connecting to it, each with one internal subnet:
... and so on up to 10.20.100.0/24, with future expansion planned up to
On the main office security gateway I also have firewall rules allowing
satellite workstations - anything in 10.20.0.0/16 - to do various things
to servers in 10.10.1.0/24.
This is a little dangerous, because although 10.20.1-101 will be protected
by kernel IPsec policies, 10.20.101-255 would be wide open. Someone on the
Internet could inject packets claiming to come from 10.20.101.1, and
if they controlled the ISP's routers, they could even get replies.
I can get Openswan to create outbound IPsec policies covering all of
10.20.0.0/16 by creating and routing some dummy tunnels on the main
    leftid="/CN=not going to work"
    rightid="/CN=also not going to work"
This actually works, and creates XFRM policies preventing the main office
subnet (10.10.1.0/24) from sending replies to unused satellite
    # ip xfrm policy show
    src 10.20.1.0/24 dst 10.20.0.0/16
        dir out priority 2348
        tmpl src 0.0.0.0 dst 0.0.0.0
            proto esp reqid 0 mode transport
But it still allows spoofed packets from 10.20.101-255 to be forwarded to
10.10.1.0/24. Is there a way to trick Openswan into creating dummy
policies that would block those inbound packets? I could create the XFRM
rules by hand, but I think Openswan might delete them at any time, right?
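
The gap described in the message above can be audited offline. This is an added example, not part of the original post or of Openswan: it lists the source ranges that a firewall rule accepts but that no tunnel policy covers. The function names and the assumption that the satellite subnets run from 10.20.1.0/24 to 10.20.100.0/24 are illustrative.

```python
import ipaddress


def uncovered_sources(allowed, protected):
    """Return the CIDR blocks inside `allowed` that no `protected` subnet covers.

    allowed   -- source range the firewall rule accepts, e.g. "10.20.0.0/16"
    protected -- remote subnets that have an IPsec policy (one per tunnel)
    """
    remaining = [ipaddress.ip_network(allowed)]
    for tunnel in map(ipaddress.ip_network, protected):
        next_remaining = []
        for block in remaining:
            if not block.overlaps(tunnel):
                next_remaining.append(block)      # untouched by this tunnel
            elif block.subnet_of(tunnel):
                continue                          # fully covered by the tunnel
            else:
                # CIDR blocks either nest or are disjoint, so the tunnel lies
                # strictly inside this block: keep everything around it.
                next_remaining.extend(block.address_exclude(tunnel))
        remaining = next_remaining
    return list(ipaddress.collapse_addresses(remaining))


def accepted_without_ipsec(source, gaps):
    """True if `source` falls in a range the firewall accepts without IPsec."""
    addr = ipaddress.ip_address(source)
    return any(addr in gap for gap in gaps)


# Constructed input: assumed satellite subnets 10.20.1.0/24 .. 10.20.100.0/24.
SATELLITES = ["10.20.%d.0/24" % n for n in range(1, 101)]
FIREWALL_RANGE = "10.20.0.0/16"

if __name__ == "__main__":
    gaps = uncovered_sources(FIREWALL_RANGE, SATELLITES)
    for gap in gaps:
        print("accepted by firewall, no IPsec policy:", gap)
    print("addresses exposed:", sum(g.num_addresses for g in gaps))
```

Each block it reports is a range where either the firewall rule should be narrowed or an inbound policy is needed.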