[Openswan Users] Controlling XFRM policies to prevent spoofing

Michael Smith msmith at cbnco.com
Thu Jan 11 14:18:50 EST 2007

Hi all,

I'm using openswan 2.4.7 and netkey (kernel I am trying to 
figure out how to create IPsec policies to require that inbound traffic 
from certain IP ranges can only be forwarded if it came in over IPsec.

Let's say I have a main office subnet,, and 100 satellite 
offices connecting to it, each with one internal subnet:
  ... and so on up to, with future expansion planned up to

On the main office security gateway I also have firewall rules allowing 
satellite workstations - anything in - to do various things 
to servers in

This is a little dangerous, because although 10.20.1-101 will be protected 
by kernel IPsec policies, 10.20.101-255 would be wide open. Someone on the 
Internet could inject packets claiming to come from, and 
if they controlled the ISP's routers, they could even get replies.

I can get Openswan to create outbound IPsec policies covering all of by creating and routing some dummy tunnels on the main 
security gateway:

conn dummy
	leftid="/CN=not going to work"
	rightid="/CN=also not going to work"

This actually works, and creates XFRM policies preventing the main office 
subnet ( from sending replies to unused satellite 
subnets (10.20.101-255).

# ip xfrm policy show
src dst
        dir out priority 2348
        tmpl src dst
                proto esp reqid 0 mode transport

But it still allows spoofed packets from 10.20.101-255 to be forwarded to Is there a way to trick Openswan into creating dummy 
policies that would block those inbound packets? I could create the XFRM 
rules by hand, but I think Openswan might delete them at any time, right?
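As an added example (not part of the original post or of Openswan itself), the script below does by hand what the post asks Openswan to do: it installs XFRM policies with `action block` for every unused satellite /24 in all three directions (`in` for packets addressed to the gateway, `fwd` for packets the gateway would forward, `out` for replies), so that a cleartext packet claiming to come from one of those ranges is dropped by the kernel rather than forwarded. Assumptions: the main office subnet is a placeholder (`MAIN_SUBNET`, since the address is missing from the post); the unused range is taken as 10.20.101.0/24 through 10.20.255.0/24; the block policies get priority 3000, a larger number than the 2348 shown in the post, because XFRM prefers the lower number, so any policy Openswan installs for a real tunnel in that range later would win over the block rule. `ip xfrm policy update` is used instead of `add` so the script can be re-run if the rules disappear. Without the `apply` argument it only prints the commands.

```shell
#!/bin/sh
# Constructed example: block cleartext traffic for unused satellite subnets
# with XFRM policies. Run with "apply" as root on a Linux host with XFRM;
# run with "print" (or no argument, when sourced) for a dry run.
set -eu

MAIN_SUBNET="${MAIN_SUBNET:-10.10.0.0/16}"   # ASSUMED placeholder for the main office subnet
SAT_FIRST_UNUSED="${SAT_FIRST_UNUSED:-101}"  # ASSUMED: 10.20.101.0/24 is the first unused satellite
SAT_LAST="${SAT_LAST:-255}"
BLOCK_PRIORITY="${BLOCK_PRIORITY:-3000}"     # ASSUMED: larger than Openswan's numbers, so its policies win

# Emit the three ip commands for one unused /24: drop inbound (to the
# gateway), forwarded, and outbound (replies) cleartext traffic for it.
xfrm_block_cmds() {
    sub="$1"
    echo "ip xfrm policy update src $sub dst $MAIN_SUBNET dir in priority $BLOCK_PRIORITY action block"
    echo "ip xfrm policy update src $sub dst $MAIN_SUBNET dir fwd priority $BLOCK_PRIORITY action block"
    echo "ip xfrm policy update src $MAIN_SUBNET dst $sub dir out priority $BLOCK_PRIORITY action block"
}

# List every unused satellite subnet, one CIDR per line.
unused_subnets() {
    i="$SAT_FIRST_UNUSED"
    while [ "$i" -le "$SAT_LAST" ]; do
        echo "10.20.$i.0/24"
        i=$((i + 1))
    done
}

# Full command list for all unused subnets.
generate_policies() {
    unused_subnets | while read -r sub; do
        xfrm_block_cmds "$sub"
    done
}

# Entry point: "apply" executes the commands, anything else prints them.
main() {
    if [ "${1:-print}" = "apply" ]; then
        generate_policies | while read -r cmd; do
            sh -c "$cmd"
        done
    else
        generate_policies
    fi
}

case "${1:-}" in
    apply|print) main "$1" ;;
esac
```

After applying, `ip xfrm policy show` should list the block entries alongside the `dir out` template policies the dummy conns already create; a cleartext packet from, say, 10.20.150.5 arriving on the outside interface then matches the `dir fwd` block policy and is dropped before the firewall rules for the satellite range see it. Whether Openswan flushes hand-installed policies on restart is not settled by the post; re-running the script is the safe answer either way.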
