[Openswan Users] About receive/send functions of Openswan

Paul Wouters paul at xelerance.com
Tue Dec 7 13:14:49 EST 2010


On Tue, 7 Dec 2010, Le Ngoc Son wrote:

> Let me explain in more detail what I'm working on.
> 
> We deployed a firewall system called a non-standard firewall to prevent hop-by-hop attacks. This is called a non-standard firewall because it includes two boxes (running Linux)
> which connect together using a non-IP Ethernet connection.  The model is below:
> 
>                              connect to Internet----- External Box ----- Internal Box ---connect to LAN
> The connection between External and Internal Box is a non-IP Ethernet connection.
> 
> We decided to deploy Openswan on this non-standard firewall by installing it on Internal Box. We don't install Openswan on External Box because if a hacker can control the
> External, he can read the content of all IPsec packets. We want to avoid that.
> 
> When we configure Openswan at Internal, the IP address of the left/right VPN gateway is the IP address of External (public IP to the Internet), but Internal does not have any
> interface whose IP is the same as the IP address of External. That is where the problem comes from. So we need to modify the path of packets coming to Internal.
> 
> We're going to capture all packets of IKE exchanges and push them to a queue (using Netfilter and libipq); Openswan will listen on this queue, and if there is any packet on the queue,
> Openswan will process it. This will bypass the routing lookup process.

Why don't you use a "port forward" encapsulated over the non-IP ethernet
connection?  Openswan's left (local) should just be its "external ip",
even if that is going to be NAT'ed (e.g. by External), if the port forward
sends the packet destined for External to the IP on Internal.

Though granted, this builds an "ip ethernet" connection between internal
and external, but then again, so does an IPsec tunnel.

Paul
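The "port forward" Paul suggests, written out as an added example that is not part of the thread and not Openswan's own code: a POSIX sh script that generates the iptables rules the External box would need to forward IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) arriving at its public address to the Internal box, where Openswan runs with `left=` set to that public address. The addresses and interface name are constructed placeholders; the rules are printed rather than applied so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): port-forward rules for the External box,
# so that IKE and ESP reach Openswan on the Internal box. Only Internal holds
# the IPsec keys; External merely rewrites addresses and forwards packets.
# All values below are constructed placeholders.
EXT_IP="${EXT_IP:-203.0.113.10}"     # assumed public address of External
INT_IP="${INT_IP:-10.255.255.2}"     # assumed address of Internal on the inter-box link
WAN_IF="${WAN_IF:-eth0}"             # assumed Internet-facing interface of External

# Print the rule set for review instead of applying it directly.
ipsec_forward_rules() {
    ext="$1"; int="$2"; wan="$3"
    # Inbound: DNAT IKE and NAT-T to the Internal box.
    for spec in "udp --dport 500" "udp --dport 4500"; do
        echo "iptables -t nat -A PREROUTING -i $wan -d $ext -p $spec -j DNAT --to-destination $int"
    done
    # Inbound: ESP carries no port, so DNAT rewrites only the destination address.
    echo "iptables -t nat -A PREROUTING -i $wan -d $ext -p esp -j DNAT --to-destination $int"
    # Let only the forwarded IPsec traffic through FORWARD; everything else stays at the default policy.
    for spec in "udp --dport 500" "udp --dport 4500" "esp"; do
        echo "iptables -A FORWARD -i $wan -d $int -p $spec -j ACCEPT"
    done
    # Outbound: replies from Internal leave with External's public address as source.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $int -j SNAT --to-source $ext"
}

# Number of generated rules, handy for a sanity check before applying.
rule_count() { ipsec_forward_rules "$@" | wc -l | tr -d ' '; }

# Review: sh forward.sh     Apply (on External, as root): sh forward.sh | sh
ipsec_forward_rules "$EXT_IP" "$INT_IP" "$WAN_IF"
```

Because the DNAT rewrites the destination to Internal's link address while the peer still addresses the public IP, Internal's Openswan is configured with `left=` equal to External's public address, exactly the "left should just be its external ip, even if NAT'ed" arrangement Paul describes; IKE's own NAT detection then copes with the address rewrite. The FORWARD rules are deliberately narrow so that the non-IP link between the two boxes carries nothing but the IPsec control and data traffic.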

