[Openswan Users] About receive/send functions of Openswan

Le Ngoc Son shmilt24 at gmail.com
Tue Dec 7 04:06:41 EST 2010


Dear Paul,

Sorry for the late reply.

Let me explain in more detail what I'm working on.

We deployed a firewall system that we call a non-standard firewall to prevent
hop-by-hop attacks. It is called a non-standard firewall because it consists of
two boxes (running Linux) which are connected to each other by a non-IP Ethernet
connection. The model is below:

    Internet ----- External Box ----- Internal Box ----- LAN

The connection between the External Box and the Internal Box is a non-IP
Ethernet connection.

We decided to deploy Openswan on this non-standard firewall by installing it
on the Internal Box. We do not install Openswan on the External Box because, if
a hacker can take control of the External Box, he can read the content of all
IPsec packets. We want to avoid that.

When we configure Openswan on the Internal Box, the IP address of the left/right
VPN gateway is the IP address of the External Box (its public IP on the
Internet), but the Internal Box does not have any interface whose IP is the same
as the IP address of the External Box. That is where the problem comes from. So
we need to modify the path of the packets coming to the Internal Box.

We are going to capture all packets of the IKE exchanges and push them to a
queue (using Netfilter and libipq); Openswan will listen on this queue and, if
there is any packet on the queue, Openswan will process it. This will bypass
the routing lookup process.

After reading the source code of Openswan, I cannot find the functions that
receive the packets from the transport layer and push them into the
application, nor the functions that send packets to the socket.

Can you help me by pointing out those functions in the Openswan source code?

Thank you very much.

Best regards,

LNSon.

On Sat, Nov 27, 2010 at 3:11 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 25 Nov 2010, Le Ngoc Son wrote:
>
>> In order to install/integrate Openswan on my firewall successfully, I
>> need to modify the Openswan source code. The purpose of my work is finding
>> the receive/send functions in the IKE implementation, then modifying them to
>> capture all packets at layer 3 before the routing process (using libipq). I
>> looked through the source code of Openswan but I cannot find the functions
>> relating to it.
>>
>
> I am not sure I understand what you are trying to do.
>
> You can capture IKE packets before they are received/sent using the TAP_ROOM
> facility, but that is really meant for injecting things in test scenarios,
> and not for production use.
>
> Why do you need to capture? Do you just want to log certain things? Or
> modify behaviour?
>
> Paul
>



-- 
================================================
Le Ngoc Son,
Computer Network and Telecommunication Department,
Faculty of Information Technology,
Natural Sciences University,
National University of HCM City, Vietnam.
Email: lnson at fit.hcmuns.edu.vn , lnsonvn at gmail.com
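For the capture step described in the message above (divert the IKE datagrams on UDP 500/4500 to a Netfilter queue and decide which of them to hand to the IKE daemon), here is an added example in Python. It is not code from Openswan, from libipq, or from the original post. The iptables rules, the interface name eth1 and the queue number are assumptions; the fixed ISAKMP header layout follows RFC 2408/RFC 4306 and the handling of the NAT-T non-ESP marker follows RFC 3948; the sample packets are constructed for illustration, not captured traffic.

```python
"""Added example (not Openswan or libipq code): pick out the IKE datagrams a
Netfilter queue would deliver to user space and decode the fixed ISAKMP header
before handing the message to an IKE daemon.

Header layout: RFC 2408 / RFC 4306.  NAT-T non-ESP marker: RFC 3948.
Sample packets at the bottom are constructed for illustration.
"""
import struct
from typing import List, Optional

IKE_PORT = 500        # plain IKE
IKE_NATT_PORT = 4500  # NAT-T: IKE behind a 4-byte zero marker, or ESP-in-UDP

# Fixed ISAKMP/IKE header, network byte order:
# initiator SPI(8) responder SPI(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4)  = 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def nfqueue_rules(queue_num: int = 0, ifname: str = "eth1") -> List[str]:
    """iptables rules that divert IKE datagrams to NFQUEUE in the mangle
    PREROUTING hook, i.e. before the routing decision, which is what a
    user-space queue reader (libipq / libnetfilter_queue) then consumes.
    ifname ("eth1") is a hypothetical name for the link to the External Box."""
    if not 0 <= queue_num <= 0xFFFF:
        raise ValueError("NFQUEUE queue number must fit in 16 bits")
    return [
        f"iptables -t mangle -A PREROUTING -i {ifname} -p udp --dport {port} "
        f"-j NFQUEUE --queue-num {queue_num}"
        for port in (IKE_PORT, IKE_NATT_PORT)
    ]


def ike_message(udp_payload: bytes, dport: int) -> Optional[bytes]:
    """Return the IKE message carried in a UDP datagram, or None if it is not
    IKE (ESP-in-UDP or a NAT-T keepalive on 4500, or an unrelated port)."""
    if dport == IKE_PORT:
        return udp_payload
    if dport == IKE_NATT_PORT:
        # RFC 3948: IKE on 4500 is prefixed with a zero non-ESP marker; an ESP
        # packet starts with its non-zero SPI, a keepalive is a single 0xFF.
        if len(udp_payload) > 4 and udp_payload[:4] == b"\x00\x00\x00\x00":
            return udp_payload[4:]
    return None


def parse_isakmp_header(msg: bytes) -> dict:
    """Decode the 28-byte fixed header and sanity-check it before the message
    reaches the IKE state machine."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(msg)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(msg):
        raise ValueError(f"length field {length} != message size {len(msg)}")
    if exch not in EXCHANGE_TYPES:
        raise ValueError(f"unknown exchange type {exch}")
    return {
        "version": f"IKEv{major}.{minor}",
        "ispi": ispi.hex(),
        "rspi": rspi.hex(),
        "next_payload": next_payload,
        "exchange": EXCHANGE_TYPES[exch],
        "flags": flags,
        "msg_id": msg_id,
        "length": length,
    }


def classify_datagram(udp_payload: bytes, dport: int) -> Optional[dict]:
    """What the queue reader would do per packet: None means leave it to the
    kernel (not IKE); a dict is the decoded header to pass to the daemon."""
    msg = ike_message(udp_payload, dport)
    return None if msg is None else parse_isakmp_header(msg)


def build_ike(ispi, rspi, next_payload, version, exch, flags, msg_id, body):
    """Builder for constructed test packets; body is opaque filler, not a
    real encoded IKE payload."""
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, version, exch, flags,
                           msg_id, ISAKMP_HDR.size + len(body)) + body


# Constructed samples (not captured traffic).
SAMPLE_IKEV1_MAIN_MODE = build_ike(bytes.fromhex("0123456789abcdef"), bytes(8),
                                   1, 0x10, 2, 0, 0, b"\x00" * 8)
SAMPLE_IKEV2_SA_INIT_NATT = b"\x00\x00\x00\x00" + build_ike(
    bytes.fromhex("fedcba9876543210"), bytes(8), 33, 0x20, 34, 0x08, 0, b"\x00" * 8)
SAMPLE_ESP_IN_UDP = bytes.fromhex("c0000001" "00000001") + b"\x00" * 16

if __name__ == "__main__":
    for rule in nfqueue_rules(0):
        print(rule)
    print(classify_datagram(SAMPLE_IKEV1_MAIN_MODE, IKE_PORT))
    print(classify_datagram(SAMPLE_IKEV2_SA_INIT_NATT, IKE_NATT_PORT))
    print(classify_datagram(SAMPLE_ESP_IN_UDP, IKE_NATT_PORT))
```

Whatever reads the queue (libipq's ipq_read/ipq_set_verdict, or its successor libnetfilter_queue) still has to return a verdict for every queued packet, including the ESP-in-UDP ones on 4500 that classify_datagram rejects, or the kernel keeps them queued; and because the rules sit in PREROUTING, the datagrams addressed to the External Box's IP are seen before the routing decision that would otherwise fail on the Internal Box.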