[Openswan Users] About receive/send functions of Openswan

Le Ngoc Son shmilt24 at gmail.com
Tue Dec 7 20:15:15 EST 2010


Dear Paul,

If we do that, we will break the principles of the non-standard firewall. The
connection between the two boxes must be a non-IP connection.

I don't know which function of the Openswan source code runs first when we
start the ip service.

LNSon.

On Wed, Dec 8, 2010 at 1:14 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 7 Dec 2010, Le Ngoc Son wrote:
>
>> Let me explain more details about what I'm working on.
>>
>> We deployed a firewall system called a non-standard firewall to prevent
>> hop-by-hop attacks. It is called a non-standard firewall because it includes
>> two boxes (running Linux) which connect together using a non-IP ethernet
>> connection. The model is below:
>>
>> connect to Internet ----- External Box ----- Internal Box --- connect to LAN
>>
>> The connection between the External and Internal Box is a non-IP ethernet
>> connection.
>>
>> We decided to deploy Openswan on this non-standard firewall by installing
>> it on the Internal Box. We don't install Openswan on the External Box, because
>> if the hacker can control the External, it can read the content of all IPsec
>> packets. We want to avoid that.
>>
>> When we configure Openswan on Internal, the IP address of the left/right VPN
>> gateway is the IP address of External (the public IP to the Internet), but
>> Internal does not have any interface whose IP is the same as the IP address of
>> External. That is where the problem comes from. So we need to modify the path
>> of packets coming to Internal.
>>
>> We're going to capture all packets of the IKE exchanges and push them to a
>> queue (using Netfilter and libiq); Openswan will listen on this queue, and if
>> there is any packet on the queue, Openswan will process it. This will bypass
>> the routing lookup process.
>>
>
> Why don't you use a "port forward" encapsulated over the non-ip ethernet
> connection? Openswan's left (local) should just be its "external ip",
> even if that is going to be NAT'ed (eg by External), if the port forward
> sends the packet destined for External to the IP on Internal.
>
> Though granted, this builds an "ip ethernet" connection between internal
> and external, but then again, so does an IPsec tunnel.
>
> Paul
>



-- 
================================================
Le Ngoc Son,
Computer Network and Telecommunication Department,
Faculty of Information Technology,
Natural Sciences University,
National University of HCM City, Vietnam.
Email: lnson at fit.hcmuns.edu.vn , lnsonvn at gmail.com