I am running OpenBSD 3.1 with IPFilter 3.4.29. I would like to filter
inbound IPsec traffic entering via the enc0 interface based on the internal
destination addresses (10.1.1.0/24). The problem I am having is that the
packets coming from enc0 to ipf still contain the IP headers with the address
of the tunnel end-point (193.221.14.229), instead of just the included tcp,
udp or icmp packets as they would come from a standard interface. The
following is output from 'ipmon -bxt':
27/10/2002 12:34:17.650807 enc0 @0:13 b 65.59.105.24 -> 193.221.14.229 PR ip len 20 (80) IN
45 80 50 00 a4 1a 00 00 75 04 78 3b 41 3b 69 18 E.P.�...u.x;A;i.
c1 dd 0e e5 45 00 00 3c 1a a3 00 00 80 01 6a c7 CS;.E..<.�....j�
41 3b 69 18 0a 01 01 03 08 00 46 5c 02 00 05 00 A;i.......F\....
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
27/10/2002 12:35:25.559314 enc0 @0:13 b 65.59.105.24 -> 193.221.14.229 PR ip len 20 (68) IN
45 80 44 00 bd 1a 00 40 75 04 1f 47 41 3b 69 18 E.D.�..@u..GA;i.
c1 dd 0e e5 45 00 00 30 1a bc 40 00 80 06 2a b5 CS;.E..0.�@...*�
41 3b 69 18 0a 01 01 03 0b ec 03 e7 ca a7 19 62 A;i......�.�ʧ.b
00 00 00 00 70 02 22 38 b7 b3 00 00 02 04 05 b4 ....p."8��.....�
01 01 04 02 ....
Is there any way to get at the included packets with ipf on the inbound
side? I can probably set up outbound rules to filter the traffic, but
that means setting up rules on multiple interfaces. I also prefer to
use inbound rules in order to make the block/pass decisions as early as
possible in the processing cycle.
Thanks for any assistance.
Bob