
Re: IPsec passthrough



On Tue, 7 Aug 2001, Pace, Jonathan wrote:

> I recently switched from a RH Linux box (kernel 2.4.3-12) using iptables to
> NAT and firewall our internal network and connect to the internet.  Switched
> to OpenBSD 2.9 using ipf and ipnat, got it all functioning and happy using
> the FAQs, but now must turn to the lists for something I couldn't find
> covered in them.
>
> From a client on my internal net, I previously (through the RH box) could
> establish an IPSec tunnel to an external IPsec gateway (a Nortel Contivity)
> even though NAT is supposed to break IPsec (or the AH portion of it anyway).
> I could only do this from one machine at a time, and I've heard it referred
> to as IPSec-passthru, where for one particular NATed host, the gateway
> machine will pass the packets through with certain UDP headers unmodified
> (or some such nonsense), so that the packets aren't dropped at the secure
> gateway (which NATed packets usually are since they've been mangled).  Some
> small SOHO dual ethernet routers also support this
> (http://www.netgear.com/categories.asp?xrp=4&yrp=12 and
> http://www.linksys.com/products/group.asp?grid=5).
>
> Any way to introduce this feature or make it work through the OpenBSD box?
> I'd really rather not go back to RH.  I realize AH causes NATed packets to
> be dropped for a good reason (mangled packets of unverifiable origins), but
> supporting passthru shouldn't be a security concern for those boxes through
> which the packets are passing.


    If you're performing TUNNEL MODE IPSec, you should be able to have the
OpenBSD box establish the SAs with the Nortel and limit access to the
Nortel (say, your machine only) with your ipf rules.  This would fall
under the basic LAN-to-LAN tunnel mode ISAKMP/IPSec setup, which is
clearly documented.  The difference being that you're restricting access
to that tunnel via your ipf rules (and I'm sure there is a way to limit
that access within the isakmpd.conf as well).

.z
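An ipf ruleset that does the restriction the reply describes, as an added example (not from the original message or from OpenBSD's own documentation): the gateway-to-gateway ISAKMP/ESP exchange is allowed only between the two gateways, and the decapsulated traffic on enc0 is limited to one internal host. Interface names (xl0, enc0) and all addresses are assumptions.

```conf
# /etc/ipf.rules fragment (constructed example; names and addresses are assumptions)
#   xl0            = external interface, 203.0.113.2 (assumed public address of the OpenBSD box)
#   enc0           = IPsec pseudo-interface where decapsulated tunnel traffic appears
#   192.0.2.10     = Nortel Contivity public address (placeholder)
#   10.0.0.0/24    = internal LAN; 10.0.0.5 = the single workstation allowed into the tunnel
#   172.16.0.0/16  = network behind the Nortel (placeholder)

# ISAKMP (UDP 500) and ESP are exchanged only between the two gateways;
# no internal host needs to speak IPsec through NAT any more.
pass out quick on xl0 proto udp from 203.0.113.2 port = 500 to 192.0.2.10 port = 500
pass in  quick on xl0 proto udp from 192.0.2.10 port = 500 to 203.0.113.2 port = 500
pass out quick on xl0 proto esp from 203.0.113.2 to 192.0.2.10
pass in  quick on xl0 proto esp from 192.0.2.10 to 203.0.113.2

# Cleartext inside the tunnel is filtered on enc0: only the chosen host passes;
# anything else from the LAN toward the remote network is blocked and logged,
# which gives the one-host behaviour the old "passthrough" provided.
pass out quick on enc0 from 10.0.0.5 to 172.16.0.0/16
pass in  quick on enc0 from 172.16.0.0/16 to 10.0.0.5
block out log quick on enc0 from 10.0.0.0/24 to 172.16.0.0/16
block in  log quick on enc0 from 172.16.0.0/16 to 10.0.0.0/24
```

The blocked, logged enc0 entries are also the place to watch for other LAN hosts unexpectedly trying to reach the remote network.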