
Re: Insecure routing to private nets using IPSec



# macros
int_if = "fxp0"
ext_if = "fxp1"

tcp_services = "{ 22 }"
icmp_types = "echoreq"

# Tunnel endpoints (the external addresses of the two gateways) and the
# private networks behind them.  Written from the point of view of
# gateway A; swap the A/B macros on gateway B.
GATEWAY_A = "192.168.1.37/32"
GATEWAY_B = "192.168.1.226/32"
NETWORK_A = "10.1.1.0/24"
NETWORK_B = "192.168.2.0/24"

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> $ext_if
# ftp-proxy(8) listening on 127.0.0.1:8021
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
# Default deny on the external interface and on enc0.  This is what
# keeps a host on the 192.168.1 net from simply routing cleartext
# packets for $NETWORK_A through this gateway: nothing arriving on
# $ext_if is forwarded unless a rule below passes it, and the only
# rules that pass packets into the private networks match on enc0.
block in  on { enc0, $ext_if } all
block out on { enc0, $ext_if } all

pass quick on lo0 all

# Services offered by the gateway itself on its external address.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type \
    $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# VPN Rules
# Passing in encrypted traffic from security gateways: on the external
# interface only ESP between the two gateway addresses is accepted.
pass in  quick on $ext_if proto esp from $GATEWAY_B to $GATEWAY_A
pass out quick on $ext_if proto esp from $GATEWAY_A to $GATEWAY_B

# Need to allow ipencap traffic on enc0 (tunnel-mode IPsec packets show
# up on enc0 as IP-in-IP once they have been decapsulated).
pass in quick on enc0 proto ipencap all

# Passing in traffic from the designated subnets.  These rules match on
# enc0 only, i.e. after the packet has been decrypted and authenticated
# by IPsec; a cleartext packet for $NETWORK_A arriving on $ext_if never
# reaches them and is dropped by the block rule above.
pass in  quick on enc0 from $NETWORK_B to $NETWORK_A
pass out quick on enc0 from $NETWORK_A to $NETWORK_B

# Passing in isakmpd(8) traffic from the security gateways
pass in  quick on $ext_if proto udp from $GATEWAY_B to $GATEWAY_A port isakmp
pass out quick on $ext_if proto udp from $GATEWAY_A to $GATEWAY_B port isakmp


On Tue, 2 Nov 2004 09:24:28 -0600, Joel Gudknecht <photohaus_(_at_)_gmail_(_dot_)_com> wrote:
> Hello,
> 
> I've discovered something when trying to set up a VPN using IPSec
> between two OpenBSD gateways.
> 
> Please see this diagram for the network layout:
> 
> http://www.photohaus.org/ipsec.jpg
> 
> The IPSec tunnel works fine, I've verified nodes are sending
> encapsulated pings over the tunnel.
> 
> My problem is this, I set up a laptop on the 192.168.1 net, and I added
> a route like this:
> 
> route add 192.168.2 192.168.1.226
> 
> After adding this route I was able to ping 192.168.2.50 with no
> problems, and no authentication at all. Is this by design, or does it
> have something to do with NAT?
> 
> Any insight or explanation of this would be greatly appreciated.
> 
> Can this behavior be prevented with additional filtering? I was under
> the impression that it was only possible to access the private nets
> behind the firewalls when using the IPSec tunnel.
> 
> Thank you,
> JG
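A way to confirm that the leak described in the quoted question is closed on a gateway, written here as an added example for this thread (it is not code posted by either participant): capture on the external interface and look for any packet that names an address in one of the private networks. Tunnelled traffic appears on that interface only as ESP and isakmp between the two gateway addresses, so a line showing a 10.1.1.x or 192.168.2.x address is a packet that was routed around the tunnel in cleartext, exactly what the laptop with the static route produced. Interface and address names are taken from the thread; the tcpdump output below is constructed for illustration and assumes the classic `src > dst:` line format.

```shell
#!/bin/sh
# Added example, not from the original thread.  Checks a capture of the
# external interface for private-network addresses in cleartext.
# Names assumed from the thread: ext_if fxp1, gateways 192.168.1.37 and
# 192.168.1.226, private nets 10.1.1.0/24 and 192.168.2.0/24.

EXT_IF=fxp1
PRIVATE_NETS='10.1.1. 192.168.2.'    # /24 prefixes in dotted form

# list_leaks: read "tcpdump -n -i $EXT_IF -l" lines on stdin and print
# every line that names an address inside one of the private networks.
# ESP and isakmp lines carry only the two gateway addresses, so any
# line matched here is a packet that bypassed the IPsec tunnel.
list_leaks() {
    awk -v nets="$PRIVATE_NETS" '
        BEGIN { n = split(nets, prefix, " ") }
        {
            for (i = 1; i <= n; i++) {
                # addresses are preceded by a space in tcpdump output
                if (index($0, " " prefix[i]) > 0) { print; break }
            }
        }'
}

# count_leaks: number of leaking packets (0 when the tunnel is the only
# path into the private networks).
count_leaks() {
    list_leaks | awk 'END { print NR }'
}

# check_no_leaks: exit status 0 when the capture on stdin is clean.
check_no_leaks() {
    [ "$(count_leaks)" -eq 0 ]
}

# Constructed capture: one ESP packet, one isakmp packet, and the
# cleartext ping (and its reply) that a host on 192.168.1.0/24 with a
# static route through the gateway would produce.
SAMPLE_CAPTURE='12:00:00.000001 192.168.1.37 > 192.168.1.226: ESP(spi=0x00001001,seq=0x12)
12:00:00.000002 192.168.1.226.isakmp > 192.168.1.37.isakmp: isakmp: phase 2/others ? inf[E]: [encrypted hash]
12:00:00.000003 192.168.1.50 > 192.168.2.50: icmp: echo request
12:00:00.000004 192.168.2.50 > 192.168.1.50: icmp: echo reply'

# demo_leaks: run the check over the constructed capture.
demo_leaks() {
    printf '%s\n' "$SAMPLE_CAPTURE" | count_leaks
}

# Live use on the gateway (root, bounded capture):
#   tcpdump -n -i "$EXT_IF" -c 500 -l | list_leaks
```

Run the live form on the gateway while the laptop with the static route pings a host behind it: with the quoted behaviour the echo request and reply show up in the list; once the external interface passes only ESP and isakmp between the gateway addresses, the ping fails and the list stays empty.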
