FYI The solution here is not gif(4)... this is a blind alley. [gif(4) is really a v6-over-v4 tunnelling solution that just so happens to handle v4-over-v4 as well. It is not very interoperable with commercial kit, or even other *BSD/Linux systems.]

The solution is the gre(4) device. All the *BSDs share the same NetBSD implementation of gre(4). This supports GREv2 and IPIP (RFC 2004 I think) tunnelling. GRE is the default for Cisco and is also supported by Microsoft RRAS; Microsoft also supports IPIP, and a quick check of the Cisco IOS 12.2 here suggests that Cisco does also. Both are supported by Linux, *BSD generally and stuff like FW-1.

I have been using both systems for some years for VPN building, as they allow a routing protocol across the VPN and provide an interface against which to statically route and apply firewall rules. Of course, these are simply tunnelling protocols - you have to use IPsec transport mode to secure the traffic in the tunnel.

Implementing this in m0n0 is a snip (in fact I think that I could have working prototype code in a few days).

There is a down-side (no free lunch here): when using this type of tunnelling it is necessary to ensure that packets spoofing either the addresses at the remote site and/or the remote tunnel endpoint cannot get onto the box, by use of suitable filters. I have a standard set of Cisco ACLs that I use to do this and I should be able to adapt these for m0n0wall.

Incidentally, the 4.x FreeBSD implementation of gre(4) is old as the hills (in fact 4.x FreeBSD is beginning to disappoint in many areas - don't get me onto the completely useless bridging system!). The later version on NetBSD/OpenBSD supports auto tunnelling to a web cache server using the Cisco WCCPv1 protocol (derived from GRE) - this is supported by Squid - and makes a nice way of providing integrated content filtering using m0n0 as the firewall frontend.

Whadya think guys? Manuel?
On Friday 28 January 2005 03:10, Chris Buechler wrote:
> On Thu, 27 Jan 2005 21:25:28 +0100, Manuel Kasper <mk at neon1 dot net> wrote:
> > I haven't looked into using gif interfaces in conjunction with IPsec
> > tunnels, but if anyone can propose a secure (resistant to spoofing)
> > and interoperable (with other IPsec implementations) solution, that
> > would be very interesting.
>
> From my past experience with gif interfaces, interoperability presents
> a huge problem. They have worked great between two FreeBSD boxes for
> me in the past, but haven't worked at all with other (commercial)
> IPsec devices. m0n0wall's current IPsec is interoperable with pretty
> much anything that does standard IPsec.
>
> -Chris

--
Peter Curran
Close Consultants
Leveraging Internet Technology for Businesses
p: +44-1225-463700 f: +44-1225-463705
e: peter at closeconsultants dot com
sip: peter at closeconsultants dot com
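The anti-spoofing filtering Peter says a GRE-over-IPsec-transport tunnel needs, written up as an added example (not code from the post, from m0n0wall or from Cisco): a small Python model of a stateless rule set that drops packets claiming a site address or the tunnel endpoints from the wrong place, and only admits GRE from the peer once it has come through ESP transport mode. All addresses are constructed documentation ranges, and the `via_ipsec` flag is an assumed marker for "this packet was unwrapped from ESP", which a real filter would get from its IPsec integration.

```python
# Added example: model of the anti-spoofing ACL for a GRE-over-IPsec tunnel.
# Not m0n0wall code; all addresses below are constructed documentation ranges.
import ipaddress
from dataclasses import dataclass
from typing import Tuple

GRE, ESP = 47, 50
LOCAL_ENDPOINT = ipaddress.ip_address("192.0.2.1")      # constructed: our tunnel endpoint
REMOTE_ENDPOINT = ipaddress.ip_address("198.51.100.1")  # constructed: peer tunnel endpoint
LOCAL_SITE = ipaddress.ip_network("10.1.0.0/16")        # constructed: networks behind us
REMOTE_SITE = ipaddress.ip_network("10.2.0.0/16")       # constructed: networks behind the peer

@dataclass
class Packet:
    iface: str               # where the packet is seen: "wan", "lan" or "gre0"
    src: str
    dst: str
    proto: int = 6
    via_ipsec: bool = False  # assumption: True once unwrapped from ESP transport mode

def verdict(pkt: Packet) -> Tuple[str, str]:
    """Return ("pass"|"drop", reason) for one packet, like a stateless ACL would."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "wan":
        # Nothing from the Internet may claim a site address on either side of the
        # tunnel, nor our own endpoint address (classic ingress anti-spoofing).
        if src in LOCAL_SITE or src in REMOTE_SITE:
            return "drop", "site address spoofed on wan"
        if src == LOCAL_ENDPOINT:
            return "drop", "our own endpoint address spoofed on wan"
        peer_to_us = src == REMOTE_ENDPOINT and dst == LOCAL_ENDPOINT
        if pkt.proto == ESP:
            return ("pass", "esp from peer") if peer_to_us else ("drop", "esp from non-peer")
        if pkt.proto == GRE:
            if not peer_to_us:
                return "drop", "gre from non-peer endpoint"
            if not pkt.via_ipsec:   # cleartext GRE would bypass the IPsec protection
                return "drop", "cleartext gre, not inside transport-mode ipsec"
            return "pass", "gre from peer inside ipsec"
        return "drop", "default deny (ordinary Internet traffic is not modelled here)"
    if pkt.iface == "gre0":
        # Decapsulated inner packets: source must be the remote site, destination ours.
        if src not in REMOTE_SITE:
            return "drop", "inner source is not the remote site"
        if dst not in LOCAL_SITE:
            return "drop", "inner destination is not the local site"
        return "pass", "remote site to local site"
    if pkt.iface == "lan":
        return ("pass", "local site") if src in LOCAL_SITE else ("drop", "lan source spoofed")
    return "drop", "unknown interface"
```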