 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  Thorsten dot Ziep at web dot de
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DHCP over IPSec
 Date:  Thu, 19 May 2005 11:30:07 +0200
Hello Thorsten!

On Thursday, 19.05.2005, 07:23 +0200, Thorsten Ziep wrote:
> I was trying to set up an IPSec connection to my home office (road 
> warrior scenario, using DynDNS) using M0n0wall at the one side and the 
> Sentinel Client (the free one, OS W2k) on the mobile side. While 
> establishing the tunnel works pretty fine within only a few minutes of 
> work (congratulations to the programmers for the famous GUI), trying to 
> use DHCP over IPsec does not work. Currently I am using M0n0wall vers. 
> 1.1, so here are my questions:

OK. I've looked a little bit into it. The cause of your problem: since
m0n0wall doesn't support its own interface for IPSEC traffic, you won't
be able to bind the needed dhcprelay server to it (you don't want to
have a dhcprelay on your WAN interface, do you?). You aren't even able
to bind any traffic or filter rules to IPSEC, because there is no
interface to work with. Manuel said that the use of the gif interface
(see [1] for English or [2] for German) would be possible, but
(see [3]):

----< schnipp >----
The problem with filtering IPsec traffic is not that the decrypted
packets don't pass through ipfilter - they can be made to do that.
Actually, if IPSEC_FILTERGIF is set in the kernel config, IPsec
tunnel traffic passes through the filter twice - once when it comes
in as ESP packets (where it doesn't make much sense to filter yet
though), and again as decrypted packets on the same interface
(usually WAN). Unfortunately, AFAIK there's no way to distinguish
between successfully decrypted ESP packets and regular unencrypted
packets once they hit ipfilter, so you might actually permit
undesirable unencrypted packets as well. This is the reason why
IPSEC_FILTERGIF is not set in m0n0wall kernels.
----< schnapp >----

Furthermore, Manuel isn't very convinced about IPSEC and racoon (see [4]):

----< schnipp >----
I'd prefer to get rid of that nasty, ugly, kludgy IPsec + IKE (did I 
mention that racoon sucks? ;) shit anyway - causes more headaches than 
it is worth. Too bad it's the de-facto industry standard.
----< schnapp >----

So wait for the changes being discussed after 1.2 is out.

Ciao ...
	... PIT ...

[1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
[2] http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/ipsec.html
[3] http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=130&actionargs[]=49
[4] http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=11&actionargs[]=77

 copyleft(c) by |   _-_     Dijkstra probably hates me.  -- Linus
 Peter Allgeyer | 0(o_o)0   Torvalds, in kernel/sched.c