PF + gif + ipsec + racoon + routing problems results in insecure

Board: FB_security, posted 2013/05/17 09:32
Hi everyone,

I wrote up a post on the FreeBSD forums about the issue I am having. It's rather long so I am providing a link to it here: http://forums.freebsd.org/showthread.php?t=39595

In summary, it seems that when the packets are routed into the gateway from local network hosts, the src and dst addresses are changed to the public IPs of the tunnel -- at least from the perspective of the ipsec stack. This is breaking the ESP encryption in certain cases. I found a workaround, but it is not what is documented in the handbook.

In short, if you set up a vpn per the FreeBSD Handbook article that I mention in my post, you are left with a most-insecure vpn which you believe is secure. Traffic is only secure *between* the two gateways, but *not* between hosts behind those gateways (i.e. private hosts at either site).

(I apologize in advance if I'm breaking a mailing list rule by pointing you all to the forum URL -- I'm somewhat new to the list).

Thanks,
Daniel

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
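The failure mode Daniel describes, a security policy that only matches the two gateway addresses, so host-to-host traffic behind the gateways is forwarded in cleartext, can be caught by auditing the SPD before trusting the tunnel. The following checker is an added example and is not code from the post, the FreeBSD Handbook, or the racoon/setkey projects. It parses a simplified subset of the `setkey` `spdadd` grammar, uses first-match lookup (a simplification of the kernel's real SPD selection, stated here as an assumption), and runs against two constructed policy sets using RFC 5737 documentation addresses: one keyed only on the public gateway IPs, and one keyed on the private subnets at each site.

```python
"""Audit a setkey-style IPsec SPD for site-to-site (subnet-to-subnet) coverage.

Added example; not part of the original mailing list post or the FreeBSD
Handbook. Grammar subset, addresses and first-match lookup are assumptions.
"""
import ipaddress
import re

# One "spdadd <src> <dst> <upperspec> -P <dir> <policy>;" line.
# A port suffix such as "10.0.1.0/24[any]" is tolerated and ignored.
_SPDADD = re.compile(
    r"^spdadd\s+(?P<src>\S+?)(?:\[[^\]]*\])?\s+(?P<dst>\S+?)(?:\[[^\]]*\])?"
    r"\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>[^;]+);\s*$"
)


def parse_spd(text):
    """Parse spdadd lines into an ordered list of policy dicts."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPDADD.match(line)
        if not m:
            raise ValueError(f"unrecognised SPD line: {line}")
        tokens = m["policy"].split()
        entry = {
            "src": ipaddress.ip_network(m["src"], strict=False),
            "dst": ipaddress.ip_network(m["dst"], strict=False),
            "dir": m["dir"],
            "action": tokens[0],  # ipsec | none | discard
            "rules": [],
        }
        # An "ipsec" policy carries one or more proto/mode/endpoints/level rules,
        # e.g. esp/tunnel/203.0.113.1-198.51.100.1/require
        for rule in tokens[1:]:
            proto, mode, endpoints, level = rule.split("/")
            entry["rules"].append(
                {"proto": proto, "mode": mode, "endpoints": endpoints, "level": level}
            )
        policies.append(entry)
    return policies


def lookup(policies, src_ip, dst_ip, direction):
    """Return the first policy whose selectors match the flow (assumed first-match)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]:
            return p
    return None


def classify_flow(policies, src_ip, dst_ip, direction):
    """Classify a flow as protected, weak, discard or cleartext."""
    p = lookup(policies, src_ip, dst_ip, direction)
    if p is None or p["action"] == "none":
        return "cleartext"          # no policy, or explicit bypass
    if p["action"] == "discard":
        return "discard"
    if any(r["proto"] == "esp" and r["level"] == "require" for r in p["rules"]):
        return "protected"          # ESP is mandatory for this flow
    return "weak"                   # ipsec policy, but ESP not required


def audit_site_to_site(spd_text, local_net, remote_net):
    """Return a list of gaps for one representative host pair, both directions.

    An empty list means a host behind each gateway reaches the other site only
    with ESP required in both the outbound and inbound direction.
    """
    policies = parse_spd(spd_text)
    local = next(ipaddress.ip_network(local_net).hosts())
    remote = next(ipaddress.ip_network(remote_net).hosts())
    gaps = []
    for direction, src, dst in (("out", local, remote), ("in", remote, local)):
        verdict = classify_flow(policies, src, dst, direction)
        if verdict != "protected":
            gaps.append(f"{direction}: {src} -> {dst} is {verdict}")
    return gaps


# Constructed sample SPDs (RFC 5737 documentation addresses, not real sites).
GATEWAY_ONLY_SPD = """
# policy keyed on the two public gateway addresses only
spdadd 203.0.113.1 198.51.100.1 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 198.51.100.1 203.0.113.1 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

SUBNET_SPD = """
# policy keyed on the private subnets behind each gateway
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

if __name__ == "__main__":
    for name, spd in (("gateway-only", GATEWAY_ONLY_SPD), ("subnet", SUBNET_SPD)):
        print(name, audit_site_to_site(spd, "10.0.1.0/24", "10.0.2.0/24") or "OK")
```

Against the gateway-only policy the audit reports both directions of the 10.0.1.x to 10.0.2.x flow as cleartext, which is exactly the "secure between gateways but not between hosts" condition from the post; the subnet-keyed policy reports no gaps. In practice the input would be the output of `setkey -DP` on the gateway rather than a literal string, and a reasonable second check is a packet capture on the outside interface confirming that host-to-host traffic leaves only as ESP.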
Article ID (AID): #1HbOYID- (FB_security)