Windows XP, IPSec & Routing


chicha
December 14th 03, 02:40 AM
Hello All,

I'd like to use IPSec to encrypt all the traffic in a given subnet.
Let's call this subnet CryptedNet.

I'm trying to write the correct policies to use IPSec according to the
following rules:

a) Communication between each computer in CryptedNet must use IPSec.
b) Communication between computers inside CryptedNet and computers
outside CryptedNet must be routed via a gateway; communication between
the computer and the gateway must use IPSec. In any case, the gateway is
part of CryptedNet.

The authentication between computers is done with certificates.

I have written 2 separate policies, one for a) and one for b).
When I try to use each of these policies separately, it does almost
what I expect.

The policy for a) is running quite well: when I ping a computer in
CryptedNet from another one in the same subnet, the IP security is
negotiated and finally used between the 2 computers (checked with tcpdump).

The policy for b) is also running but one thing is disturbing me. When I
ping a computer outside CryptedNet from a computer inside CryptedNet (or
the reverse), IP security is negotiated and used. The problem is when I
try to ping a computer in CryptedNet from another one also in
CryptedNet: the ICMP packet is sent inside an ESP packet to my gateway. I would
not expect the traffic between computers in CryptedNet to pass through my
gateway.

If I merge the policies for a) and b), I get the same behaviour as
before: all the traffic from a computer in CryptedNet to another one
in CryptedNet tries to pass through the gateway.

What have I done wrong?

Here is my configuration:

CryptedNet is 192.168.129.192/26
Gateway is 192.168.129.222

On a given computer (here 192.168.129.253) in CryptedNet, the routing
table is as follows. It is the same for all the computers in CryptedNet
except the gateway.
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 58 d9 1b ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway          Interface        Metric
0.0.0.0                    0.0.0.0          192.168.129.222  192.168.129.253
127.0.0.0                  255.0.0.0        127.0.0.1        127.0.0.1
192.168.129.192            255.255.255.192  192.168.129.253  192.168.129.253
192.168.129.253            255.255.255.255  127.0.0.1        127.0.0.1
192.168.129.255            255.255.255.255  192.168.129.253  192.168.129.253
224.0.0.0                  240.0.0.0        192.168.129.253  192.168.129.253
255.255.255.255            255.255.255.255  192.168.129.253  192.168.129.253
Default Gateway:           192.168.129.222
===========================================================================
Persistent Routes:
None

The policy to encrypt the traffic between each computer in CryptedNet is

ipseccmd -w REG -p PolicyA -r localhost2localsubnet
-f 0+192.168.129.192/255.255.255.192
-n ESP[MD5,3DES]3600S/50000KPFS
-a CERT:"SomethingCorrect" -lan -1p

The one to encrypt the traffic between computers in CryptedNet and the
gateway is (for the computer 192.168.129.253)

ipseccmd -w REG -p PolicyB -r localhost2gw -t 192.168.129.222
-f 192.168.129.253/32=*
-n ESP[MD5,3DES]3600S/50000KPFS
-a CERT:"SomethingCorrect" -lan -1p
ipseccmd -w REG -p PolicyB -r gw2localhost -t 192.168.129.253
-f *=192.168.129.253/32 -n ESP[MD5,3DES]3600S/50000KPFS
-a CERT:"SomethingCorrect" -lan -1p

My final policy should be something like

ipseccmd -w REG -p FinalPolicy -r localhost2localsubnet
-f 0+192.168.129.192/255.255.255.192
-n ESP[MD5,3DES]3600S/50000KPFS
-a CERT:"SomethingCorrect" -lan -1p

ipseccmd -w REG -p FinalPolicy -r localhost2gw -t 192.168.129.222
-f 192.168.129.253/32=*
-n ESP[MD5,3DES]3600S/50000KPFS
-a CERT:"SomethingCorrect" -lan -1p

ipseccmd -w REG -p FinalPolicy -r gw2localhost -t 192.168.129.253
-f *=192.168.129.253/32 -n ESP[MD5,3DES]3600S/50000KPFS
-a CERT:"SomethingCorrect" -lan -1p



Any idea?
Thanks,
François
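The three `-f` filters in the post overlap: `192.168.129.253/32=*` covers every destination, including the hosts in 192.168.129.192/26 that `0+192.168.129.192/255.255.255.192` is meant to handle, so intra-subnet traffic matches both the transport rule and the tunnel-to-gateway rule. The script below is an added example, not code from the post or from Microsoft's ipseccmd tool: it parses the filter specs exactly as typed on the ipseccmd lines (`0` = my address, `*` = any, `+` = mirrored, `=` = one-way) and lists, for a few constructed source/destination pairs, which rules match. It ranks matches by a simple prefix-length specificity heuristic; that heuristic, the sample addresses other than the ones in the post, and the assumption that only the three rules shown are loaded are all assumptions of this example, and it does not model how Windows XP actually orders tunnel versus transport rules.

```python
"""Check which ipseccmd filters overlap for a given packet (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Host whose policy is being examined, taken from the post ("0" in a filter means this address).
MY_ADDRESS = "192.168.129.253"


@dataclass(frozen=True)
class Rule:
    policy: str
    name: str
    filter_spec: str                       # the -f argument as typed on the ipseccmd line
    tunnel_endpoint: Optional[str] = None  # the -t argument; None means transport mode


# The three rules from the post's FinalPolicy, transcribed verbatim.
RULES = [
    Rule("FinalPolicy", "localhost2localsubnet", "0+192.168.129.192/255.255.255.192"),
    Rule("FinalPolicy", "localhost2gw", "192.168.129.253/32=*", "192.168.129.222"),
    Rule("FinalPolicy", "gw2localhost", "*=192.168.129.253/32", "192.168.129.253"),
]


def parse_endpoint(token: str, my_address: str) -> ipaddress.IPv4Network:
    """One side of an ipseccmd filter: '0' = my address, '*' = any, else a.b.c.d[/mask]."""
    if token == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    if token == "0":
        return ipaddress.ip_network(f"{my_address}/32")
    # ipaddress accepts both prefix lengths ("/32") and dotted masks ("/255.255.255.192").
    return ipaddress.ip_network(token, strict=False)


def parse_filter(spec: str, my_address: str):
    """Split 'src+dst' (mirrored) or 'src=dst' (one-way) into (src_net, dst_net, mirrored)."""
    for sep, mirrored in (("+", True), ("=", False)):
        if sep in spec:
            src, dst = spec.split(sep, 1)
            return parse_endpoint(src, my_address), parse_endpoint(dst, my_address), mirrored
    raise ValueError(f"no '+' or '=' in filter spec {spec!r}")


def specificity(src_net: ipaddress.IPv4Network, dst_net: ipaddress.IPv4Network) -> int:
    """Heuristic weight (assumption of this example): longer prefixes are more specific."""
    return src_net.prefixlen + dst_net.prefixlen


def matching_rules(rules: List[Rule], src: str, dst: str, my_address: str) -> List[Tuple[str, int]]:
    """Return (rule name, specificity) for every rule whose filter covers src -> dst,
    most specific first. A mirrored filter also matches the reverse direction."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for rule in rules:
        src_net, dst_net, mirrored = parse_filter(rule.filter_spec, my_address)
        forward = src_ip in src_net and dst_ip in dst_net
        reverse = mirrored and src_ip in dst_net and dst_ip in src_net
        if forward or reverse:
            hits.append((rule.name, specificity(src_net, dst_net)))
    hits.sort(key=lambda hit: -hit[1])
    return hits


if __name__ == "__main__":
    # Constructed sample flows: 192.168.129.200 is an assumed CryptedNet host,
    # 10.0.0.5 an assumed host outside CryptedNet.
    samples = [
        ("192.168.129.253", "192.168.129.200"),  # intra-subnet, outbound
        ("192.168.129.200", "192.168.129.253"),  # intra-subnet, inbound
        ("192.168.129.253", "10.0.0.5"),         # to outside CryptedNet
        ("10.0.0.5", "192.168.129.253"),         # from outside CryptedNet
    ]
    for src, dst in samples:
        hits = matching_rules(RULES, src, dst, MY_ADDRESS)
        flag = "  <-- more than one rule covers this flow" if len(hits) > 1 else ""
        print(f"{src:>16} -> {dst:<16} {hits}{flag}")
```

Running it shows that both intra-subnet flows are covered by two rules at once (the /26 transport rule and the `*` tunnel rule), while flows to and from outside CryptedNet are covered by exactly one; that overlap is the place to look when subnet-local pings turn up inside ESP to the gateway.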
