From: Primero <primero@fastwebnet.it>
To: netfilter@lists.netfilter.org
Subject: Re: Ipsec/l2tp
Date: Sat, 03 Jul 2004 13:46:01 +0200
Message-ID: <opsaj8azll5vdmd8@smtp.fastwebnet.it>
In-Reply-To: <200407031213.33996.Antony@Soft-Solutions.co.uk>
>
> I hope someone else here can now fill in some useful details for you, given
> that you're using 2.6.6
>
> Regards,
>
> Antony.
>
I'm not an expert, but AFAIK, and because it works using this way, I think
that in 2.6 the process is very similar.
In the 2.6 ipsec implementation there is no virtual interface, like ipsec0 or
anything else, but the packets, both encrypted and unencrypted, come from
the same interface, for example eth0. They traverse netfilter two times,
like in 2.4: they get the first time to the INPUT chain, and if accepted they
traverse netfilter again in the normal process.
The reason I mark my packets at STEP 1 when they come in encrypted is
because I needed a way to identify packets that arrived ENCRYPTED, got
decrypted and accepted by ipsec, and that are traversing netfilter for
the second time.
This way I can be sure that I handle only packets that have been accepted
by ipsec, and I can feel good :)
For example, I use ipsec for my WIFI lan and I have this kind of rules:
1) MANGLE/PREROUTING for packets arriving in esp protocol
iptables -t mangle -A PREROUTING -s $MY_WIFI_HOSTS -i $MY_WIFI_INTERFACE -p esp -j MARK --set-mark 10
2) INPUT for packets arriving in esp protocol
iptables -A INPUT -p esp -j ACCEPT
Now IPSEC will authenticate and eventually accept the packets.
3) INPUT and FORWARD for previously authenticated packets
iptables -A FORWARD -m mark --mark 10 -j MY_FORWARD_CHAIN
iptables -A INPUT -m mark --mark 10 -j MY_INPUT_CHAIN
bye
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
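The three-step mark scheme from the message above, packaged as a firewall-script fragment. This is an added example, not the poster's own script: the WiFi subnet, interface name, mark value and the two per-site chain names (WIFI_INPUT, WIFI_FORWARD) are assumed placeholders, and the render_rules and rules_in_order helpers exist only to preview the rule set and sanity-check its order without loading anything. Run it with the argument `apply` (as root, with IPT left at its iptables default) to load the rules.

```shell
#!/bin/sh
# Added example: the poster's mark-based IPsec filtering as a firewall
# fragment. Every name below is an assumed placeholder, not from the message.

: "${IPT:=iptables}"                 # set IPT=echo to preview instead of load
: "${WIFI_HOSTS:=192.168.10.0/24}"   # constructed sample WiFi subnet
: "${WIFI_IF:=wlan0}"                # constructed sample WiFi interface
: "${IPSEC_MARK:=10}"                # fwmark that survives decryption

# The rules, in the order the message describes. Order matters:
#  1) the mark is set in mangle PREROUTING, before INPUT sees the ESP packet;
#  2) INPUT accepts raw ESP so the IPsec stack can authenticate and decrypt;
#  3) the decrypted clear-text packet re-enters netfilter still carrying the
#     mark, so only traffic IPsec accepted reaches the per-site chains.
ipsec_mark_rules() {
    $IPT -N WIFI_INPUT 2>/dev/null || true     # per-site chains, created once
    $IPT -N WIFI_FORWARD 2>/dev/null || true

    $IPT -t mangle -A PREROUTING -s "$WIFI_HOSTS" -i "$WIFI_IF" -p esp \
        -j MARK --set-mark "$IPSEC_MARK"

    $IPT -A INPUT -p esp -j ACCEPT

    $IPT -A INPUT   -m mark --mark "$IPSEC_MARK" -j WIFI_INPUT
    $IPT -A FORWARD -m mark --mark "$IPSEC_MARK" -j WIFI_FORWARD
    # Unmarked (never-encrypted) packets from the same hosts fall through to
    # the chain policy, which this scheme assumes is DROP.
}

# Preview: print the rules instead of loading them. Runs in a subshell so the
# IPT override does not leak into the caller's environment.
render_rules() {
    ( IPT=echo; ipsec_mark_rules )
}

# Sanity check on the rendered rule set: the mark must be set before ESP is
# accepted into the IPsec stack, and both must precede any rule matching it.
rules_in_order() {
    rendered=$(render_rules)
    set_line=$(printf '%s\n' "$rendered" | grep -n -- '--set-mark' | cut -d: -f1)
    esp_line=$(printf '%s\n' "$rendered" | grep -n -- '-p esp -j ACCEPT' | cut -d: -f1)
    use_line=$(printf '%s\n' "$rendered" | grep -n -- '-m mark --mark' | head -n 1 | cut -d: -f1)
    [ -n "$set_line" ] && [ -n "$esp_line" ] && [ -n "$use_line" ] &&
        [ "$set_line" -lt "$esp_line" ] && [ "$esp_line" -lt "$use_line" ]
}

case "${1:-preview}" in
    apply) ipsec_mark_rules ;;
    *)     render_rules ;;
esac
```

The whole scheme rests on two things worth checking on a real box: the INPUT and FORWARD policies (or a trailing rule) must drop unmarked traffic from the WiFi hosts, otherwise clear-text packets bypass the per-site chains; and nothing else in mangle may reuse mark value 10. Kernels newer than the 2.6.6 discussed here also ship the xt_policy match, so `-m policy --dir in --pol ipsec` can select decrypted packets directly without carrying a mark across decryption.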