On Mon, Mar 04, 2002 at 06:15:16PM -0700, Dalin S. Owen wrote:
>
> I have IPsec running between two FreeBSD machines (over an 802.11b link),
> they are manually keyed (not using an IKE daemon). First question, is it
> more secure to use an IKE? I mean, doesn't it rotate keys, instead of just
> using static ones? And if I use an IKE, can those generated keys be sniffed,
> or are they encrypted with the last key?

Don't worry. Keys don't go over the network in the clear. It would
kind of break the whole system wouldn't it.

> Now, another issue. I have the following rules on each machine with ipfw (I
> am only going to show the relevant ones for simplicity):
>
> #nat box (I have a seperate interface for the 802.11 AP)
> ipfw add 10 allow esp from any to any via dc1
> #this stops anyone from using my AP
> ipfw add 20 deny ip from any to any via dc1
>
> #workstation
> ipfw add 10 allow esp from any to any
>
> Now, everything works fine. But I would like to be able to firewall the
> packets *after* they are translated by IPSec (ESP) with IPFW? How would I
> do that? They seem to only pass into IPFW once, not twice.. Can you run IPF
> with IPFW to do it, and in that case which firewalling system gets matched
> first?

Yep. They go through ipfw(8) once. If you run ipf(8), they go through
ipf(8) then ipfw(8)... once.

-- 
Crist J. Clark                     |     cjclarkalum.mit.edu
                                   |     cjclarkjhu.edu
http://people.freebsd.org/~cjc/    |     cjcfreebsd.org
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]