Re: [fw-wiz] Pass-through VPN

From: Patrick M. Hausen
Date: 10/25/04
To: "Hughes, Chris"
Date: Mon, 25 Oct 2004 22:53:03 +0200 (CEST)

  • Next message: Catalina Scott Contr AFCA/EVEO: "RE: [fw-wiz] Pass-through VPN"


    > > Inbound traffic normally requires an access-list or conduit statement to
    > > allow it to pass.
    > >
    > > But by using the sysopt connection permit-ipsec command, the inbound
    > > ipsec traffic bypasses all access-lists and conduits.
    > >
    > > Since you can't block inbound traffic on the internal interface as you
    > > can with a Cisco router, the traffic cannot be filtered at this point.
    > >
    > > To lock this traffic down, use ACLs without using the sysopt command.

    > What would those ACLs look like? Allow udp ports 500 and 4500?

    No, no no ... :-)

    The point of the "sysopt connection permit-ipsec" command is to
    pass all traffic that is _in_ the VPN tunnel unchecked by ACLs.
    The externally visible ESP packets are of course always accepted.
    Same for IKE and everything else that is necessary for a successful
    IPSec connection.

    If the sysopt command is active, after establishing a VPN tunnel
    by e.g. an external software client, this client can tunnel
    _arbitrary_ IP traffic to the internal LAN. Browse the network
    neighborhood in a Windows environment etc. pp.

    There may be scenarios when you don't want that. I have one client
    that wants to give external users access to a cluster of Citrix
    terminal servers, but nothing else. So this customer has the
    "sysopt ... permit-ipsec" disabled.
    Now the IPSec tunnel is still established without any additional
    rules, the PIX does IKE just the same way, ... only _after_ the
    tunnel is established the client can't pass traffic through
    it. Unless you create additional access rules that state e.g.

    Permit External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA

    Disabling the sysopt command gives you finer control of what is
    allowed _through_ IPSec connections, not control of the connections.

    Hope that helps,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    -- GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe
    firewall-wizards mailing list
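The following PIX 6.x configuration fragment is an added illustration of the two settings Patrick contrasts above; it is not part of the original message or of any Cisco documentation. The ACL name, the VPN client address pool (10.200.0.0/24) and the Citrix cluster subnet (192.168.10.0/24) are placeholders; TCP/1494 is the well-known Citrix ICA port. The lines starting with "!" are annotations for the reader rather than commands to paste.

```cisco
! --- Permissive setting (the default many people leave in place) ---
! Once the tunnel is up, every packet arriving inside it skips the
! outside interface ACL entirely: the client can reach anything on the LAN.
sysopt connection permit-ipsec

! --- Restricted setting (what the Citrix-only customer runs) ---
! IKE and ESP from the client are still accepted implicitly; the tunnel
! still establishes. Only the decrypted traffic is now subject to the ACL.
no sysopt connection permit-ipsec

! Address pool handed out to the external software clients.
ip local pool vpnpool 10.200.0.1-10.200.0.254

! Keep LAN <-> client traffic out of NAT (usual companion setting).
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! The one rule the post describes:
!   External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA
! Everything else the client tunnels is dropped by the implicit deny.
access-list outside_in permit tcp 10.200.0.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 1494
access-group outside_in in interface outside
```

With the bypass disabled, decrypted tunnel traffic is evaluated against the ACL bound to the interface the tunnel terminates on, so the same "outside_in" list that protects the firewall from the Internet also governs what VPN users may reach. Adding a rule per service (and nothing broader than needed) is what gives the "finer control" the post refers to; a rule permitting "ip" from the pool to the whole LAN would be equivalent to leaving the sysopt bypass on.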
