[squid-users] Transparent Squid proxy through IPSec

From: Edwin Pauli <edwin@dont-contact.us>
Date: Sun, 26 Jun 2005 19:49:37 +0200

Hi,

I'm running Squid 2.4 on a FreeBSD machine.
Two days ago I configured IPsec for my wireless LAN, so I have a wired LAN
and a secure wireless LAN.

Squid runs on the wired LAN as a transparent proxy. The clients on the network
are always redirected through the proxy, even if they have no proxy server
configured. It works great.

The configuration for ipnat (to redirect HTTP traffic through Squid) is:

rdr sis0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

sis0 = wired LAN interface on FreeBSD server.

I want to configure this for the wireless LAN as well, but I think it's a problem
because the wireless LAN is secured by IPsec. The IP header and body are
encrypted with AH and ESP.

When I run tcpdump on the unsecured (no IPsec) wired LAN, I see this:

19:43:04.275456 PIV-2400.epauli.dyndns.org.36704 > www.xs4all.nl.http: F 2306:2306(0) ack 25327 win 14060 <nop,nop,timestamp 25426808 442068678> (DF)
19:43:04.275479 www.xs4all.nl.http > PIV-2400.epauli.dyndns.org.36704: . ack 2307 win 65535 <nop,nop,timestamp 442068680 25426808> (DF)

ipnat (I use that for redirecting HTTP traffic on port 80 through Squid) can
handle that traffic, because the source and destination addresses and port
numbers are visible.

When I run tcpdump on the secured connection, the only thing I can see is
ESP-encrypted traffic with the source and destination IPv4 addresses and no
port numbers.

19:41:35.457404 192.168.2.3 > 192.168.2.1: AH(spi=0x04572f8e,seq=0xc3a0): ESP(spi=0x06211586,seq=0xc3a0) (DF)
19:41:35.465699 192.168.2.1 > 192.168.2.3: AH(spi=0x0eda8b37,seq=0x164bc): ESP(spi=0x077870a2,seq=0x164bc)
19:41:35.468010 192.168.2.3 > 192.168.2.1: AH(spi=0x04572f8e,seq=0xc3a1): ESP(spi=0x06211586,seq=0xc3a1) (DF)
19:41:35.475919 192.168.2.1 > 192.168.2.3: AH(spi=0x0eda8b37,seq=0x164bd): ESP(spi=0x077870a2,seq=0x164bd)

I think it's not possible to transparently redirect traffic to Squid when IPsec
is used, because no traffic data is available.
True or not true?

Can someone tell me how I can redirect traffic through Squid on an IPsec-secured
(wireless) LAN?

Thanks!

-- 
Edwin Pauli
Received on Sun Jun 26 2005 - 11:49:41 MDT
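
The following is an added example, not part of the original post or of Squid, ipnat or FreeBSD. It builds the packet layout the tcpdump output above shows and makes the poster's observation concrete: a port-based redirect rule run against the packet as it appears on the wireless LAN sees only IP protocol 50 (ESP) and an SPI, while the same rule run against the packet after ESP decapsulation sees the TCP header and destination port 80 again. Assumptions: tunnel-mode ESP between the client (192.168.2.3) and the gateway (192.168.2.1), since the post shows those two addresses as the outer endpoints and the mode is not stated; AH is left out because ESP alone suffices for the point; the cipher and integrity check are stand-ins (a hash-counter keystream and truncated HMAC-SHA256), not real ESP transforms; the web server address 198.51.100.10, the request bytes and the keys are constructed. The SPI 0x06211586 and sequence number 0xc3a0 are taken from the post's tcpdump lines.

```python
import hashlib
import hmac
import os
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_IPIP = 4          # ESP "next header" value for a tunnelled IPv4 packet
ICV_LEN = 12              # truncated ICV, in the style of the *-96 ESP auth transforms


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header; checksum stays zero because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst))


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:total]}


def tcp_header(sport, dport, flags=0x18, win=14060):
    # 20-byte TCP header without options; seq/ack/checksum are zero for the demonstration.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, win, 0, 0)


def rdr_match(pkt, dport=80):
    """Mimic an ipnat 'rdr ... port 80 ... tcp' decision: only the IP header and an
    unencrypted TCP header directly behind it can be inspected."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP:
        return None                       # ESP (proto 50): there is no TCP header to read
    sport, dst_port = struct.unpack("!HH", ip["payload"][:4])
    return (ip["src"], sport, ip["dst"], dst_port) if dst_port == dport else None


def keystream(key, iv, n):
    # Stand-in for the ESP cipher (real ESP uses e.g. AES-CBC): hash-counter keystream.
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_tunnel_encapsulate(inner_pkt, outer_src, outer_dst, spi, seq, enc_key, auth_key):
    """Tunnel-mode ESP: outer IP | SPI | seq | IV | enc(inner IP pkt | pad | padlen | next) | ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                # keep the trailer 4-byte aligned
    plain = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    iv = os.urandom(8)
    body = struct.pack("!II", spi, seq) + iv + xor(plain, keystream(enc_key, iv, len(plain)))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def esp_tunnel_decapsulate(outer_pkt, enc_key, auth_key):
    """Verify the ICV, decrypt, strip the trailer; return (inner IP packet, spi, seq)."""
    ip = parse_ipv4(outer_pkt)
    if ip["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = ip["payload"][:-ICV_LEN], ip["payload"][-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")           # tampered or wrong SA: drop it
    spi, seq = struct.unpack("!II", body[:8])
    plain = xor(body[16:], keystream(enc_key, body[8:16], len(body[16:])))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("not a tunnelled IPv4 packet")
    return plain[:-(pad_len + 2)], spi, seq


def demo():
    enc_key, auth_key = b"\x11" * 16, b"\x22" * 32         # constructed sample keys
    # Constructed client request: 192.168.2.3 -> web server (TEST-NET-2 address), port 80.
    segment = tcp_header(36704, 80) + b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("192.168.2.3", "198.51.100.10", IPPROTO_TCP, len(segment)) + segment
    # Wireless client -> gateway; SPI and seq taken from the post's tcpdump output.
    outer = esp_tunnel_encapsulate(inner, "192.168.2.3", "192.168.2.1",
                                   0x06211586, 0xC3A0, enc_key, auth_key)
    decap, spi, seq = esp_tunnel_decapsulate(outer, enc_key, auth_key)
    tampered = outer[:-1] + bytes([outer[-1] ^ 0x01])     # flip one bit of the ICV
    try:
        esp_tunnel_decapsulate(tampered, enc_key, auth_key)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "on_wire": rdr_match(outer),        # None: only proto 50 and the SPI are visible
        "after_decap": rdr_match(decap),    # ('192.168.2.3', 36704, '198.51.100.10', 80)
        "spi": spi, "seq": seq,
        "round_trip": decap == inner,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two views side by side: `on_wire` is `None` because the matcher finds protocol 50 and no transport header, while `after_decap` is the client address, source port, server address and port 80 that a redirect rule needs. Whether a real ipnat rule on the gateway gets the `after_decap` view depends on where in the stack the filter hook runs relative to IPsec input processing, which this example does not model.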

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:03 MDT