[Oisf-users] Suricata as IPS with IPSec and internet breakout

Vishal Kotalwar vishalkv at altencalsoftlabs.com
Thu Oct 10 11:26:21 UTC 2019


Hi All,
     I am running Suricata 4.1.4 on Ubuntu 16.04 in inline mode. My box also acts as the IPsec endpoint for users accessing the internet. My box works as an access gateway in the sense that a user's IPsec tunnel will terminate on the box and then the traffic will get forwarded to the internet after source NATing. Suricata is the first module in the system which receives all incoming packets from both the LAN and WAN interfaces.
     I want to ...
         1. protect my box from any DoS/DDoS, port-scanning kind of attacks from the WAN side
         2. protect users from downloading any files that may have trojans etc.

     I am facing two problems ...
         1. For the user traffic entering from the LAN side, Suricata will see IPsec-encrypted payloads which it cannot inspect, but the return reply packets on the WAN will be plaintext. Suricata won't be able to match the same traffic to the same flow; will it?

         2. Even if I pass the user traffic entering the box after IPsec decryption to Suricata on the LAN side, the traffic will be SNATed on the WAN before going out to the internet. So user-generated traffic is, say, from A to C; after SNAT it will become, say, B to C. Suricata has mapped a flow from A to C, as SNAT happened at output time on the WAN. Now the return reply traffic is C to B on the WAN, and Suricata sees the packet as C to B only. Suricata will add this as a new flow from C to B, as it cannot match it to its original flow of A to C. Suricata won't be able to map this as a bi-directional flow? Will it affect Suricata's inspection capability?

         Should I enable the "async-oneside" setting in the yaml for these cases? Will it help?

Thanks & Regards,
Vishal V. Kotalwar
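As an added illustration that is not part of the original post, here is a small Python model of direction-independent flow keys showing why the two cases described above do not pair up into one flow: the ESP packet on the LAN side and the plaintext reply on the WAN side differ in protocol and addresses, and after SNAT the reply is keyed on B rather than A. The addresses are constructed sample values and the key scheme is a simplified stand-in for Suricata's own flow hashing, not its code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "esp"
    src: str
    sport: int   # 0 for protocols without ports (ESP)
    dst: str
    dport: int

def flow_key(p: Packet):
    """Direction-independent 5-tuple: the two (addr, port) endpoints are
    ordered so that A->C and C->A produce the same key (bi-directional flow)."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

class FlowTable:
    def __init__(self):
        self.flows = {}

    def see(self, p: Packet) -> bool:
        """True if the packet joined an existing flow, False if it opened a new one."""
        k = flow_key(p)
        if k in self.flows:
            self.flows[k] += 1
            return True
        self.flows[k] = 1
        return False

# Constructed sample addresses: A = user inside the tunnel, GW = gateway's
# IPsec endpoint on the LAN side, B = gateway's WAN (SNAT) address, C = server.
A, GW, B, C = "10.0.0.5", "10.0.0.1", "203.0.113.10", "198.51.100.7"

def scenario_esp_then_plaintext():
    """Case 1: encrypted ESP seen on LAN, plaintext reply seen on WAN."""
    t = FlowTable()
    t.see(Packet("esp", A, 0, GW, 0))              # ESP has no ports, proto differs
    return t.see(Packet("tcp", C, 443, B, 51000))  # reply does not match -> new flow

def scenario_post_decrypt_then_snat():
    """Case 2: decrypted A->C seen on LAN, but reply arrives on WAN as C->B."""
    t = FlowTable()
    t.see(Packet("tcp", A, 51000, C, 443))
    return t.see(Packet("tcp", C, 443, B, 51000))  # keyed on B, not A -> new flow

def scenario_same_addresses_both_ways():
    """Comparison: when both directions carry the same endpoints, they pair up."""
    t = FlowTable()
    t.see(Packet("tcp", A, 51000, C, 443))
    return t.see(Packet("tcp", C, 443, A, 51000))  # matches the original flow
```

The third scenario is the comparison case: the same reply, but with the address translated back to A before inspection, lands in the existing flow.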
