[Oisf-users] Suricata as IPS with IPSec and internet breakout

Andreas Herz aherz at oisf.net
Thu Oct 10 19:22:06 UTC 2019


Hi,

On 10/10/19 at 16:56, Vishal Kotalwar wrote:
> I am running Suricata 4.1.4 on Ubuntu 16.04 in inline mode. My box also
> acts as IPsec end point for users accessing internet.

Can you give us more details about this setup, what inline mode do you
use and how do you integrate it?

> 2. Even if I pass the User traffic entering the box after IPsec
> decryption to Suricata on LAN side; the traffic will be SNATed on WAN before
> going out to internet. So user generated traffic is say from A to C, after
> SNAT it will become say B to C. Suricata has mapped a flow from A to C as
> SNAT happened at out time on WAN. Now the return reply traffic is C to B on
> WAN and suricata sees the packet as C to B only. Suricata will add this as
> new flow from C to B as it cannot match its original flow of A to C.
> Suricata won't be able to map this as a bi-directional flow? Will it affect
> suricata's inspection capability?

I would put Suricata either at the spot where the tunnel ends and before
the SNAT and watch BOTH directions there or after SNAT and watch both
directions there. But this depends on how you built the whole setup.

Having B<->C or A<->C shouldn't change much as long as you see both
equal directions, just make sure the HOME_NET and EXTERNAL_NET are set
correctly.

-- 
Andreas Herz
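The point in the reply above (see both directions at one spot, either before or after the SNAT, never one direction on each side) can be shown with a toy flow tracker. This is an added example, not code from the thread and not Suricata's flow engine; the addresses A, B, C and the packets are constructed, ports are assumed to be preserved by the SNAT, and the direction-independent 5-tuple key is a simplification of how an IPS matches a reply to its originating flow.

```python
"""Toy bidirectional flow tracker: why an inline IPS must observe both
directions of a connection on the same side of the SNAT.

Added example; not part of the mailing-list thread and not Suricata code.
All addresses, ports and packets are constructed for illustration.
"""
from collections import defaultdict

# Constructed addresses: A = user behind the IPsec tunnel, B = gateway's
# public (WAN) address used for SNAT, C = server on the internet.
A, B, C = "10.0.0.5", "203.0.113.1", "198.51.100.10"

# Packets as 4-tuples (src, sport, dst, dport); TCP assumed throughout.
OUTBOUND = (A, 40000, C, 443)   # user -> server, as it leaves the tunnel (pre-SNAT)
REPLY_WAN = (C, 443, B, 40000)  # server -> gateway public address (post-SNAT side)


def flow_key(src, sport, dst, dport, proto="tcp"):
    """Direction-independent 5-tuple: a packet and its reply share one key."""
    a = (src, sport)
    b = (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def track_flows(packets):
    """Group packets into flows keyed by the direction-independent 5-tuple.

    Returns {flow_key: set of (src, dst) directions observed for that flow}.
    A flow with two directions in its set is bidirectional.
    """
    flows = defaultdict(set)
    for src, sport, dst, dport in packets:
        flows[flow_key(src, sport, dst, dport)].add((src, dst))
    return dict(flows)


def snat(packet, internal, public):
    """Rewrite addresses the way a port-preserving SNAT gateway does:
    outbound packets get their source replaced by the public address,
    inbound packets to the public address get their destination restored."""
    src, sport, dst, dport = packet
    if src == internal:
        return (public, sport, dst, dport)
    if dst == public:
        return (src, sport, internal, dport)
    return packet


def packets_seen_at(vantage):
    """What the IPS observes for one request/reply pair at a given hook point."""
    if vantage == "lan":    # tunnel end, before SNAT (reply already de-NATed)
        return [OUTBOUND, snat(REPLY_WAN, A, B)]
    if vantage == "wan":    # after SNAT, both directions as the internet sees them
        return [snat(OUTBOUND, A, B), REPLY_WAN]
    if vantage == "mixed":  # outbound hooked before SNAT, reply hooked on WAN
        return [OUTBOUND, REPLY_WAN]
    raise ValueError(f"unknown vantage point: {vantage}")


def summarize(vantage):
    """Number of flows the tracker builds and whether every flow saw both directions."""
    flows = track_flows(packets_seen_at(vantage))
    return {
        "flows": len(flows),
        "bidirectional": all(len(dirs) == 2 for dirs in flows.values()),
    }


if __name__ == "__main__":
    for vantage in ("lan", "wan", "mixed"):
        print(f"{vantage:>5}: {summarize(vantage)}")
```

At the LAN or WAN vantage point the request and reply collapse into one bidirectional flow; at the mixed point the tracker produces two one-directional flows (A->C and C->B), which is the situation the question describes and the reason the reply recommends watching both directions on one side of the NAT. HOME_NET and EXTERNAL_NET are then set for whichever address (A or B) is the inside one at that vantage point.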

