From: Alex Kiesel
To: freebsd-questions@freebsd.org
Subject: IpSec behind NAT
Date: Sun, 24 Feb 2002 14:05:34 +0100
Message-ID: <20020224130534.GA8465@schlund.de>
User-Agent: Mutt/1.3.27i

Hi,

I am trying to set up a host-to-subnet IPsec tunnel. The basic configuration does work, as I can ping any host on the subnet from my single "road-warrior" host.

    Host1                                            subnetxyz
          \                                         /
    Host2 - Roadwarrior --- INTERNET --- IPsec-Gw - subnetxxx
          /                                         \
    Host3                                            subnetbla

Host1, 2 and 3 all have private IP addresses, 192.168.1.x. The subnets have distinct IP addresses, e.g. 172.17.x.x.

Being logged in to Roadwarrior I can ping any host on any of those subnets, from which I conclude that my basic setup does work. But the roadwarrior is my net's firewall, so working from there is not what I want to do. I want to work from Host1.
When I ping any host on a right-hand subnet, I can see the following things:

- the ping gets NATed to my public IP address [which is ok]
- the ping gets encrypted and is sent to the IPsec gateway [ok]
- the ping reaches the destination host, and it answers
- the answer travels back over the encrypted tunnel to my roadwarrior
- the packet even gets through my natd, but the destination address is not rewritten to my Host1 IP address, so it does not reach me

I have to add that the remote gateway only permits a host-to-subnet tunnel, so I have to do NAT.

The problem is simply that the received packets do not get rewritten... Has anyone had such a problem? Any help is appreciated :)

Thanks,
Alex

-- 
Alex Kiesel
PGP Key: 0x09F4FA11
Today's excuse: A star wars satellite accidentally blew up the WAN.
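The NAT bookkeeping the post walks through (the echo request is source-NATed to the public address on the way out, and the echo reply has to be matched against that mapping on the way back), modelled in Python as an added example. This is not code from the post and not FreeBSD's natd or libalias; the public address 203.0.113.7, the host and subnet addresses and the ICMP identifiers are constructed. Like natd, it keys ICMP echo on the identifier field rather than on ports, and it makes explicit the two things that must hold for the reply to be rewritten: the translator has to be handed the packet as inbound traffic addressed to the public IP, and an entry for that identifier has to exist.

```python
"""Minimal model of ICMP-echo source NAT on a road-warrior gateway.

Added example; not the post's configuration and not FreeBSD natd/libalias.
All addresses and identifiers below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.7"   # assumed public address of the roadwarrior (TEST-NET-3)


@dataclass(frozen=True)
class IcmpEcho:
    src: str
    dst: str
    icmp_id: int          # echo identifier: the field NAT keys ICMP on, since there are no ports
    reply: bool = False   # False = echo request, True = echo reply


class IcmpNat:
    """Source-NAT table for ICMP echo, keyed by the (public) echo identifier."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: dict[int, tuple[str, int]] = {}   # public id -> (inner host, inner id)

    def _public_id_for(self, host: str, inner_id: int) -> int:
        for pub_id, entry in self.table.items():       # reuse an existing mapping
            if entry == (host, inner_id):
                return pub_id
        pub_id = inner_id
        while pub_id in self.table:                    # two inner hosts chose the same id
            pub_id = (pub_id + 1) & 0xFFFF
        self.table[pub_id] = (host, inner_id)
        return pub_id

    def outbound(self, pkt: IcmpEcho) -> IcmpEcho:
        """Echo request leaving the gateway: rewrite the source to the public IP."""
        pub_id = self._public_id_for(pkt.src, pkt.icmp_id)
        return replace(pkt, src=self.public_ip, icmp_id=pub_id)

    def inbound(self, pkt: IcmpEcho) -> Optional[IcmpEcho]:
        """Echo reply arriving from the tunnel: rewrite the destination back to the
        inner host.  Returns None when nothing matches, i.e. the reply is left
        addressed to the public IP and never reaches the inner host."""
        if not pkt.reply or pkt.dst != self.public_ip:
            return None
        entry = self.table.get(pkt.icmp_id)
        if entry is None:
            return None
        host, inner_id = entry
        return replace(pkt, dst=host, icmp_id=inner_id)


def trace_ping(inner_host: str, target: str, icmp_id: int,
               reply_seen_as_inbound: bool = True) -> str:
    """Walk the path described in the post and return the address the reply
    finally carries as destination.  reply_seen_as_inbound=False models the
    decrypted reply being handed to the translator on its outbound path, where
    destinations are never rewritten."""
    nat = IcmpNat(PUBLIC_IP)
    request = IcmpEcho(inner_host, target, icmp_id)
    on_wire = nat.outbound(request)          # step 1: NATed; encryption itself is not modelled
    # steps 2-4: remote host answers the public address, reply comes back through the tunnel
    reply = IcmpEcho(src=target, dst=on_wire.src, icmp_id=on_wire.icmp_id, reply=True)
    if not reply_seen_as_inbound:
        return reply.dst                     # outbound path: no destination rewrite happens
    translated = nat.inbound(reply)          # step 5: destination must be mapped back
    return translated.dst if translated is not None else reply.dst


if __name__ == "__main__":
    print(trace_ping("192.168.1.10", "172.17.5.5", 0x1234))                      # 192.168.1.10
    print(trace_ping("192.168.1.10", "172.17.5.5", 0x1234, reply_seen_as_inbound=False))  # 203.0.113.7
```

The model makes the same distinction natd does between the two directions: a packet only gets its destination mapped back when it is translated as inbound traffic to the public address, so the check when a reply is "seen by natd but not rewritten" is whether the decrypted packet is being classified as inbound and whether its identifier still matches the entry created on the way out.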