From owner-freebsd-questions Fri Apr 13 18:23:42 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197]) by hub.freebsd.org (Postfix) with ESMTP id 5AB8137B509 for ; Fri, 13 Apr 2001 18:23:38 -0700 (PDT) (envelope-from gunther@aurora.regenstrief.org)
Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38]) by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f3E1OkA31841; Fri, 13 Apr 2001 20:24:46 -0500
Message-ID: <3AD7A68C.1CBCDF7A@aurora.regenstrief.org>
Date: Sat, 14 Apr 2001 01:23:24 +0000
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Steve Watt
Cc: questions@FreeBSD.ORG
Subject: Re: IPsec painful setup...
References: <200104132353.f3DNr8B82866@wattres.Watt.COM>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Steve,

if you try the old gif tunnel method with IPsec transport mode ESP it
will not work through a NAT box. The problem is transport mode will
choke on any change in the IP header, and NAT changes the src address
and port. I suggest you use FreeBSD as the NAT box. Works nicely, if
you have just one tunnel.

Also if you have an "other IPsec capable router" at the other end, it
will most certainly not understand the gif-tunnel + ESP transport mode
hack. You need to use IPsec ESP tunnel mode properly. Tunnel mode might
work through the NAT box, I believe.

regards
-Gunther

Steve Watt wrote:
> 
> I've got a situation where I'm trying to set up an IPsec ESP tunnel
> to a box that's on the far side of a NAT box. I've successfully set
> up an IPsec tunnel to my box at home, but it's smart enough to have
> a routable IP address on one interface, unlike this other situation.
> 
> Here's a picture of what I'm trying; maybe someone can help:
> 
>        (internal net A)       (DSL line)
>   +---------+         +---------+          +-------------+
>   | FreeBSD |    |    |         |    |     | Other IPsec |
>   | box     +---------+ NAT rtr +-- inet --+ capable     +--- internal net B
>   | ("A")   |    v    |         |    v     | router      |
>   +---------+         +---------+          +-------------+
> 
> Because it's a DSL line from the NATing router, I can't just hook up
> the network interface with the routable address to box A.
> 
> The starting configuration is pretty much as described in the IPsec
> mini-howto on DaemonNews.
> 
> So, the questions are as follows:
> 
> 1. What address should I configure the local part of gif0 with? The one
>    associated with the DSL line, or the (static) NATted address of box A?
> 2. Same question, but in the SPD
> 3. Will I need to consume an extra subnet for the internal address of
>    gif0, or put it on internal net B's range (with a proxy arp), or ...?
> 
> I can't seem to locate anything that provides adequate clues in this
> area; maybe I'm just SOL and need to upgrade the NAT rtr?
> 
> Thanks,
> 
> --
> Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
> Internet: steve @ Watt.COM Whois: SW32
> Free time? There's no such thing. It just comes in varying prices...
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
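Gunther's point that ESP transport mode breaks once a NAT box rewrites the outer IP header, while tunnel mode has a chance of surviving, can be shown at the TCP checksum level. The following is an added example written for this archive page, not code from either poster or from the FreeBSD IPsec stack: it models a packet as a small dict, stands in for ESP's real cipher with a constructed SHA-256 keystream XOR (labelled toy, not an ESP implementation), and uses constructed addresses from the documentation ranges. The mechanism it illustrates is real: the TCP checksum covers a pseudo-header containing the IP addresses, so in transport mode the decrypted segment is checked against the NAT's rewritten source address and fails, whereas in tunnel mode the original header travels inside the ESP payload untouched.

```python
"""Why ESP transport mode fails behind NAT while tunnel mode survives.

Added example (constructed): packets are dicts, and the 'ESP cipher' is a
toy XOR keystream so the script runs offline. Only the checksum logic is
meant to be faithful to what a real stack does after decapsulation.
"""
import hashlib
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6

# Constructed addresses (RFC 5737 documentation ranges, private range for box A).
BOX_A = "192.168.1.10"      # box A's private address behind the NAT router
NAT_PUBLIC = "203.0.113.5"  # DSL-side public address of the NAT router
PEER = "198.51.100.7"       # the "other IPsec capable router"
KEY = b"constructed-demo-key-not-a-real-sa"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum: covers a pseudo-header with the IP addresses plus the segment."""
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return ones_complement_sum(pseudo + segment)


def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header + payload, with the checksum field filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    csum = tcp_checksum(src, dst, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def segment_valid(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: summing over a correct segment yields zero."""
    return tcp_checksum(src, dst, segment) == 0


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (constructed); stands in for ESP's cipher, nothing more."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def esp_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy 'encrypt/decrypt' so the model stays self-contained."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def send_transport(key: bytes, local: str, remote: str, segment: bytes) -> dict:
    """Transport mode: ESP protects only the TCP segment; the IP header is the clear outer header."""
    return {"src": local, "dst": remote, "esp": esp_xor(key, segment)}


def send_tunnel(key: bytes, local: str, remote: str, segment: bytes) -> dict:
    """Tunnel mode: ESP protects the original IP header + segment; a new outer header is added."""
    inner = IPv4Address(local).packed + IPv4Address(remote).packed + segment
    return {"src": local, "dst": remote, "esp": esp_xor(key, inner)}


def nat(packet: dict, public_ip: str) -> dict:
    """NAT rewrites the outer source address. ESP carries no ports, so that is all it can do."""
    return {**packet, "src": public_ip}


def receive_transport(key: bytes, packet: dict) -> bool:
    """After decapsulation the stack only has the outer addresses to checksum against."""
    segment = esp_xor(key, packet["esp"])
    return segment_valid(packet["src"], packet["dst"], segment)


def receive_tunnel(key: bytes, packet: dict) -> bool:
    """The inner header arrived intact inside ESP, so the checksum is verified against it."""
    inner = esp_xor(key, packet["esp"])
    src, dst = str(IPv4Address(inner[:4])), str(IPv4Address(inner[4:8]))
    return segment_valid(src, dst, inner[8:])


def demo() -> dict:
    """Run both modes through the NAT box and report whether the peer accepts the segment."""
    seg = build_segment(BOX_A, PEER, 40000, 22, b"hello")
    transport_ok = receive_transport(KEY, nat(send_transport(KEY, BOX_A, PEER, seg), NAT_PUBLIC))
    tunnel_ok = receive_tunnel(KEY, nat(send_tunnel(KEY, BOX_A, PEER, seg), NAT_PUBLIC))
    return {"transport_mode_ok": transport_ok, "tunnel_mode_ok": tunnel_ok}


if __name__ == "__main__":
    print(demo())
```

Without the NAT hop both modes validate; with it, only tunnel mode does, because the checksum the peer verifies was computed over the addresses that ESP carried intact. The model deliberately stops at the checksum: in a real deployment the peer's SA and the IKE negotiation must also accept the NAT router's public address as the remote endpoint, which is the part of Gunther's "might work" that this script does not cover.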