From owner-freebsd-net@FreeBSD.ORG Mon Jan 16 12:16:20 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 640D516A41F for ; Mon, 16 Jan 2006 12:16:20 +0000 (GMT) (envelope-from vanhu@zeninc.net)
Received: from caine.easynet.fr (smarthost167.mail.easynet.fr [212.180.1.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC88043D45 for ; Mon, 16 Jan 2006 12:16:19 +0000 (GMT) (envelope-from vanhu@zeninc.net)
Received: from easyconnect2121135-233.clients.easynet.fr ([212.11.35.233] helo=smtp.zeninc.net) by caine.easynet.fr with esmtp (Exim 4.50) id 1EyTHV-0001hQ-SJ; Mon, 16 Jan 2006 13:16:18 +0100
Received: from localhost.localdomain (spartacus.zen.inc [192.168.1.20]) by smtp.zeninc.net (smtpd) with ESMTP id E52103F17; Mon, 16 Jan 2006 13:16:09 +0100 (CET)
Received: by localhost.localdomain (Postfix, from userid 1000) id D22EA8560D; Mon, 16 Jan 2006 13:16:09 +0100 (CET)
Date: Mon, 16 Jan 2006 13:16:09 +0100
From: VANHULLEBUS Yvan
To: Przemyslaw Szczygielski
Message-ID: <20060116121609.GA2769@zeninc.net>
References: <20060116101332.8258821401E@rekin14.go2.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20060116101332.8258821401E@rekin14.go2.pl>
User-Agent: All mail clients suck. This one just sucks less.
Cc: freebsd-net@freebsd.org
Subject: Re: NAT over IPSECed WLAN
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jan 2006 12:16:20 -0000

On Mon, Jan 16, 2006 at 11:13:32AM +0100, Przemyslaw Szczygielski wrote:
> Well, for me the config is so complex, that I doubt anyone will
> waste time on going into my config files, but, well... There's
> always hope...
This is not the first time I saw such configuration requests, and that's why I suggested you ask on a public ML, because answers will also be available to others.

[....]

> So to make it short: IPSEC working = no NAT. IPSEC off = NAT working.
>
> I have attached my config files: ipsec.conf, natd.conf, racoon.conf
> and rc.firewall.rules (please don't ask me why do I have ssh on 5901...)

Unfortunately, your configuration attachments were filtered. But could you send ("inline" in the mail) at least your SPD configuration?

For what you want, you should have configuration like:

spdadd 0/0 out ESP/tunnel/xp-FreeBSD gate/require

("pseudo setkey" syntax, view from XP host, incoming entry also required, which is reverse).

The important points are "ESP", "tunnel" and "0/0" as remote traffic endpoint.

On BSD side, you can have reversed spd entries, or use racoon's generate-policy feature.

Is that what you have?

Another way of doing things is to use IPSec transport+L2TP, which can look simpler from Windows' side, but which I think is more complex in fact (another encapsulation level).

> If you can tell me, what went wrong I'd be very grateful. And I will
> surely write a detailed HOWTO for future generations... ;-)

Would be welcome, perhaps on FreeBSD's docs, and at least at ipsec-tools website!

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
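The SPD entries the reply sketches in "pseudo setkey" syntax, written out in full for both ends of the tunnel. This is an added example, not configuration from the mail or from the ipsec-tools project: the addresses (192.0.2.1 for the FreeBSD gateway, 192.0.2.50 for the XP client) are constructed placeholders from the RFC 5737 documentation range, and the shell functions only print setkey(8) and racoon.conf text so the script runs without an IPsec stack present. The XP-side block is the policy the Windows IPsec configuration has to match; Windows does not read setkey files.

```shell
#!/bin/sh
# Added example (not part of the original mail): SPD entries for a roaming
# client that must send all its traffic (0/0) through an ESP tunnel to the
# gateway, plus the reverse entry the reply says is also required.
# Addresses are constructed placeholders: GW = FreeBSD gateway, XP = client.
# Load the gateway output with "setkey -f <file>" and inspect it afterwards
# with "setkey -DP" (dump the SPD).

# SPD as seen by the FreeBSD gateway. Each entry names the tunnel endpoints
# in the direction the packet travels: inbound is client->gateway, outbound
# is gateway->client. "any" matches every upper-layer protocol.
spd_gateway() {
    gw="$1"; xp="$2"
    cat <<EOF
flush;
spdflush;
spdadd ${xp}/32 0.0.0.0/0 any -P in ipsec esp/tunnel/${xp}-${gw}/require;
spdadd 0.0.0.0/0 ${xp}/32 any -P out ipsec esp/tunnel/${gw}-${xp}/require;
EOF
}

# The same policy from the XP host's point of view: the mail's
# "spdadd 0/0 out ESP/tunnel/xp-FreeBSD gate/require" line, followed by
# the reversed inbound entry. Directions and endpoint order are swapped
# relative to the gateway, which is the mirror image the reply describes.
spd_xp() {
    gw="$1"; xp="$2"
    cat <<EOF
spdadd ${xp}/32 0.0.0.0/0 any -P out ipsec esp/tunnel/${xp}-${gw}/require;
spdadd 0.0.0.0/0 ${xp}/32 any -P in ipsec esp/tunnel/${gw}-${xp}/require;
EOF
}

# The alternative the mail mentions for the BSD side: instead of static
# reversed entries, let racoon install SPD entries from the policy the
# peer negotiates. Fragment for the "remote" block of racoon.conf; the
# rest of the block (exchange mode, authentication, proposals) is unchanged.
racoon_generate_policy() {
    cat <<'EOF'
remote anonymous {
        generate_policy on;
        # ... exchange_mode, authentication and proposal settings as before
}
EOF
}

# Usage: sh spd-example.sh <gateway-ip> <client-ip> > gateway-spd.conf
if [ $# -eq 2 ]; then
    spd_gateway "$1" "$2"
fi
```

A quick consistency check after loading the gateway file: `setkey -DP` should show exactly one `in` and one `out` policy for the client address, with the tunnel endpoints reversed between them; if the `out` entry is missing, replies to the client leave the WLAN in clear.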