From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 16:30:41 2007
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5307816A40A;
	Wed, 7 Mar 2007 16:30:41 +0000 (UTC)
	(envelope-from rjohanne@piper.hamline.edu)
Received: from piper.hamline.edu (piper.hamline.edu [138.192.2.101])
	by mx1.freebsd.org (Postfix) with ESMTP id 508F013C4C2;
	Wed, 7 Mar 2007 16:30:38 +0000 (UTC)
	(envelope-from rjohanne@piper.hamline.edu)
Received: from wnk (wnk [138.192.24.100])
	by piper.hamline.edu (8.12.6/8.12.6) with ESMTP id l27G0BQO022015;
	Wed, 7 Mar 2007 10:00:31 -0600 (CST)
Date: Wed, 7 Mar 2007 09:59:44 -0600 (CST)
From: Robert Johannes
X-X-Sender: rjohanne@wnk.hamline.edu
To: greg.panula@lexisnexis.com
Cc: freebsd-security@freebsd.org
Subject: freebsd vpn server behind nat dsl router
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 07 Mar 2007 16:30:41 -0000

Hello Greg,

I am writing to you because I saw your responses to a couple of messages on
the freebsd-security mailing list related to freebsd vpn and nat.

My situation is rather unique, and I need an expert's eyes to glance at it
and confirm whether it is doable or not. I have a simple diagram that
illustrates what I am trying to do, and it is located here (about 40k):
http://www.hamline.edu/~rjohanne/lan.jpg

In the diag, the dsl modems have dynamic public ips on the internet side,
and private ips on the lan side. As you can see in the diag, I am trying to
have the vpn traffic from the internet forwarded to the Freebsd vpn (the
machines ending in .254 on each site).
I have followed the Freebsd "VPN over Ipsec" in the handbook, and created a
tunnel between the two vpn servers; according to the handbook, I should be
able to ping the vpn servers using their private network addresses, but I am
not able to do that. I realize that my implementation is not exactly like
the handbook's, but what do I need to do to get it to work? I have googled
and researched all over the net without much progress.

I have seen a lot of messages related to nat and enabling vpn passthrough on
different dsl modems and so forth, which I have tried to do, but still, no
progress.

Any clues and pointers would be appreciated.

thanks
robert

From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 17:28:44 2007
Date: Wed, 7 Mar 2007 18:06:17 +0100
From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
Message-ID: <20070307170617.GA2799@zen.inc>
Content-Type: text/plain; charset=us-ascii
User-Agent: All mail clients suck. This one just sucks less.
Subject: Re: freebsd vpn server behind nat dsl router

On Wed, Mar 07, 2007 at 09:59:44AM -0600, Robert Johannes wrote:
> Hello Greg,
> I am writing you, because I saw your responses to a couple of messages on
> the freebsd-security mailing list related to freebsd vpn and nat.

Well, I'm not Greg, but hi, and here is some information :-)

> My situation is rather unique, and I am needing an expert's eyes to
> glance at it and confirm whether it is doable or not. I have a simple
> diagram that illustrates what I am trying to do, and it is located here
> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg

I'm not sure I understood exactly what you want to do, but I think your
setup is really common.

> In the diag, the dsl modems have dynamic public ips on the internet side,
> and private ips on the lan side.

If both DSL modems have dynamic IPs, you'll have a first problem: being
able to know the correct IP of your peer, then a second problem: being able
to detect when the peer's IP changes.

I'll consider you are able to do that.

> As you can see in the diag, I am trying to have the vpn traffic from the
> internet forwarded to the Freebsd vpn (the machines ending in .254 on each
> site). I have followed the Freebsd "VPN over Ipsec" in the handbook, and
> created a tunnel between the two vpn servers; according to the handbook, I
> should be able to ping the vpn servers using their private network
> addresses, but I am not able to do that. I realize that my implementation
> is not exactly like the handbook's, but what do I need to do to get it to
> work? I have googled, and researched all over the net without much
> progress.
> I have seen a lot of messages related to nat and enabling vpn passthrough
> on different dsl modems and so forth, which I have tried to do, but still,
> no progress.

Some information:

- The FreeBSD handbook talks about gif interfaces for IPSec tunnels. Just
  forget that part and use IPSec tunnels directly, without gif interfaces.

- You'll probably need NAT-T support so your VPN tunnel will be more likely
  to work (well, it may work without NAT-T, but it is more complex and needs
  lots of constraints between both FreeBSD gates). Make a quick search on
  freebsd-net, get the kernel patch from
  http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel with
  NAT-T support, reinstall your world, then recompile/reinstall the
  ipsec-tools port.

- When your tunnel is up, you'll probably want to lower the TCPMSS for
  traffic which goes through the tunnel, but this is another story :-)

Yvan.

-- 
NETASQ
http://www.netasq.com

From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 18:04:42 2007
Date: Wed, 7 Mar 2007 12:04:17 -0600 (CST)
From: Robert Johannes
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
In-Reply-To: <20070307170617.GA2799@zen.inc>
References: <20070307170617.GA2799@zen.inc>
Subject: Re: freebsd vpn server behind nat dsl router

Thanks for your response. My freebsd vpn servers are behind the dsl routers
at each site. The modems have firewall and NAT turned on. The vpn servers
are part of the local LANs, and I have port-forwarding set up between the
dsl modems and the vpn servers. E.g., when traffic comes from the internet
destined for port 500, I forward that traffic to the vpn servers
(192.168.x.254 on the diagram).

The freebsd servers are not running a firewall or NAT at this point. I don't
think they need to run NAT, but I haven't decided on the firewall yet.

So, given that situation, I don't know if the NAT changes to the kernel you
are suggesting below would help, since NAT is happening on the dsl routers.
I am guessing my problem is between the vpn server and the dsl router's NAT
capability. I have done a tcpdump on the gif interface, and I can see the
ping requests being made across it, but there's no response. I don't even
know if the traffic is making it beyond the vpn box, let alone beyond the
dsl modem.

About dynamic ip: The dsl routers have been configured to use the dyndns
service, and each time the ip address changes, dyndns is updated as well.

So, any other insight into this situation?

thanks
robert

On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
> [...]
> --
> NETASQ
> http://www.netasq.com
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 21:24:43 2007
Date: Wed, 7 Mar 2007 22:24:42 +0100
From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
Message-ID: <20070307212442.GA1384@jayce.zen.inc>
References: <20070307170617.GA2799@zen.inc>
Subject: Re: freebsd vpn server behind nat dsl router

On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
> Thanks for your response. My freebsd vpn servers are behind the dsl
> routers at each site. The modems have firewall and NAT turned on.
> The vpn servers are part of the local LANs, and I have port-forwarding
> setup between the dsl modems and the vpn servers. E.g, when traffic comes
> from the internet destined for port 500, I forward that traffic to the vpn
> servers (192.168.x.254 on the diagram).

If your redirection only works for port 500, it won't be enough, as it will
only allow IKE negotiations, not encrypted traffic.

You'll have to add forwarding for the ESP protocol, or use the NAT-T patch
and also forward UDP port 4500.

> The freebsd servers are not running a firewall or NAT at this point. I
> don't think they need to run NAT, but I haven't decided on the firewall
> yet.
>
> So, given that situation, I don't know if the NAT changes to the kernel
> you are suggesting below would help, since NAT is happening on the dsl
> routers. I am guessing my problem is between the vpn server and the dsl
> router's NAT capability. I have done a tcpdump on the gif interface, and
> I can see the ping requests being made across it, but there's no response.
> I don't even know if the traffic is making it beyond the vpn box, let
> alone beyond the dsl modem.

The NAT-T patch I was talking about adds the kernel part of an *IPSec*
feature: support for the NAT-Traversal extension (RFCs 3947 and 3948),
which allows IPSec tunnels to be established if there is some NAT between
IPSec gates.

This is exactly your setup.

The tcpdump on your GIF interface will only show you that FreeBSD correctly
routes the packet to that interface.....

> About dynamic ip: The dsl routers have been configured to use the dyndns
> service, and each time the ip address changes, dyndns is updated as well.

You'll still have the problem "detecting when the peer's IP changes".

Yvan.

-- 
NETASQ
http://www.netasq.com
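What the NAT-Traversal extension Yvan describes actually does on the wire, as an added example (not code from the thread, the handbook or the ipsec-tools patch): during IKE phase 1 each side sends NAT-D hashes of the address and port it believes it is using (RFC 3947), so the peer can recompute the hash over the source address it really received from and notice that a NAT rewrote it; once a NAT is detected both sides move to UDP port 4500 and carry ESP inside UDP (RFC 3948), which a DSL router can port-forward because it now has UDP ports to rewrite. The cookies, SPI and addresses below are constructed, and SHA-1 stands in for whatever hash phase 1 actually negotiated.

```python
"""
NAT detection (RFC 3947 NAT-D) and UDP-encapsulated ESP on port 4500
(RFC 3948).  Added example; cookies, SPIs and addresses are constructed,
and SHA-1 is only an assumption for the phase 1 hash.
"""
import hashlib
import ipaddress
import struct

NAT_KEEPALIVE = b"\xff"                 # RFC 3948 s.2.3: one-octet keepalive
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 s.2.2: prefixes IKE on 4500
# RFC 2408 ISAKMP header: I-cookie, R-cookie, next payload, version,
# exchange type, flags, message ID, length (28 octets in total).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")           # SPI, sequence number


def nat_d_hash(cky_i, cky_r, ip, port, hashfn=hashlib.sha1):
    """NAT-D payload data, RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed
    return hashfn(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(cky_i, cky_r, peer_nat_d, seen_ip, seen_port):
    """The peer hashed the address *it* thinks it has.  If the hash over the
    source address we actually received from differs, something rewrote the
    packet on the way: a NAT is in the path and UDP encapsulation is needed."""
    return nat_d_hash(cky_i, cky_r, seen_ip, seen_port) != peer_nat_d


def udp_encap_esp(spi, seq, esp_payload):
    """Body of a UDP/4500 datagram carrying ESP (RFC 3948 s.2.1).  SPI 0 is
    reserved precisely so that ESP can never look like the Non-ESP marker."""
    if spi == 0:
        raise ValueError("SPI 0 would collide with the Non-ESP marker")
    return ESP_HDR.pack(spi, seq) + esp_payload


def classify_udp4500(datagram):
    """Demultiplex a UDP/4500 payload the way a NAT-T capable kernel does:
    keepalive, IKE behind the Non-ESP marker, or UDP-encapsulated ESP."""
    if datagram == NAT_KEEPALIVE:
        return ("keepalive",)
    if datagram.startswith(NON_ESP_MARKER):
        body = datagram[len(NON_ESP_MARKER):]
        if len(body) < ISAKMP_HDR.size:
            raise ValueError("truncated IKE header")
        cky_i, cky_r, _np, _ver, exch, _flags, _msgid, length = \
            ISAKMP_HDR.unpack_from(body)
        return ("ike", cky_i, cky_r, exch, length)
    if len(datagram) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(datagram)
    return ("esp", spi, seq, datagram[ESP_HDR.size:])


def walkthrough():
    """Constructed scenario: gateway A is 192.168.1.254 behind a DSL router
    whose public side is 203.0.113.5; gateway B receives A's IKE packet from
    the router's address, so A's NAT-D hash no longer matches."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    a_sends = nat_d_hash(cky_i, cky_r, "192.168.1.254", 500)
    natted = nat_in_path(cky_i, cky_r, a_sends, "203.0.113.5", 500)
    # After detection both sides move to port 4500 and wrap ESP in UDP.
    wire = udp_encap_esp(0x00C0FFEE, 1, b"ciphertext...")
    return natted, classify_udp4500(wire)


if __name__ == "__main__":
    print(walkthrough())
```

With this in place the DSL router only needs the UDP 500 and UDP 4500 forwards Yvan lists; protocol 50 never appears on the outside of the router, and the one-byte keepalives sent by the side behind the NAT are what keep the router's UDP mapping alive between data packets.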
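For the remaining problem Yvan names, detecting when the peer's address changes, an added example (not code from the thread) of the check a cron job on each gateway could run against the other sites' dyndns names. The peer names and state file path are made up, and the resolver is a parameter so the logic can be exercised without DNS.

```python
"""
Detect a change in a peer gateway's dynamic public address.  Added
example; peer names and the state file path are assumptions, and the
resolver is injectable so the check can run offline.
"""
import json
import socket
from pathlib import Path


def resolve_ipv4(name):
    """Production resolver: first IPv4 answer from the system resolver.
    Raises socket.gaierror (an OSError) when the name does not resolve."""
    return socket.getaddrinfo(name, None, socket.AF_INET,
                              socket.SOCK_DGRAM)[0][4][0]


def table_resolver(table):
    """Offline stand-in for resolve_ipv4 backed by a dict, for dry runs."""
    def resolve(name):
        if name not in table:
            raise OSError("cannot resolve %s" % name)
        return table[name]
    return resolve


def load_state(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_state(path, state):
    Path(path).write_text(json.dumps(state, indent=1))


def check_peers(peers, state, resolve=resolve_ipv4, on_change=None):
    """Compare each peer's current address with the one in `state`
    ({name: last_ip}, updated in place).  Returns {name: (old, new)} for
    the peers that moved (old is None the first time a peer is seen) and
    calls on_change(name, old, new) for each.  A failed lookup is
    deliberately not a change: a DNS hiccup must not tear down a tunnel
    that still works."""
    changed = {}
    for name in peers:
        try:
            new_ip = resolve(name)
        except OSError:
            continue
        old_ip = state.get(name)
        if old_ip != new_ip:
            changed[name] = (old_ip, new_ip)
            state[name] = new_ip
            if on_change is not None:
                on_change(name, old_ip, new_ip)
    return changed


if __name__ == "__main__":
    # Run from cron; on a change, regenerate that peer's racoon "remote"
    # block and SPD entries for the new address and reload them.
    STATE = "vpn-peers.json"                    # assumed path
    PEERS = ["site2.example.dyndns.invalid"]    # assumed dyndns names
    state = load_state(STATE)
    moved = check_peers(PEERS, state)
    save_state(STATE, state)
    for name, (old, new) in moved.items():
        print("%s: %s -> %s, reload IPsec config" % (name, old, new))
```

Two caveats a practitioner would want stated: detection is only as fast as the dyndns update plus the record's TTL, so a tunnel can be down for minutes before this notices, and the script only sees the remote side move; when the local router's public address changes it is the other site's copy of the script that reacts, and the local racoon still has to be told to reload (ipsec-tools ships racoonctl for that).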
From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 21:55:24 2007
Date: Wed, 07 Mar 2007 21:30:39 +0000
From: Tom Judge
To: freebsd-security@freebsd.org
Message-ID: <45EF2EFF.5080407@tomjudge.com>
References: <20070307170617.GA2799@zen.inc>
Subject: Re: freebsd vpn server behind nat dsl router

Robert Johannes wrote:
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>> [...]
>> [...]
> Thanks for your response. My freebsd vpn servers are behind the dsl
> routers at each site. The modems have firewall and NAT turned on.
> The vpn servers are part of the local LANs, and I have port-forwarding
> setup between the dsl modems and the vpn servers. E.g, when traffic
> comes from the internet destined for port 500, I forward that traffic to
> the vpn servers (192.168.x.254 on the diagram).
>
> The freebsd servers are not running a firewall or NAT at this point. I
> don't think they need to run NAT, but I haven't decided on the firewall
> yet.
>
> So, given that situation, I don't know if the NAT changes to the kernel
> you are suggesting below would help, since NAT is happening on the dsl
> routers. I am guessing my problem is between the vpn server and the dsl
> router's NAT capability. I have done a tcpdump on the gif interface,
> and I can see the ping requests being made across it, but there's no
> response. I don't even know if the traffic is making it beyond the vpn
> box, let alone beyond the dsl modem.
>
> About dynamic ip: The dsl routers have been configured to use the dyndns
> service, and each time the ip address changes, dyndns is updated as well.
>
> So, any other insight into this situation?

If you are using IPSec with ESP as per the handbook you will need to NAT
the ESP packets back to the internal VPN routers. As ESP is an IP payload
protocol, not a TCP/UDP payload protocol, your DSL router will probably not
be able to do this.

I would suggest you go with Yvan's suggestion of doing away with gif and
adding the nat-t support to ipsec.
Alternatively you could use a UDP/TCP based vpn solution such as openvpn
(in ports and http://openvpn.net/) which will be fully compatible with your
nat setup; openvpn will also be tolerant to remote end points changing ip
address while the vpn link is active, which comes in handy when used in
combination with a dynamic dns service.

Tom

From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 23:15:02 2007
Date: Wed, 7 Mar 2007 17:14:37 -0600 (CST)
From: Robert Johannes
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
In-Reply-To: <20070307212442.GA1384@jayce.zen.inc>
References: <20070307170617.GA2799@zen.inc> <20070307212442.GA1384@jayce.zen.inc>
Subject: Re: freebsd vpn server behind nat dsl router

On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
>> Thanks for your response.
>> My freebsd vpn servers are behind the dsl
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> setup between the dsl modems and the vpn servers. E.g, when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>
> If your redirection only works for port 500, it won't be enough, as it
> will only allow IKE negotiations, not encrypted traffic.
>
> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
> also forward UDP 4500 port.

Yeah, I have been trying to figure out how to forward protocols 47, 50 and
51 to the vpns without knowing whether it is successful or not. So, on to
nat-t then.

>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel
>> you are suggesting below would help, since NAT is happening on the dsl
>> routers. I am guessing my problem is between the vpn server and the dsl
>> router's NAT capability. I have done a tcpdump on the gif interface, and
>> I can see the ping requests being made across it, but there's no response.
>> I don't even know if the traffic is making it beyond the vpn box, let
>> alone beyond the dsl modem.
>
> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
> which allows IPSec tunnels to be established if there is some NAT
> between IPSec gates.
>
> This is exactly your setup.

Cool. My response above was based on not really understanding how nat
played havoc on my vpn design. It sounds like NAT-T is what I should be
doing then. Do you know if the patch was included in the 6.1 and 6.2
releases? Or perhaps in current/stable?
It would be faster for me to reload, rather than making world; the machines
I am working with are amd K6 500mhz cpus, with 186megs of ram.

> The tcpdump on your GIF interface will only show you that FreeBSD
> correctly routes the packet to that interface.....
>
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>
> You'll still have the problem "detecting when the peer's IP change".

I don't know yet how I will handle this; but I could probably create a
script that monitors for change in the ip address, and re-initializes vpn
services with the new ip.

> Yvan.
> [...]

From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 23:22:33 2007
Date: Wed, 7 Mar 2007 17:22:08 -0600 (CST)
From: Robert Johannes
To: Tom Judge
Cc: freebsd-security@freebsd.org
In-Reply-To: <45EF2EFF.5080407@tomjudge.com>
References: <20070307170617.GA2799@zen.inc> <45EF2EFF.5080407@tomjudge.com>
Subject: Re: freebsd vpn server behind nat dsl router

On Wed, 7 Mar 2007, Tom Judge wrote:
> Robert Johannes wrote:
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>> [...]
>> [...]
>
> If you are using IPSec with ESP as per the handbook you will need to NAT
> the ESP packets back to the internal VPN routers. As ESP is an IP payload
> protocol, not a TCP/UDP payload protocol, your DSL router will probably
> not be able to do this.

Looking into adding nat-t to ipsec as we speak.

> I would suggest you go with Yvan's suggestion of doing away with gif and
> adding the nat-t support to ipsec. Alternatively you could use a UDP/TCP
> based vpn solution such as openvpn (in ports and http://openvpn.net/)
> which will be fully compatible with your nat setup; openvpn will also be
> tolerant to remote end points changing ip address while the vpn link is
> active, which comes in handy when used in combination with a dynamic dns
> service.

As far as openvpn goes, I looked into it in October or Nov. last year, and
it seemed not to be very scalable; I have 6 different offices that all need
to connect and chat with each other, and it didn't seem like openvpn would
allow for this to happen. I didn't investigate it much beyond that when I
learned that.

robert
From owner-freebsd-security@FreeBSD.ORG Thu Mar 8 01:59:16 2007
Date: Thu, 08 Mar 2007 08:32:25 +0700
From: Thomas Wahyudi
To: Robert Johannes
Cc: freebsd-security@freebsd.org
Message-ID: <45EF67A9.9080800@sanbe-farma.com>
References: <20070307170617.GA2799@zen.inc> <45EF2EFF.5080407@tomjudge.com>
Subject: Re: freebsd vpn server behind nat dsl router

Robert Johannes wrote:
> As far as openvpn goes, I looked into it in October or Nov.
> last year, and it seemed not to be very scalable; I have 6 different offices
> that all need to connect and chat with each other, and it didn't seem
> like openvpn would allow for this to happen. I didn't investigate it
> much beyond that when I learned that.

Hmm, I think it should. I have 3 different locations, all connected to HQ
using openvpn, and all locations can talk to each other, just don't use UDP
transmission (it has a problem).

regards
Thomas

From owner-freebsd-security@FreeBSD.ORG Thu Mar 8 07:57:27 2007
Message-ID: <45EFC25C.2060802@tomjudge.com>
Date: Thu, 08 Mar 2007 07:59:24 +0000
From: Tom Judge
To: Robert Johannes
Cc: freebsd-security@freebsd.org
References: <20070307170617.GA2799@zen.inc> <45EF2EFF.5080407@tomjudge.com>
Subject: Re: freebsd vpn server behind nat dsl router

Robert Johannes wrote:
> On Wed, 7 Mar 2007, Tom Judge wrote:
>
> Looking into adding nat-t to ipsec as we speak.
>
>> I would suggest you go with Yvan's suggestion of doing away with gif
>> and adding the nat-t support to ipsec. Alternatively you could use a
>> UDP/TCP based vpn solution such as openvpn (in ports and
>> http://openvpn.net/) which will be fully compatible with your nat
>> setup, openvpn will also be tolerant to remote end points changing ip
>> address half while the vpn link is active, comes in handy when used in
>> combination with a dynamic dns service).
>
> As far as openvpn goes, I looked into it in October or Nov. last year,
> and it seemed not to be very scalable; I have 6 different offices that
> all need to connect and chat with each other, and it didn't seem like
> openvpn would allow for this to happen. I didn't investigate it much
> beyond that when I learned that.
>

There are no problems with connecting 6 sites together with openvpn; you
could either run separate instances of openvpn for each site or use the
correct configuration option that specifies all clients can talk to each
other via the server. However I would have thought that you would want
each site to have a link to every other site directly, in which case an
openvpn server at each site is your best option, with a number of clients.
If you use ospf/bgp you will be able to easily maintain your routing table
with all these links and be able to survive a link failure, as the traffic
will get routed via another site rather than directly to its destination.

It would be advisable to use a routing protocol such as ospf even if you
decide to use IPSec, as it simplifies the maintenance of the routing table
and allows new sites to be added easily and quickly.

Just my 2p

Tom

From owner-freebsd-security@FreeBSD.ORG Sat Mar 10 19:41:17 2007
Date: Sat, 10 Mar 2007 20:23:47 +0100
From: Jeremie Le Hen
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Message-ID: <20070310192347.GC2887@obiwan.tataz.chchile.org>
In-Reply-To: <20070307170617.GA2799@zen.inc>
Subject: Re: IPSec tunnel interfaces (was: freebsd vpn server behind nat dsl router)

Hi Yvan,

On Wed, Mar 07, 2007 at 06:06:17PM +0100, VANHULLEBUS Yvan wrote:
> - FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
>   forget that part and use directly IPSec tunnels without Gif
>   interfaces.

While I understand why using gif(4) to create IPSec tunnels is not
recommended because of interoperability, administratively it is pretty
useful to see the tunnel as an interface. Everything that comes along
such as routes, firewall rules et al. work very naturally.

I'm no IPSec expert as you probably are, and I seem to recall the RFC
advises (requires?) it to be implemented as a bump in a stack. However,
is it reasonable to expect to see this in the future? It seems the enc(4)
interface provides this feature somehow but only for FAST_IPSEC. What is
the doom of IPSEC? Are they to be merged in the future, or is it possible
to make the enc(4) work with IPSEC as well?

Thank you.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
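The point Tom Judge makes earlier in the thread (plain ESP, IP protocol 50, gives a port-based NAT nothing to translate on, which is what NAT-T's UDP/4500 encapsulation fixes) can be seen directly in the packet layout. The following is an added example, not code from any poster or from FreeBSD: it builds constructed IPv4/ESP and IPv4/UDP(4500)/ESP packets with placeholder addresses and shows what a port-rewriting NAT could key a translation on in each case.

```python
import struct
from ipaddress import IPv4Address

ESP, UDP = 50, 17           # IP protocol numbers
NAT_T_PORT = 4500           # UDP port for NAT-T (RFC 3948 encapsulation)

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp(spi, seq, body):
    return struct.pack("!II", spi, seq) + body   # ESP header: SPI, sequence number

def nat_flow_key(pkt):
    """Return (kind, key): what a port-based NAT could key a translation on.

    UDP flows give a usable 5-tuple key; plain ESP gives None because its header
    carries only an SPI and a sequence number, no ports to rewrite or match on.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    l4 = pkt[ihl:]
    if proto == ESP:
        # Each direction's SPI is picked by its receiver, so the NAT cannot pair
        # the returning SPI with the outbound one it saw: nothing to demultiplex on.
        return ("esp-no-ports", None)
    if proto == UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        key = (proto, src, sport, dst, dport)
        if NAT_T_PORT in (sport, dport):
            # First 4 payload bytes: all-zero "non-ESP marker" means IKE,
            # anything else is an ESP SPI (SPI 0 is never assigned to an SA).
            kind = "nat-t-ike" if l4[8:12] == b"\x00\x00\x00\x00" else "nat-t-esp"
            return (kind, key)
        return ("udp", key)
    return ("other", None)

if __name__ == "__main__":
    inner = esp(0x1000, 1, b"\xaa" * 16)               # constructed ESP payload
    plain = ipv4(ESP, "192.168.1.254", "203.0.113.7", inner)
    natt = ipv4(UDP, "192.168.1.254", "203.0.113.7", udp(4500, 4500, inner))
    print(nat_flow_key(plain), nat_flow_key(natt))
```

The same inner ESP datagram yields no usable key when carried directly, and a normal UDP 5-tuple once wrapped for NAT-T, which is the whole reason the router can forward the latter.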