From: "Crist J. Clark" <cristjc@comcast.net>
To: security@freebsd.org, net@freebsd.org
Date: Thu, 30 Oct 2003 14:43:42 -0800
Subject: Re: Using racoon-negotiated IPSec with ipfw and natd
Message-ID: <20031030224342.GA32640@blossom.cjclark.org>
In-Reply-To: <20031030210509.GA667@omoikane.mb.skyweb.ca>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Thu, Oct 30, 2003 at 03:05:09PM -0600, Mark Johnston wrote:
> [ -netters, please Cc me or security@ with replies. ]
>
> I'm running into trouble integrating dynamic racoon-based IPSec into a network
> with ipfw and natd. I need to be able to allow VPN access from any address
> from authenticated clients. I've got the dynamic VPN working, with racoon
> negotiating SAs and installing SPs, but the problem is that I can't tell
> whether an incoming packet on the internal interface should go through natd or
> not.
>
> The problem looks like this. I have 3 boxes, mobile, gateway, and internal,
> and I'm trying to ping internal from mobile.
>
> - gateway receives an ESP packet from mobile (encapsulating a ping).
> - gateway decrypts and transmits an ICMP packet to internal with mobile's
>   source address.
> - internal generates the ICMP response to mobile.
> - gateway receives the response, runs it through natd, and sends it out in the
>   clear to mobile with gateway's source address.
>
> The packet is going out in the clear because after natd rewrites it, its source
> address is gateway's external interface - not part of the SP.

This shouldn't happen. IPsec processing of the outgoing packet happens
_before_ it gets passed to ipfw(8) (which hands it to natd(8)) on the
external interface.

> What I want to
> accomplish, in pseudo-ipfw, is this:
>
>   pass esp from any to me
>   pass ip from known-sp-sources to 192.168.0.0/24
>   pass ip from 192.168.0.0/24 to known-sp-destinations
>   divert natd from 192.168.0.0/24 to any

This may be your problem. That rule should be something like,

  divert natd from 192.168.0.0/24 to any via ${external_if}

Is that what you actually have? Are you doing NAT on the internal
interface? That would confuse things.

>   deny ip from any to 192.168.0.0/24
>   pass ip from me to any keep-state
>
> All I'm missing is the known-sp definitions. If anyone has any pointers on
> doing this, please share. If I'm going about it totally bass-ackwards, I'd
> like to hear that too. :)

--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
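The difference the `via ${external_if}` qualifier makes can be seen with a toy first-match rule walker, written here as an added illustration (not code from either poster). It models only the posted rules with the known-sp placeholders left out; the interface names and the mobile and gateway addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample topology for the three boxes in the thread; none of these
# addresses or interface names come from the original mail.
GATEWAY_ADDRS = {"203.0.113.1", "192.168.0.1"}   # gateway's external and internal addresses
EXTERNAL_IF, INTERNAL_IF = "fxp0", "fxp1"          # assumed interface names
MOBILE = "198.51.100.7"                            # roaming VPN client (placeholder)
INTERNAL_HOST = "192.168.0.10"                     # host on the 192.168.0.0/24 LAN

def _addr_match(spec, addr):
    """'any' matches everything, 'me' the gateway's own addresses, otherwise a CIDR/host."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in GATEWAY_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, pkt):
    """Walk rules in order, ipfw-style; return the first matching action, or None."""
    for action, src, dst, via in rules:
        if via is not None and via != pkt["iface"]:   # 'via' restricts the rule to one interface
            continue
        if _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"]):
            return action
    return None

def ruleset(divert_via):
    """The posted rules minus the known-sp lines; divert_via is None (as posted) or an interface."""
    return [
        ("divert natd", "192.168.0.0/24", "any", divert_via),
        ("deny", "any", "192.168.0.0/24", None),
        ("pass keep-state", "me", "any", None),
    ]

# The ICMP echo reply from internal to mobile as the gateway first sees it, on the inside interface.
REPLY_ON_INTERNAL_IF = {"src": INTERNAL_HOST, "dst": MOBILE, "iface": INTERNAL_IF}

def reply_action(divert_via):
    """Action the reply hits on the internal interface under the given divert rule."""
    return first_match(ruleset(divert_via), REPLY_ON_INTERNAL_IF)

if __name__ == "__main__":
    # As posted: the reply is diverted on the way in, natd rewrites its source to the
    # gateway's address, and it no longer matches the SP that would have protected it.
    print("as posted:       ", reply_action(None))
    # With 'via' on the external interface: untouched on the inside interface, so the
    # SP-covered pass rule the poster is still missing can decide its fate.
    print("with via ext_if: ", reply_action(EXTERNAL_IF))
```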