Date: Wed, 21 Mar 2001 11:20:04 -0500
From: Mipam <mipam@ibb.net>
To: security@freebsd.org
Subject: nat/ipfw/ipsec interaction
Message-ID: <20010321112004.D1687@bootp-20-219.bootp.virginia.edu>
Hi,

Yesterday I tried to set up an ipsec connection from me to a friend of mine, most simple case: just esp, transport mode, manual passwords. I didn't use ipf/nat or anything and things went well on this side (I wasn't even using freebsd). Tcpdump rocks sometimes :)

On the other side nat was done, and on that same box a jail was run to host telnet in, and the plan was to make an ipsec telnet session to that nat machine in which the jail for telnet was running. Normal telnet went fine :) Applying ipsec transport mode with just esp didn't work out. Running tcpdump on that box turned out that the outside interface received the packets with the correct key number etc ... but it sent a plain reset back as if we were talking to a closed port. And yes, the firewall let telnet through, for else normal telnet wouldn't have worked at all.

Finally we tried it on a machine behind the nat machine to create a transport mode with just esp and manual keys. Still didn't work out.

host ----internet--- freebsd nat/ipfw -- host

I didn't administer the freebsd nat/ipfw machine, but I was told what he saw. In this case the traffic didn't even arrive on the internal interface from the nat box, he said. Normal traffic worked fine, but it seems that natd/ipfw doesn't work too well with ipsec, not even when a machine behind the nat machine does ipsec and not the nat box itself. And I don't get that case: nat should just change the ip hdr in case of an ipsec (esp transport) packet coming in. In this case I didn't receive anything back at all, and tcpdump on the nat machine showed again that it receives the packet, but what happens after I don't know.

So when not using ipsec, doing telnet sessions and other sessions for which services are running on machines behind the freebsd nat box all works fine. As soon as we're applying ipsec from these machines to each other it won't work. The problem clearly is on the nat box, for when doing ipsec, the machine behind the nat box doesn't receive any traffic at all.

Does anyone have such a situation running which is actually working? Are any bugs known concerning these issues? Any suggestions?

Bye,

Mipam.