From owner-freebsd-net@FreeBSD.ORG Wed Nov 3 18:20:09 2004
Date: Wed, 3 Nov 2004 10:20:00 -0800
From: Aaron Nichols
To: freebsd-net@freebsd.org
Subject: Re: Problems with NAT on gif interface for VPN
In-Reply-To: <20041102124027.GH10641@sitadelle.com>
References: <62721446609.20041028214724@star-sw.com> <20041029141411.GE10641@sitadelle.com> <20041102124027.GH10641@sitadelle.com>
List-Id: Networking and TCP/IP with FreeBSD

All,

Thank you for your help. I managed to get this working.
First, I had to compile the kernel to use the FAST_IPSEC option, which apparently changes processing so that traffic goes via gif0 (packet captures only see incoming traffic to gif0 however) - the IPSEC_FILTERGIF option was not sufficient to allow for divert processing apparently. I also had to configure the kernel to use ipfw2 instead of ipfw so that I could use the 'ipsec' option in the filter sets.

It seems that the man page for ipfw is a bit inaccurate in this regard. Under "IPFW2 ENHANCEMENTS" of ipfw(8) it states the following:

    The following options are not implemented by ipfw1: dst-ip, dst-port,
    layer2, mac, mac-type, src-ip, src-port. Additionally, the RELENG_4
    version of ipfw1 does not implement the following options: ipid, iplen,
    ipprecedence, iptos, ipttl, ipversion, tcpack, tcpseq, tcpwin.

However, the 'ipsec' option is never mentioned - and it does not seem to work if using ipfw1.

At this point, I have the following ipfw ruleset:

    00001     0        0 allow ip from any to any layer2 not mac-type 0x0800
    00100 13235  9607548 divert 8669 ip from any to any via gif0
    00200 14890 10960619 divert 8668 ip from any to any via xl0 not ipsec
    00300  8017  9434062 allow ip from any to any ipsec
    00400  8017  9273722 allow ip from any to any via gif0
    00500     0        0 check-state
    00510 14033 10435476 allow ip from any to any via xl0 out keep-state
    00600     0        0 allow esp from any to me
    00610     0        0 allow udp from any to me dst-port 500
    00700     0        0 allow ip from any to any via lo0
    00710 17115 10937956 allow ip from any to any via vr0 keep-state
    01000     0        0 allow tcp from any to any dst-port 22 in keep-state
    01010     9      498 allow tcp from any to any dst-port 25 in keep-state
    01020     0        0 allow tcp from any to any dst-port 80 in keep-state
    02000     0        0 allow icmp from any to any
    05000    82    22098 deny log ip from any to any
    65535    42     7902 deny ip from any to any

I suspect rules 300 & 400 are redundant but I'll work on tuning the filter set next.
If anyone is interested in the full details of this setup please let me know and I can provide them. The majority of tweaking had to do with getting the right kernel setup though - after which things worked mostly as expected.

Thanks again for everyone's help.

Aaron
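As an added example (not from the post above and not a FreeBSD tool), a small Python audit of an `ipfw -a list` listing in the layout the post shows: it parses the per-rule counters, flags rules that never matched, rules shadowed by an earlier unconditional allow/deny, and adjacent allow rules with identical packet counts, the kind of pair the post suspects of being redundant. The sample listing is constructed from a subset of the rules in the post; the catch-all pattern is an assumption that only recognises a bare `ip from any to any` body.

```python
import re
# Constructed sample in `ipfw -a list` layout (number, packets, bytes, body),
# a subset of the ruleset quoted in the post above.
SAMPLE_LISTING = """\
00100 13235 9607548 divert 8669 ip from any to any via gif0
00300 8017 9434062 allow ip from any to any ipsec
00400 8017 9273722 allow ip from any to any via gif0
00500 0 0 check-state
00600 0 0 allow esp from any to me
00610 0 0 allow udp from any to me dst-port 500
05000 82 22098 deny log ip from any to any
65535 42 7902 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")
# Assumed catch-all shape: action, optional 'log', then a bare 'ip from any to any'.
CATCHALL_RE = re.compile(
    r"^(allow|accept|pass|deny|drop)(\s+log(\s+logamount\s+\d+)?)?\s+ip\s+from\s+any\s+to\s+any$")
DEFAULT_RULE = 65535  # ipfw's built-in last rule, always present

def parse_listing(text):
    """Return (number, packets, bytes, body) tuples, skipping non-rule lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m[1]), int(m[2]), int(m[3]), m[4].strip()))
    return rules

def zero_hit_rules(rules):
    """Rules that never matched: dead, or their traffic is taken by an earlier rule."""
    return [n for n, pkts, _, _ in rules if pkts == 0]

def shadowed_rules(rules):
    """Rules after an unconditional allow/deny: they can never see a packet."""
    shadowed, blocked = [], False
    for n, _, _, body in rules:
        if blocked and n != DEFAULT_RULE:
            shadowed.append(n)
        blocked = blocked or bool(CATCHALL_RE.match(body))
    return shadowed

def equal_counter_allows(rules):
    """Adjacent allow rules with equal non-zero packet counts (a hint only: overlap, or one direction each)."""
    out = []
    for (n1, p1, _, b1), (n2, p2, _, b2) in zip(rules, rules[1:]):
        if b1.startswith("allow") and b2.startswith("allow") and p1 == p2 > 0:
            out.append((n1, n2))
    return out
```

Run it against real output with `parse_listing(open("listing.txt").read())`; a non-empty `shadowed_rules` result means the ESP/IKE allow rules or any later rule sit behind a catch-all and need reordering.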