From owner-freebsd-security@FreeBSD.ORG Sat Apr 3 11:01:59 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2CF2E16A4CE; Sat, 3 Apr 2004 11:01:59 -0800 (PST)
Received: from you.fuckup.org (you.fuckup.org [216.150.215.69]) by mx1.FreeBSD.org (Postfix) with ESMTP id C097743D45; Sat, 3 Apr 2004 11:01:58 -0800 (PST) (envelope-from stephen@sonn.com)
Received: from you.fuckup.org (stanley@localhost [127.0.0.1]) by you.fuckup.org (8.12.9p2/8.12.9) with ESMTP id i33J1vTO046348; Sat, 3 Apr 2004 12:01:57 -0700 (MST) (envelope-from stephen@sonn.com)
Received: (from stain@localhost) by you.fuckup.org (8.12.9p2/8.12.8/Submit) id i33J1uLs046347; Sat, 3 Apr 2004 12:01:56 -0700 (MST) (envelope-from stephen@sonn.com)
X-Authentication-Warning: you.fuckup.org: stain set sender to stephen@sonn.com using -f
Date: Sat, 3 Apr 2004 12:01:56 -0700
From: Stephen Rozzo
To: freebsd-security@freebsd.org
Message-ID: <20040403190156.GA45280@sonn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.4.1i
X-PGP-PubKey: http://www.kaosol.net/~stain/pubkey.asc
X-PGP-Fingerprint: BCED 4293 BD7B 4C05 AB1E 3F61 15ED 3FFC 9C8A 39C6
X-Virus-Scanned: by amavisd-new
Subject: IPSec Racoon and Port Forwarding
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 03 Apr 2004 19:01:59 -0000

Hello,

I have given myself quite the headache trying to make this VPN work correctly.
I am attempting to use racoon to establish keys and construct an encrypted
tunnel between one host (A.A.A.A) with a routable IP address and another that
has a private address (10.0.0.2) with a cable modem (B.B.B.B) forwarding all
ports to the private address (10.0.0.2). Here is a quick topographic depiction
of the infrastructure:

192.168.121.0/24
------------------
        |
   _____|_____
  |           |priv_int 192.168.121.253      VPN Gateway(1)
  |           |
  |___________|pub_int A.A.A.A
        |
~~~~~~~~~~~~~ Internet ~~~~~~~~~~~~~
        |
   _____|_____
  |           |                              Cable Modem
  |           |pub_int B.B.B.B (forwarded to 10.0.0.2)
  |___________|
        |
   _____|_____
  |           |pub/priv_int 10.0.0.2         VPN Gateway(2)
  |           |
  |___________|priv_int 192.168.122.254
        |
        |
------------------
192.168.122.0/24

Here is what I have in ipsec.conf on VPN Gateway (1):

flush;
spdflush;
spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

ifconfig output:

dc0: flags=8843 mtu 1500
        inet 192.168.121.253 netmask 0xffffff00 broadcast 192.168.121.255
        ether 00:a0:cc:d1:a2:df
        media: Ethernet autoselect (100baseTX )
        status: active
dc1: flags=8843 mtu 1500
        inet A.A.A.A netmask 0xfffffff8 broadcast 216.160.154.159
        ether 00:a0:cc:62:f0:6a
        media: Ethernet autoselect (100baseTX )
        status: active
gif1: flags=8051 mtu 1280
        tunnel inet A.A.A.A --> B.B.B.B
        inet 192.168.121.253 --> 192.168.122.254 netmask 0xffffffff

VPN Gateway 2 (10.0.0.1) ipsec.conf:

spdadd 0.0.0.0/0 A.A.A.A/32 ipencap -P out ipsec esp/tunnel/10.0.0.2-A.A.A.A/require;
spdadd A.A.A.A/32 0.0.0.0/0 ipencap -P in ipsec esp/tunnel/A.A.A.A-10.0.0.2/require;

ifconfig output:

bge0: flags=8843 mtu 1500
        options=3
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:0e:7f:ff:0e:0c
        media: Ethernet autoselect (10baseT/UTP )
        status: active
xl0: flags=8843 mtu 1500
        options=3
        inet 192.168.122.254 netmask 0xffffff00 broadcast 192.168.122.255
        ether 00:04:75:8b:80:ce
        media: Ethernet autoselect (100baseTX )
        status: active
gif0: flags=8051 mtu 1280
        tunnel inet 10.0.0.2 --> A.A.A.A
        inet 192.168.122.254 --> 192.168.121.253 netmask 0xffffffff

Until I instate an SP for these two hosts I can pass traffic back and forth
to both private subnets (192.168.X.X) just fine. Once I read in these IPsec
policies I cannot get any traffic back and forth. Any suggestions? I looked
in numerous places and found no one else documenting problems or success.

Thanks
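The two ipsec.conf fragments quoted above do not mirror each other: gateway 1 expects the far tunnel endpoint to be B.B.B.B, while gateway 2 names itself as 10.0.0.2 in both of its policies and uses a wider 0.0.0.0/0 selector. The script below is an added example, not code from the original post or from racoon/setkey. It parses spdadd lines of the form shown in the message and reports, for each gateway's outbound tunnel policy, whether the peer has an inbound policy with covering selectors and the same esp/tunnel endpoints, and it flags RFC 1918 tunnel endpoints, which an Internet peer can never see. All function names are this example's own; the addresses are constructed placeholders (198.51.100.1 stands in for A.A.A.A and 203.0.113.5 for B.B.B.B, both from the RFC 5737 documentation ranges).

```python
"""SPD mirror check for two setkey(8)/ipsec.conf gateways.

Added example, not code from the original post.  It parses spdadd lines of
the form shown in the message and reports where one gateway's outbound
tunnel policy has no matching inbound policy on the peer.  Addresses and
function names are this example's own: 198.51.100.1 stands in for A.A.A.A
and 203.0.113.5 for B.B.B.B (constructed, RFC 5737 ranges).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# spdadd SRC DST UPPERSPEC -P DIR ipsec esp/tunnel/TUNSRC-TUNDST/LEVEL ;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;"
)

# RFC 1918 space: a tunnel endpoint here is never what an Internet peer sees.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str
    tun_src: ipaddress.IPv4Address
    tun_dst: ipaddress.IPv4Address
    level: str


def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd lines; flush/spdflush, comments and blank lines are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("flush;", "spdflush;"):
            continue
        m = SPDADD_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised policy line: {line}")
        policies.append(Policy(
            src=ipaddress.ip_network(m["src"]), dst=ipaddress.ip_network(m["dst"]),
            proto=m["proto"], direction=m["dir"],
            tun_src=ipaddress.ip_address(m["tsrc"]), tun_dst=ipaddress.ip_address(m["tdst"]),
            level=m["level"],
        ))
    return policies


def check_tunnel(local: list[Policy], peer: list[Policy]) -> list[str]:
    """Findings for traffic `local` sends: every outbound policy needs a peer
    inbound policy whose selectors cover it and whose tunnel endpoints are the
    same, otherwise the decapsulated packet matches no SP and is discarded."""
    findings = []
    for out in (p for p in local if p.direction == "out"):
        covering = [
            p for p in peer
            if p.direction == "in" and p.proto == out.proto
            and out.src.subnet_of(p.src) and out.dst.subnet_of(p.dst)
        ]
        if not covering:
            findings.append(f"no peer inbound policy covers {out.src} -> {out.dst} {out.proto}")
            continue
        if not any(p.tun_src == out.tun_src and p.tun_dst == out.tun_dst for p in covering):
            expected = ", ".join(f"{p.tun_src}-{p.tun_dst}" for p in covering)
            findings.append(
                f"tunnel endpoint mismatch for {out.src} -> {out.dst}: local uses "
                f"esp/tunnel/{out.tun_src}-{out.tun_dst}, peer expects {expected}"
            )
    for p in local:
        for ep in (p.tun_src, p.tun_dst):
            if any(ep in net for net in RFC1918):
                findings.append(
                    f"private tunnel endpoint {ep} in policy {p.src} -> {p.dst} -P {p.direction}"
                )
    return findings


def audit(spd_a: str, spd_b: str) -> list[str]:
    """Check both directions between two gateways' SPDs."""
    a, b = parse_spd(spd_a), parse_spd(spd_b)
    return check_tunnel(a, b) + check_tunnel(b, a)


# Constructed inputs modelled on the two ipsec.conf fragments in the message.
GW1_SPD = """\
flush;
spdflush;
spdadd 198.51.100.1/32 203.0.113.5/32 ipencap -P out ipsec esp/tunnel/198.51.100.1-203.0.113.5/require;
spdadd 203.0.113.5/32 198.51.100.1/32 ipencap -P in ipsec esp/tunnel/203.0.113.5-198.51.100.1/require;
"""
GW2_SPD = """\
spdadd 0.0.0.0/0 198.51.100.1/32 ipencap -P out ipsec esp/tunnel/10.0.0.2-198.51.100.1/require;
spdadd 198.51.100.1/32 0.0.0.0/0 ipencap -P in ipsec esp/tunnel/198.51.100.1-10.0.0.2/require;
"""
# What gateway 2's SPD would look like if it sat directly on B.B.B.B (no NAT).
GW2_MIRRORED_SPD = """\
spdadd 203.0.113.5/32 198.51.100.1/32 ipencap -P out ipsec esp/tunnel/203.0.113.5-198.51.100.1/require;
spdadd 198.51.100.1/32 203.0.113.5/32 ipencap -P in ipsec esp/tunnel/198.51.100.1-203.0.113.5/require;
"""

if __name__ == "__main__":
    for f in audit(GW1_SPD, GW2_SPD) or ["SPDs mirror each other"]:
        print(f)
    print("mirrored:", audit(GW1_SPD, GW2_MIRRORED_SPD) or "no findings")
```

Run against the two constructed SPDs the check reports a tunnel endpoint mismatch for gateway 1's outbound policy, an uncovered outbound policy on gateway 2, and two private endpoints; the mirrored pair produces no findings. The mirrored set only shows what the textbook two-public-address layout looks like, it is not a fix for a gateway behind NAT: plain ESP is IP protocol 50 and carries no port number, so a cable modem rule that "forwards all ports" has nothing to match, and the peer sees B.B.B.B as the outer source rather than 10.0.0.2. Carrying IPsec across a NAT needs NAT traversal (ESP encapsulated in UDP, port 4500) negotiated by the IKE daemon on both sides.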