From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 21:24:43 2007
Date: Wed, 7 Mar 2007 22:24:42 +0100
From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
Message-ID: <20070307212442.GA1384@jayce.zen.inc>
References: <20070307170617.GA2799@zen.inc>
Subject: Re: freebsd vpn server behind nat dsl router

On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
> Thanks for your response. My freebsd vpn servers are behind the dsl
> routers at each site. The modems have firewall and NAT turned on.
> The vpn servers are part of the local LANs, and I have port-forwarding
> setup between the dsl modems and the vpn servers. E.g., when traffic comes
> from the internet destined for port 500, I forward that traffic to the vpn
> servers (192.168.x.254 on the diagram).

If your redirection only works for port 500, it won't be enough, as it
will only allow IKE negotiations, not encrypted traffic. You'll have to
add forwarding for the ESP protocol, or use the NAT-T patch and also
forward UDP port 4500.

> The freebsd servers are not running a firewall or NAT at this point. I
> don't think they need to run NAT, but I haven't decided on the firewall
> yet.
>
> So, given that situation, I don't know if the NAT changes to the kernel
> you are suggesting below would help, since NAT is happening on the dsl
> routers. I am guessing my problem is between the vpn server and the dsl
> router's NAT capability. I have done a tcpdump on the gif interface, and
> I can see the ping requests being made across it, but there's no response.
> I don't even know if the traffic is making it beyond the vpn box, let
> alone beyond the dsl modem.

The NAT-T patch I was talking about adds the kernel part of an *IPSec*
feature: support for the NAT-Traversal extension (RFCs 3947 and 3948),
which allows IPSec tunnels to be established if there is some NAT between
IPSec gates. This is exactly your setup.

The tcpdump on your GIF interface will only show you that FreeBSD
correctly routes the packet to that interface...

> About dynamic ip: The dsl routers have been configured to use the dyndns
> service, and each time the ip address changes, dyndns is updated as well.

You'll still have the problem of "detecting when the peer's IP changes".

Yvan.

--
NETASQ
http://www.netasq.com
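The reply's point is that a tcpdump on the gif interface only proves the kernel routed the packet; the useful capture is on the gateway's LAN-facing interface, where you can see whether ISAKMP (UDP/500), raw ESP (IP protocol 50) or NAT-T traffic (UDP/4500, RFCs 3947/3948) actually arrives from the router in both directions. The script below is an added example, not code from the thread or from FreeBSD: it classifies `tcpdump -n` text output per kind and direction and reports whether the router forwards only UDP/500. The packet lines, the peer address 203.0.113.10 and the gateway address 192.168.1.254 are constructed samples; the `tcpdump` output format is assumed from current tcpdump versions and may differ slightly on a 2007-era system.

```python
"""Classify IPsec-related packets from tcpdump -n text output and decide
whether the NAT router in front of a VPN gateway forwards enough.
Sample capture lines and addresses below are constructed for this example."""
import re
from collections import Counter

# Example gateway address, constructed (the thread's diagram uses 192.168.x.254).
GATEWAY = "192.168.1.254"

# Matches 'tcpdump -n' lines such as:
#   22:10:01.000001 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 1 I ident
#   22:10:02.000005 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def classify(line):
    """Return (src, dst, kind) or None for an unrecognised line.

    kind: 'ike'      ISAKMP on UDP/500
          'ike-natt' ISAKMP or NAT keepalive on UDP/4500 (RFC 3947)
          'esp-udp'  ESP encapsulated in UDP/4500 (RFC 3948)
          'esp'      raw ESP, IP protocol 50
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    ports = {m.group("sport"), m.group("dport")}
    if "500" in ports and "isakmp" in rest:
        return src, dst, "ike"
    if "4500" in ports:
        # 'NONESP-encap: isakmp' vs 'UDP-encap: ESP(' share the substring ESP,
        # so look for the ESP header marker 'ESP(' specifically.
        return src, dst, "esp-udp" if "ESP(" in rest else "ike-natt"
    if m.group("sport") is None and rest.startswith("ESP("):
        return src, dst, "esp"
    return None

def diagnose(lines, gateway=GATEWAY):
    """Count packets per (kind, direction) relative to the gateway and return
    (counts, verdict).  Verdicts:
      'no-ike'                 IKE itself is not passing in both directions
      'ok'                     encrypted traffic (ESP or ESP-in-UDP) flows both ways
      'esp-not-forwarded'      ESP leaves but never returns: router passes UDP/500
                               only; forward IP protocol 50 or use NAT-T + UDP/4500
      'udp4500-not-forwarded'  NAT-T in use but UDP/4500 is not forwarded inbound
      'no-esp'                 IKE works but no encrypted traffic was seen at all
    """
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        src, dst, kind = hit
        if dst == gateway:
            counts[(kind, "in")] += 1
        elif src == gateway:
            counts[(kind, "out")] += 1

    def both_ways(kind):
        return counts[(kind, "in")] > 0 and counts[(kind, "out")] > 0

    if not both_ways("ike") and not both_ways("ike-natt"):
        return counts, "no-ike"
    if both_ways("esp") or both_ways("esp-udp"):
        return counts, "ok"
    if counts[("esp", "out")] and not counts[("esp", "in")]:
        return counts, "esp-not-forwarded"
    if counts[("esp-udp", "out")] and not counts[("esp-udp", "in")]:
        return counts, "udp4500-not-forwarded"
    return counts, "no-esp"

# Constructed capture: router forwards UDP/500 only, so IKE completes but the
# peer's ESP never reaches the gateway (the situation described in the thread).
SAMPLE_PORT500_ONLY = [
    "22:10:01.000001 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 1 I ident",
    "22:10:01.000002 IP 192.168.1.254.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
    "22:10:01.000003 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 2/others I oakley-quick[E]",
    "22:10:01.000004 IP 192.168.1.254.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick[E]",
    "22:10:02.000005 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    "22:10:03.000006 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x2), length 116",
]

# Constructed capture: NAT-T negotiated and UDP/4500 forwarded, traffic flows.
SAMPLE_NATT_OK = [
    "22:20:01.000001 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 1 I ident",
    "22:20:01.000002 IP 192.168.1.254.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
    "22:20:01.000003 IP 203.0.113.10.4500 > 192.168.1.254.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]",
    "22:20:01.000004 IP 192.168.1.254.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]",
    "22:20:02.000005 IP 192.168.1.254.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    "22:20:02.000006 IP 203.0.113.10.4500 > 192.168.1.254.4500: UDP-encap: ESP(spi=0x11223344,seq=0x1), length 116",
    "22:20:22.000007 IP 192.168.1.254.4500 > 203.0.113.10.4500: isakmp-nat-keep-alive",
]

if __name__ == "__main__":
    for name, capture in (("port 500 only", SAMPLE_PORT500_ONLY), ("NAT-T", SAMPLE_NATT_OK)):
        counts, verdict = diagnose(capture)
        print(f"{name}: {verdict} {dict(counts)}")
```

To use it on a real capture, run `tcpdump -n -i <lan_interface> host <peer>` on the FreeBSD gateway, pipe the text into the script in place of the sample lists, and read the verdict: `esp-not-forwarded` is the symptom of a router that redirects UDP/500 but drops inbound protocol 50.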