From: Tom Judge
Date: Wed, 07 Mar 2007 21:30:39 +0000
To: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
Message-ID: <45EF2EFF.5080407@tomjudge.com>
References: <20070307170617.GA2799@zen.inc>

Robert Johannes wrote:
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>
>>> My situation is rather unique, and I need an expert's eyes to
>>> glance at it and confirm whether it is doable or not. I have a simple
>>> diagram that illustrates what I am trying to do, and it is located here
>>> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg
>>
>> I'm not sure I understood exactly what you want to do, but I think
>> your setup is really common.
>>
>>> In the diag, the dsl modems have dynamic public ips on the internet
>>> side, and private ips on the lan side.
>>
>> If both DSL modems have dynamic IPs, you'll have a first problem:
>> being able to know the correct IP of your peer, then a second problem:
>> being able to detect when the peer's IP changes.
>>
>> I'll consider you are able to do that.
>>
>>> As you can see in the diag, I am trying to have the vpn traffic from the
>>> internet forwarded to the Freebsd vpn (the machines ending in .254 on
>>> each site). I have followed the Freebsd "VPN over IPsec" in the handbook,
>>> and created a tunnel between the two vpn servers; according to the
>>> handbook, I should be able to ping the vpn servers using their private
>>> network addresses, but I am not able to do that. I realize that my
>>> implementation is not exactly like the handbook's, but what do I need
>>> to do to get it to work? I have googled, and researched all over the
>>> net without much progress.
>>>
>>> I have seen a lot of messages related to nat and enabling vpn
>>> passthrough on different dsl modems and so forth, which I have tried
>>> to do, but still, no progress.
>>
>> Some information:
>>
>> - FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
>>   forget that part and use directly IPSec tunnels without Gif
>>   interfaces.
>>
>> - You'll probably need NAT-T support so your VPN tunnel will be more
>>   likely to work (well, it may work without NAT-T, but it is more
>>   complex and needs lots of constraints between both FreeBSD gates).
>>   Make a quick search on freebsd-net, get the kernel patch from
>>   http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel
>>   with NAT-T support, reinstall your world, then recompile/reinstall
>>   the ipsec-tools port.
>>
>> - When your tunnel is up, you'll probably want to lower the
>>   TCPMSS for traffic which goes through the tunnel, but this is
>>   another story :-)
>>
>
> Thanks for your response. My freebsd vpn servers are behind the dsl
> routers at each site. The modems have firewall and NAT turned on.
> The vpn servers are part of the local LANs, and I have port-forwarding
> set up between the dsl modems and the vpn servers. E.g., when traffic
> comes from the internet destined for port 500, I forward that traffic to
> the vpn servers (192.168.x.254 on the diagram).
>
> The freebsd servers are not running a firewall or NAT at this point. I
> don't think they need to run NAT, but I haven't decided on the firewall
> yet.
>
> So, given that situation, I don't know if the NAT changes to the kernel
> you are suggesting below would help, since NAT is happening on the dsl
> routers. I am guessing my problem is between the vpn server and the dsl
> router's NAT capability. I have done a tcpdump on the gif interface,
> and I can see the ping requests being made across it, but there's no
> response. I don't even know if the traffic is making it beyond the vpn
> box, let alone beyond the dsl modem.
>
> About dynamic ip: The dsl routers have been configured to use the dyndns
> service, and each time the ip address changes, dyndns is updated as well.
>
> So, any other insight into this situation?

If you are using IPSec with ESP as per the handbook you will need to NAT
the ESP packets back to the internal VPN routers. As ESP is an IP payload
protocol, not a TCP/UDP payload protocol, your DSL router will probably
not be able to do this. I would suggest you go with Yvan's suggestion of
doing away with gif and adding the nat-t support to ipsec.

Alternatively you could use a UDP/TCP based vpn solution such as openvpn
(in ports and http://openvpn.net/) which will be fully compatible with
your nat setup. openvpn will also be tolerant to remote end points
changing ip address while the vpn link is active (which comes in handy
when used in combination with a dynamic dns service).

Tom
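The point Tom makes above (a port-forwarding DSL router has nothing to match on for plain ESP, whereas IKE on UDP/500 and NAT-T traffic on UDP/4500 carry port numbers it can forward) can be shown with a small packet model. The following is an added example, not code from the thread or from FreeBSD or ipsec-tools: it builds three constructed IPv4 packets (IKE on UDP/500, raw ESP as IP protocol 50, and ESP encapsulated in UDP/4500 as NAT-T does) with zeroed checksums and documentation-range addresses, then runs them through a hypothetical "forward UDP port N to inside host" table of the kind the poster configured on his modems. The inside address 192.168.1.254 and the peer addresses are assumptions; the UDP/4500 framing (4-byte zero "non-ESP marker" before IKE, non-zero SPI for ESP) is the RFC 3948 layout.

```python
"""Added example: why a port-forwarding NAT passes IKE (UDP/500) and NAT-T
(UDP/4500) traffic to an inside host but cannot forward plain ESP (IP proto 50).
All packets are constructed samples with zeroed checksums."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500                      # IKE and ESP share this port once NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE inside UDP/4500; an ESP SPI is never zero


def ipv4_header(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left at zero (constructed sample)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum zero, which IPv4 permits) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_packet(spi: int, seq: int, body: bytes) -> bytes:
    """ESP: 4-byte SPI, 4-byte sequence number, then the encrypted body. No ports at all."""
    return struct.pack("!II", spi, seq) + body


def port_forward(packet: bytes, rules: Dict[int, str]) -> Tuple[str, Optional[bytes]]:
    """Apply a DSL-router-style table 'destination UDP port -> inside host'.

    Returns a reason string and the packet with its destination address rewritten
    to the inside host, or None when no rule can match the packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    transport = packet[ihl:]
    if proto == IPPROTO_UDP:
        _sport, dport = struct.unpack("!HH", transport[:4])
        inside = rules.get(dport)
        if inside is None:
            return (f"udp/{dport}: no forwarding rule", None)
        rewritten = packet[:16] + ipaddress.IPv4Address(inside).packed + packet[20:]
        return (f"udp/{dport}: forwarded to {inside}", rewritten)
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", transport[:4])
        return (f"esp spi=0x{spi:08x}: no port field, port-forwarding cannot match", None)
    return (f"ip proto {proto}: not handled", None)


def natt_payload_kind(udp_payload: bytes) -> str:
    """Inside UDP/4500 the receiver tells IKE from ESP by the leading non-ESP marker."""
    return "ike" if udp_payload[:4] == NON_ESP_MARKER else "esp"


def dst_address(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[16:20]))


# Constructed samples: remote peer 203.0.113.7 sends to the DSL router's public
# address 198.51.100.9, which should hand VPN traffic to the inside gateway.
RULES = {IKE_PORT: "192.168.1.254", NATT_PORT: "192.168.1.254"}
SRC, PUBLIC = "203.0.113.7", "198.51.100.9"
FAKE_IKE_HDR = b"\x11" * 28                     # stands in for a 28-byte IKE header

IKE_SAMPLE = ipv4_header(IPPROTO_UDP, SRC, PUBLIC, 8 + 28) + udp_datagram(IKE_PORT, IKE_PORT, FAKE_IKE_HDR)
ESP_SAMPLE = ipv4_header(IPPROTO_ESP, SRC, PUBLIC, 24) + esp_packet(0x1A2B3C4D, 1, b"\xAA" * 16)
_natt_esp = esp_packet(0x1A2B3C4D, 2, b"\xAA" * 16)
NATT_ESP_SAMPLE = ipv4_header(IPPROTO_UDP, SRC, PUBLIC, 8 + len(_natt_esp)) + udp_datagram(NATT_PORT, NATT_PORT, _natt_esp)
_natt_ike = NON_ESP_MARKER + FAKE_IKE_HDR
NATT_IKE_SAMPLE = ipv4_header(IPPROTO_UDP, SRC, PUBLIC, 8 + len(_natt_ike)) + udp_datagram(NATT_PORT, NATT_PORT, _natt_ike)

if __name__ == "__main__":
    for name, pkt in (("IKE udp/500", IKE_SAMPLE), ("plain ESP", ESP_SAMPLE),
                      ("NAT-T ESP", NATT_ESP_SAMPLE), ("NAT-T IKE", NATT_IKE_SAMPLE)):
        reason, out = port_forward(pkt, RULES)
        print(f"{name:12s} {reason}" + (f" (dst now {dst_address(out)})" if out else ""))
```

Running it shows the IKE exchange reaching the inside host while the raw ESP packets that carry the actual tunnel traffic are left with no rule to match, which is the symptom in the thread (pings visible leaving the gif interface, nothing coming back). With NAT-T the ESP travels inside UDP/4500 and the same port-forwarding table handles it.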