From: Aaron Nichols
To: "Nickolay A. Kritsky"
Cc: freebsd-net@freebsd.org
Date: Thu, 28 Oct 2004 20:17:30 -0700
Subject: Re: Problems with NAT on gif interface for VPN
In-Reply-To: <62721446609.20041028214724@star-sw.com>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 28 Oct 2004 21:47:24 +0400, Nickolay A. Kritsky wrote:
> Hello Aaron,
>
> Please make sure that you have option IPSEC_FILTERGIF in your kernel.
> See LINT and -net archives for more details.
Thanks for the hint - and that makes more sense, however I think I'm still in the same position. Rather than a "problem" with ipfw however, I think I've got a fundamental problem with how to do this. If I understand correctly, in order for natd to "reverse" a divert rule (translate the destination IP back to the original IP on return traffic) the packet has to come through the same interface it was originally seen by natd on - is this correct?

For whatever reason I still seem to be unable to use gif0 for this purpose, which seems to be the closest thing to an "ipsec interface" available (I'm beginning to think it's nowhere near as useful as enc0 on OpenBSD). Thus, I'm stuck translating packets when they either enter the LAN interface or leave the WAN; the former seems the best option. The problem I have however, is that if I apply the divert rule on vr0 (LAN) then the return traffic is never transmitted out vr0 and thus never gets translated back (I assume it's dropped somewhere earlier in the process). I tried using a 'fwd' rule to push return traffic out vr0 on the return trip, but that seems to have been fruitless.

On Cisco routers I know you can do some interesting NAT tricks by using policy routing and forcing VPN traffic to an intermediate loopback interface so that all VPN traffic goes in/out the same interface before being delivered to its ultimate destination. Can I do something similar on FreeBSD? For example:

LAN to remote site:            PC -> vr0 -> some_int0 -> ipsec -> xl0 ...
Remote site response traffic:  xl0 -> ipsec -> some_int0 -> vr0 -> PC

Thus, all traffic would go in/out of 'some_int0' and I could apply divert rules there correctly.

I apologize if this doesn't make any sense to those who understand the system - evidently I don't have a strong enough understanding of the processing order to piece this together myself. At this point I think the relevant question is - does anyone know if this is possible and have any pointers to a working configuration?
Thanks again for your time and patience.

Aaron