From: "Cambria, Mike" <mcambria@avaya.com>
To: freebsd-net@freebsd.org
Subject: Workaround (RE: TCP connection via IPsec machine also running natd)
Date: Mon, 7 Jan 2002 11:03:23 -0500

I'm able to work around the problem posted earlier by doing the following:

Since the machine which "eats" the received ESP packets after natd is a router for the subnet making natd necessary, I'm able to connect to this machine by establishing sessions to any of the IP addresses on the other side of natd. It works just fine.

This will suffice until I can figure out how to connect to a socket via a tunnel endpoint which is also doing natd.

MikeC

-----Original Message-----
From: Cambria, Mike
Sent: Friday, January 04, 2002 4:09 PM
To: 'freebsd-net@freebsd.org'
Cc: Cambria, Mike
Subject: TCP connection via IPsec machine also running natd

I'm having problems connecting (e.g. telnet, ssh, ftp etc.) to a machine which is at the other end of an IPsec tunnel. Passing data with machines, via this tunnel, on subnets for which the tunnel endpoint is acting as a router works just fine.

I'm using FreeBSD 4.4-Stable (cvsup'ed shortly after 4.4-Release) and have an IPsec tunnel from one subnet at home to a machine at a friend's house. The subnet at home is behind ipfw/natd and uses a cable modem (i.e. one IP address) to access the Internet. I'm using ipfw "simple" with one addition to allow incoming TCP traffic from the friend's machine (also FreeBSD 4.4).

This _works_ fine for traffic to/from the subnet. Encrypted packets hit divert, get counted on the ipfw allow esp rule, are decrypted and are then routed to the destination machine, and vice versa.

Problems exist only with traffic from the remote (friend's) machine that terminates at the ipfw/natd machine itself. The IKE (racoon) ISAKMP-SA is established just fine, an IPsec-SA is established for both directions, and the remote machine sends the (e.g.) telnet traffic encrypted. The counters for ipfw show the packet hitting the divert rule and the ESP packet has been received. However, the connection never seems to make it to telnetd. Before setting up IPsec, this worked just fine.

I tried again using the sock program (see Unix Network Programming, Vol. 1, 2nd ed.) to have more control, rule out inetd etc., with the same results. sock -s never returns from the listen call.

As I said earlier, packets which route through ipfw/natd get decrypted and make it to the remote subnet just fine.

Looking at 'ipfw -a l' it seems that the ESP packets are being received _after_ being diverted to natd, but just not sent to the socket:

[deleted]
01600 20 4384 divert 8668 ip from any to any via vx0
01700 0 0 deny ip from 10.0.0.0/8 to any via vx0
01800 0 0 deny ip from 172.16.0.0/12 to any via vx0
01900 0 0 deny ip from 192.168.0.0/16 to any via vx0
02000 0 0 deny ip from 0.0.0.0/8 to any via vx0
02100 0 0 deny ip from 169.254.0.0/16 to any via vx0
02200 0 0 deny ip from 192.0.2.0/24 to any via vx0
02300 0 0 deny ip from 224.0.0.0/4 to any via vx0
02400 0 0 deny ip from 240.0.0.0/4 to any via vx0
02500 19 4272 allow tcp from any to any established
    (an ssh session I have up to gather info on one PC)
02600 0 0 allow ip from any to any frag
02700 0 0 allow udp from any to any 500
02800 0 0 allow udp from any 500 to any
02900 1 112 allow esp from any to any
    (the encrypted packet)
[deleted]
03500 0 0 allow tcp from to setup
[rest deleted]

Any thoughts on where to look next? I don't see any counters for "deny" rules going up, so I'm guessing that the decrypted packet isn't getting dropped due to one of my ipfw rules. I also notice that the counter on my firewall rule which explicitly allows session setup from my friend's machine is not incrementing.

Any help appreciated.

Thanks,
MikeC

Michael C. Cambria
Consulting Engineer
Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
300 Baker Avenue
Concord, Massachusetts 01742
voice: (978) 287 - 2807
fax: (978) 381 - 6415
email: mcambria@avaya.com
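The diagnosis above rests on reading which rule counters moved between two looks at 'ipfw -a l'. The following shell helper is an added example, not code from the thread or from FreeBSD: it takes two snapshots of that listing as text, diffs the per-rule packet and byte counters, and prints only the rules that saw traffic in between. The "before" snapshot is constructed from the rule lines quoted in the post (with a placeholder 'allow tcp from any to any setup' standing in for the setup rule whose addresses are not shown); the "after" snapshot is a hypothetical second sample taken after one connection attempt, so the deltas are illustrative, not the poster's data.

```sh
#!/bin/sh
# Added example: diff two `ipfw -a l` snapshots to see which rules' counters
# moved during one connection attempt. Not from the original thread.

# Constructed "before" snapshot, based on the rule lines quoted in the post.
# Rule 03500 is a placeholder; the post does not show its addresses.
BEFORE='01600 20 4384 divert 8668 ip from any to any via vx0
01700 0 0 deny ip from 10.0.0.0/8 to any via vx0
02500 19 4272 allow tcp from any to any established
02900 1 112 allow esp from any to any
03500 0 0 allow tcp from any to any setup'

# Hypothetical "after" snapshot: one ESP packet arrived (+1 on 02900) and two
# packets of an existing ssh session passed (+2 on 02500); every packet on vx0
# is counted on the divert rule first, so 01600 moves by the sum of both.
AFTER='01600 23 4716 divert 8668 ip from any to any via vx0
01700 0 0 deny ip from 10.0.0.0/8 to any via vx0
02500 21 4492 allow tcp from any to any established
02900 2 224 allow esp from any to any
03500 0 0 allow tcp from any to any setup'

# ipfw_counter_diff BEFORE AFTER
# Prints "<rule> +<pkts> pkts +<bytes> bytes <rule text>" for each rule whose
# packet counter changed. Lines whose first field is not a rule number
# (commentary such as "[deleted]") are ignored.
ipfw_counter_diff() {
    { printf '%s\n' "$1"; printf '%s\n' '--'; printf '%s\n' "$2"; } |
    awk '
        /^--$/ { after = 1; next }        # separator between the two snapshots
        $1 !~ /^[0-9]+$/ { next }         # skip non-rule lines
        !after { pk[$1] = $2; by[$1] = $3; next }
        {
            dp = $2 - pk[$1]; db = $3 - by[$1]
            if (dp != 0) {
                rule = ""
                for (i = 4; i <= NF; i++) rule = rule " " $i
                printf "%s +%d pkts +%d bytes%s\n", $1, dp, db, rule
            }
        }'
}

# Stand-alone run: show which rules saw traffic between the two samples.
ipfw_counter_diff "$BEFORE" "$AFTER"
```

Usage on a live box: save 'ipfw -a l' to a variable or file, make exactly one connection attempt from the remote end, save it again, and feed both to the function. A rule whose counter did not move never saw the packet on that pass through ipfw; in the post's case the allow esp rule moves while the setup rule does not, which is the observation the question is built on.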