Date: Wed, 7 Mar 2007 17:14:37 -0600 (CST)
From: Robert Johannes <rjohanne@piper.hamline.edu>
To: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
Message-ID: <Pine.LNX.4.64.0703071701360.3635@wnk.hamline.edu>
In-Reply-To: <20070307212442.GA1384@jayce.zen.inc>
References: <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu> <20070307170617.GA2799@zen.inc> <Pine.LNX.4.64.0703071146580.3635@wnk.hamline.edu> <20070307212442.GA1384@jayce.zen.inc>
On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:

> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
>> Thanks for your response. My freebsd vpn servers are behind the dsl
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> setup between the dsl modems and the vpn servers. E.g., when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>
> If your redirection only works for port 500, it won't be enough, as it
> will only allow IKE negotiations, not encrypted traffic.
>
> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
> also forward UDP 4500 port.

Yeah, I have been trying to figure out how to forward protocols 47, 50 and 51 to the vpns without knowing whether it is successful or not. So, on to nat-t then.

>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel
>> you are suggesting below would help, since NAT is happening on the dsl
>> routers. I am guessing my problem is between the vpn server and the dsl
>> router's NAT capability. I have done a tcpdump on the gif interface, and
>> I can see the ping requests being made across it, but there's no response.
>> I don't even know if the traffic is making it beyond the vpn box, let
>> alone beyond the dsl modem.
>
> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
> which allows IPSec tunnels to be established if there is some NAT
> between IPSec gates.
>
> This is exactly your setup.

Cool. My response above was based on not really understanding how nat played havoc on my vpn design. It sounds like NAT-T is what I should be doing then.

Do you know if the patch was included in the 6.1 and 6.2 releases? Or perhaps in current/stable? It would be faster for me to reload, rather than making world; the machines I am working with are amd K6 500mhz cpus, with 186megs of ram.

> The tcpdump on your GIF interface will only show you that FreeBSD
> correctly routes the packet to that interface.....
>
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>
> You'll still have the problem "detecting when the peer's IP change".

I don't know yet how I will handle this; but I could probably create a script that monitors for change in the ip address, and re-initializes vpn services with the new ip.

> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
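The thread's diagnostic gap is that a tcpdump on the gif interface only proves the packet was routed there, not that IKE (UDP 500), ESP (IP protocol 50) or NAT-T (UDP 4500) actually make it through the DSL router and back. The following is an added example, not code from the thread or from FreeBSD: it reads tcpdump-style lines captured on the VPN host's outside interface, classifies them by IPsec traffic type, counts each direction relative to the host's own address, and reports which traffic is one-way. The capture text is constructed for the example (RFC 5737 addresses stand in for the real peer), and the exact tcpdump wording for NAT-T encapsulation is assumed to match the `NONESP-encap:` / `UDP-encap:` prefixes that tcpdump prints.

```python
"""Classify tcpdump output to see which IPsec traffic types are two-way.

Added example for the port-forwarding discussion above. Feed it the text of
`tcpdump -n -i <outside_if>` taken on the VPN host; it tells you whether IKE,
NAT-T, ESP, AH or GRE packets leave the host without anything coming back,
which is what a missing forward on the router in front looks like.
"""
import re
from collections import defaultdict

# Constructed sample capture (not real traffic): the VPN host 192.168.1.254 sits
# behind a NAT router and talks to a peer at 203.0.113.20. IKE completes both
# ways, ESP goes out twice and nothing returns, one NAT-T probe is sent.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.254.500 > 203.0.113.20.500: isakmp: phase 1 I ident
12:00:01.050000 IP 203.0.113.20.500 > 192.168.1.254.500: isakmp: phase 1 R ident
12:00:02.000000 IP 192.168.1.254 > 203.0.113.20: ESP(spi=0x0000a1b2,seq=0x1), length 116
12:00:03.000000 IP 192.168.1.254 > 203.0.113.20: ESP(spi=0x0000a1b2,seq=0x2), length 116
12:00:04.000000 IP 192.168.1.254.4500 > 203.0.113.20.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:00:05.000000 IP 192.168.1.254.22 > 192.168.1.10.51000: Flags [P.], length 52
"""
LOCAL_IP = "192.168.1.254"  # the VPN host's own address on the capture interface

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
PORTED_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def split_addr(addr):
    """Split tcpdump's 'a.b.c.d.port' into (ip, port); bare IPs get port None."""
    m = PORTED_RE.match(addr)
    if m:
        return m.group(1), int(m.group(2))
    return addr, None


def classify(line):
    """Return (label, src_ip, dst_ip) for an IPsec-related line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, sport = split_addr(m.group(1))
    dst_ip, dport = split_addr(m.group(2))
    rest = m.group(3)
    if 4500 in (sport, dport):
        label = "NAT-T udp/4500"          # IKE or ESP wrapped in UDP (RFC 3947/3948)
    elif 500 in (sport, dport) and rest.startswith("isakmp"):
        label = "IKE udp/500"
    elif rest.startswith("ESP("):
        label = "ESP proto 50"
    elif rest.startswith("AH("):
        label = "AH proto 51"
    elif rest.startswith("GRE"):
        label = "GRE proto 47"
    else:
        return None                       # unrelated traffic, e.g. the ssh line above
    return label, src_ip, dst_ip


def summarize(capture, local_ip):
    """Count packets per traffic type, split into outbound and inbound."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for line in capture.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        label, src, dst = hit
        if src == local_ip:
            counts[label]["out"] += 1
        elif dst == local_ip:
            counts[label]["in"] += 1
    return dict(counts)


def diagnose(summary):
    """Turn the counts into findings; one-way traffic points at the router's forwards."""
    findings = []
    for label, c in sorted(summary.items()):
        if c["out"] and not c["in"]:
            findings.append(f"{label}: {c['out']} sent, 0 received; check that the "
                            "router in front forwards this type to the VPN host")
        elif c["in"] and c["out"]:
            findings.append(f"{label}: two-way ({c['out']} out, {c['in']} in)")
        elif c["in"]:
            findings.append(f"{label}: inbound only ({c['in']} in)")
    if "ESP proto 50" not in summary and "NAT-T udp/4500" not in summary:
        findings.append("no ESP or NAT-T at all: only IKE is being exchanged")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_CAPTURE, LOCAL_IP)):
        print(finding)
```

On the constructed capture the report shows IKE as two-way and ESP as sent-but-never-answered, which is the symptom the thread describes when only UDP 500 is forwarded. Running the same classification on a real capture from the outside interface, rather than the gif interface, separates "FreeBSD routed it" from "the peer ever saw it and replied".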