From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 23:15:02 2007
Date: Wed, 7 Mar 2007 17:14:37 -0600 (CST)
From: Robert Johannes
To: VANHULLEBUS Yvan
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
In-Reply-To: <20070307212442.GA1384@jayce.zen.inc>
References: <20070307170617.GA2799@zen.inc> <20070307212442.GA1384@jayce.zen.inc>

On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:

> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
>> Thanks for your response. My freebsd vpn servers are behind the dsl
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> setup between the dsl modems and the vpn servers. E.g., when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>
> If your redirection only works for port 500, it won't be enough, as it
> will only allow IKE negotiations, not encrypted traffic.
>
> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
> also forward UDP 4500 port.

Yeah, I have been trying to figure out how to forward protocols 47, 50 and
51 to the vpns without knowing whether it is successful or not. So, on to
nat-t then.

>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel
>> you are suggesting below would help, since NAT is happening on the dsl
>> routers. I am guessing my problem is between the vpn server and the dsl
>> router's NAT capability. I have done a tcpdump on the gif interface, and
>> I can see the ping requests being made across it, but there's no response.
>> I don't even know if the traffic is making it beyond the vpn box, let
>> alone beyond the dsl modem.
>
> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
> which allows IPSec tunnels to be established if there is some NAT
> between IPSec gates.
>
> This is exactly your setup.

Cool. My response above was based on not really understanding how nat
played havoc on my vpn design. It sounds like NAT-T is what I should be
doing then. Do you know if the patch was included in the 6.1 and 6.2
releases? Or perhaps in current/stable? It would be faster for me to
reload, rather than making world; the machines I am working with are AMD
K6 500MHz cpus, with 186 megs of ram.

> The tcpdump on your GIF interface will only show you that FreeBSD
> correctly routes the packet to that interface.....
>
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>
> You'll still have the problem "detecting when the peer's IP change".

I don't know yet how I will handle this; but I could probably create a
script that monitors for change in the ip address, and re-initializes vpn
services with the new ip.

> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
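The exchange above turns on two points: which forwarding rules a NAT router needs for IPsec to reach a gateway behind it (UDP 500 plus IP protocol 50 without NAT-T; UDP 500 plus UDP 4500 with NAT-T), and the fact that once NAT-T is negotiated UDP 4500 carries both IKE and UDP-encapsulated ESP. The script below is an added example, not code from this thread or from FreeBSD: it checks a router's forwarding table against each requirement, and it decodes the RFC 3948 framing on UDP 4500 (one-byte NAT keepalive, four-zero-byte non-ESP marker before IKE, otherwise an ESP header), which is what a defender would use to confirm from a capture on the VPN host that encrypted traffic is actually arriving and not just the IKE negotiation. The sample packets are constructed here for illustration; the rule format `(proto, port)` is an assumption of this example, not any router's configuration syntax.

```python
import struct

# Forwarding a NAT router must do so IPsec reaches a gateway behind it.
# Without NAT-T: IKE on UDP 500 plus IP protocol 50 (ESP) itself.
# With NAT-T (RFCs 3947/3948): IKE on UDP 500 plus UDP 4500, which then
# carries both IKE and UDP-encapsulated ESP.
# Rule format (proto, port) is an assumption of this example; port None
# means a whole-protocol forward.
REQUIRED_WITHOUT_NAT_T = {("udp", 500), ("esp", None)}
REQUIRED_WITH_NAT_T = {("udp", 500), ("udp", 4500)}


def missing_forwards(rules, nat_t):
    """Return the (proto, port) forwards the router still lacks for IPsec."""
    required = REQUIRED_WITH_NAT_T if nat_t else REQUIRED_WITHOUT_NAT_T
    return sorted(required - set(rules), key=str)


NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 sect. 2.2: precedes IKE on 4500
NAT_KEEPALIVE = b"\xff"                    # RFC 3948 sect. 2.3: one-byte keepalive
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # ISAKMP header: iSPI, rSPI, next payload,
                                           # version, exchange type, flags, msg id, length
ESP_HEADER = struct.Struct("!II")          # ESP: SPI, sequence number


def classify_udp4500(payload):
    """Classify the payload of one UDP datagram seen on port 4500.

    ESP SPI 0 is reserved and never appears on the wire, so four leading zero
    bytes unambiguously mark an IKE message rather than an ESP packet.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        _ispi, _rspi, _np, version, exch, _flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        if length != len(ike):
            return {"kind": "invalid", "reason": "IKE length field mismatch"}
        return {"kind": "ike", "version": (version >> 4, version & 0xF),
                "exchange_type": exch, "message_id": msg_id}
    if len(payload) < ESP_HEADER.size:
        return {"kind": "invalid", "reason": "shorter than an ESP header"}
    spi, seq = ESP_HEADER.unpack_from(payload)
    if spi == 0:
        return {"kind": "invalid", "reason": "ESP SPI 0 is reserved"}
    return {"kind": "esp", "spi": spi, "sequence": seq,
            "encrypted_len": len(payload) - ESP_HEADER.size}


def sample_ike_on_4500():
    """Constructed sample: IKEv1 header (exchange type 2, identity protection), no payloads."""
    ike = IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x10, 2, 0, 0, IKE_HEADER.size)
    return NON_ESP_MARKER + ike


def sample_esp_on_4500():
    """Constructed sample: UDP-encapsulated ESP, SPI 0xDEADBEEF, seq 7, 16 dummy bytes."""
    return ESP_HEADER.pack(0xDEADBEEF, 7) + b"\xab" * 16


if __name__ == "__main__":
    # A router that only forwards UDP 500, as in the thread, in both modes.
    only_500 = {("udp", 500)}
    print("missing without NAT-T:", missing_forwards(only_500, nat_t=False))
    print("missing with NAT-T:   ", missing_forwards(only_500, nat_t=True))
    for pkt in (sample_ike_on_4500(), sample_esp_on_4500(), NAT_KEEPALIVE, b"\x00\x00\x00\x00\x01"):
        print(classify_udp4500(pkt))
```

On the VPN host the payload bytes for `classify_udp4500` come from whatever captures UDP port 4500 (for example a packet capture on the LAN interface, not the gif interface, which as Yvan notes only shows that FreeBSD routed the packet). Seeing only "ike" results and never "esp" on 4500 is the symptom of a router that forwards the negotiation but not the encrypted traffic.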