Date: Fri, 4 May 2001 18:35:40 -0700
From: steve@Watt.COM (Steve Watt)
To: Jamie Hermans <dev-null@hermans.ca>, questions@freebsd.org
Subject: Re: VPN solutions ... using IPSEC *AND* NAT
Message-ID: <200105050135.f451ZeA13406@wattres.Watt.COM>
In-Reply-To: Jamie Hermans <dev-null@hermans.ca> "Re: VPN solutions ... using IPSEC *AND* NAT" (May 4, 19:13)
[ top post rearranged ]

On May 4, 19:13, Jamie Hermans wrote:
} On Fri, 4 May 2001 15:44:56 -0700, steve@Watt.COM (Steve Watt) wrote:
} >In article <000001c0d46e$2feb6160$6419a8c0@jamie> freebsd@hermans.ca wrote:
} >>Has anyone been successful getting IPSEC and NAT to play nicely together?
}
} >>Any pointers would be GREATLY appreciated.
} >
} >Is the machine that's doing NAT the same as the machine doing IPsec?
} It's an all-in-one server. FreeBSD 4.3 - everything standard.
}
} If I 'setkey -F && setkey -FP', then I can see the other side of the
} VPN, but I believe this removes all the security that I want IPSEC
} for?
}
} Oh ... and I'm using IPFW, not IPFILTER.

Now that sounds a whole bunch like my setup. Identical, in fact.

There are two gotchas:

If you pass traffic through natd in the order the cookbook says to, it
appears (to me) that ESP traffic doesn't make it. I.e. if you say

    add 200 divert natd all from any to any via xl0

suddenly ESP stops working. I fixed that by making the rules more
specific:

    add 200 divert natd all from any to my.external.inet.addr via xl0
    add 200 divert natd all from my.internal.net to any via xl0

Probably not optimal, but close.

However, due to the way IPsec reinjects packets, it appears that packets
*post* IPsec processing are reinjected as if they had just been received
via the same interface. Therefore anti-spoofing rules (i.e.

    add 150 deny all from my.remote.internal.net to any via xl0

) don't let IPsec packets through. Someone suggested
net.inet.ip.check_interface, but as far as I can tell from reading the
source, the machine in question can *not* be acting as a gateway for
that to work, which isn't terribly useful.

I fixed it by placing filters on my ingress router (happens to be a DSL
to ethernet router) that drop spoofed packets outside, but that wouldn't
work if I had my Northpoint DSL config, or a T1 that directly terminated
on my FreeBSD box.

Anyone else playing in this area? Is there a better mailing list for
this?
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105050135.f451ZeA13406>
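The ruleset Steve describes, written out as an added shell example that is not part of the thread: one function emits the ipfw rules in his order (anti-spoof deny first, then the two narrowed natd diverts), and a second function scans a ruleset for the broad "divert natd all from any to any" rule he reports broke ESP. The interface name xl0 comes from the message; the addresses are placeholders (TEST-NET and RFC 1918 ranges) and the rule numbers 150/200 are his. The anti-spoof caveat from the message (reinjected post-IPsec packets hit the deny rule on 4.3) is noted in a comment, not solved here, since the thread gives no ipfw-side fix for it.

```shell
#!/bin/sh
# Added example, not from the original message. Builds an ipfw ruleset
# in the shape Steve Watt describes and checks it for the overly broad
# natd divert that he says stopped ESP from working.

# gen_rules IFACE EXT_ADDR INT_NET REMOTE_NET
# Prints the rules, one per line, in the order they would be added.
gen_rules() {
    iface=$1; ext=$2; intnet=$3; remote=$4
    # Anti-spoofing: the remote site's internal net must never appear as
    # a source on the outside interface. Caveat from the message: on
    # FreeBSD 4.3 decapsulated IPsec packets are reinjected as if received
    # on the same interface, so this rule also drops the tunnel's own
    # traffic; Steve moved this filter to his upstream router instead.
    printf 'add 150 deny all from %s to any via %s\n' "$remote" "$iface"
    # Divert only traffic that actually needs translation, instead of
    # 'all from any to any via IFACE', which also swallowed ESP.
    printf 'add 200 divert natd all from any to %s via %s\n' "$ext" "$iface"
    printf 'add 200 divert natd all from %s to any via %s\n' "$intnet" "$iface"
}

# check_rules: read a ruleset on stdin; return 1 if the broad divert that
# catches ESP to/from the box's own external address is present.
check_rules() {
    if grep -q 'divert natd all from any to any'; then
        echo "broad natd divert found: ESP would be diverted into natd" >&2
        return 1
    fi
    return 0
}

# Usage (placeholder addresses, constructed for this example):
#   gen_rules xl0 192.0.2.1 10.0.0.0/24 10.1.0.0/24 | check_rules
```

Pipe an existing ruleset (e.g. the output of "ipfw list") into check_rules to see whether the cookbook-style catch-all divert is in place before debugging a tunnel that passes traffic only after "setkey -F".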