Date:      Fri, 27 Oct 2000 19:57:22 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        "Michael C. Cambria" <cambria@mcambria.ne.mediaone.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPSec (ESP) tunnel through ipfw/natd
Message-ID:  <20001027195722.E75251@149.211.6.64.reflexcom.com>
In-Reply-To: <200010271451.KAA00530@mcambria.noddler.com>; from cambria@mcambria.ne.mediaone.net on Fri, Oct 27, 2000 at 10:51:36AM -0400
References:  <200010271451.KAA00530@mcambria.noddler.com>

On Fri, Oct 27, 2000 at 10:51:36AM -0400, Michael C. Cambria wrote:
> 
> Hi,
> 
> I'm trying to use my laptop IPSec client to reach work from my home LAN.
> 
> The LAN uses FreeBSD ipfw/natd to map my private IP addresses to the one
> address supplied by the cable modem ISP via DHCP.  I use rc.firewall as 
> supplied with the type being OPEN (e.g. I'm just using NATD, no firewall.)
> 
> The laptop can only use IPSec in tunnel mode (corporate policy.)  However,
> it does use ESP only, no AH.  Should I be able to tunnel through ipfw/natd
> with the OPEN rc.firewall rules?  Do I need to add any?  The archives 
> turned up something about passing esp, but since OPEN passes "all", I do
> not think this applies to my situation.
> 
> At present, I only want to allow the laptop on the LAN to tunnel through
> my FreeBSD machine.

Funny you should ask. I just tested this for someone at work last
night. I was connecting through a FreeBSD firewall/NAT machine between
an IPsec-enabled Cisco router and the Cisco "client[0]" software on a
Win95 notebook from the office. They wanted to see if it would work
through NAT.

It worked fine. I must admit, all I did was set up the FreeBSD firewall
and NAT box; the person I was testing for configured the ends of the
tunnel.

One thing I did notice later reviewing the libalias code,
however. FreeBSD has no special code to support multiple IPsec
connections behind a NAT box. Right now, only one ESP "connection"
will work at a time. It actually would not be too tough to make it
work that way (using the uniqueness of the SA). Anyone else
interested?

[0] An IPsec tunnel is actually a peer-to-peer protocol. One machine
initiates the key exchange, but ESP itself has no such distinction.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
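An added illustration, not code from this list or from libalias, of the one-ESP-connection limit described in the reply above and of the per-SA tracking it suggests: a Python simulation of a NAT box's ESP handling, first keyed by IP protocol number only, then keyed by (peer, SPI). The addresses, SPIs, and all class and function names are constructed for the example.

```python
import struct

PUBLIC_IP = "203.0.113.1"  # constructed: the NAT box's ISP-assigned address
# Packets are (src_ip, dst_ip, esp_bytes); only the ESP header is in the clear.

def esp_spi(esp: bytes) -> int:
    """ESP header (RFC 2406): 32-bit SPI, then 32-bit sequence number."""
    return struct.unpack("!II", esp[:8])[0]

class ProtoOnlyNat:
    """Maps by IP protocol number only, as the mail describes for libalias:
    the last inside host to send ESP receives every inbound ESP packet."""
    owner = None
    def out(self, src, dst, esp):
        self.owner = src
        return (PUBLIC_IP, dst, esp)
    def inbound(self, src, dst, esp):
        return (src, self.owner, esp) if self.owner else None  # None = drop

class SpiNat:
    """Maps per SA, keyed by (peer, SPI). A not-yet-seen inbound SPI is bound
    to the inside host that most recently opened an outbound SA to that peer;
    this guess misbinds if two inside hosts negotiate with one peer at once."""
    def __init__(self):
        self.out_spi, self.in_spi, self.pending = {}, {}, {}
    def out(self, src, dst, esp):
        key = (dst, esp_spi(esp))
        if key not in self.out_spi:  # first packet of a new outbound SA
            self.out_spi[key] = src
            self.pending[dst] = src
        return (PUBLIC_IP, dst, esp)
    def inbound(self, src, dst, esp):
        key = (src, esp_spi(esp))
        host = self.in_spi.get(key) or self.pending.pop(src, None)
        if host is None:
            return None  # no inside host owns this SA: drop
        self.in_spi[key] = host
        return (src, host, esp)

def esp(spi, seq=1):
    return struct.pack("!II", spi, seq) + bytes(16)  # constructed opaque body

def demo(nat):
    """Hosts A and B each bring up an SA pair with one peer; return the inside
    address chosen for A's first reply, B's first reply, and a later A reply."""
    peer, a, b = "198.51.100.7", "192.168.1.10", "192.168.1.11"
    nat.out(a, peer, esp(0x1001))
    ra = nat.inbound(peer, PUBLIC_IP, esp(0x2001))  # peer's SA toward A
    nat.out(b, peer, esp(0x1002))
    rb = nat.inbound(peer, PUBLIC_IP, esp(0x2002))  # peer's SA toward B
    la = nat.inbound(peer, PUBLIC_IP, esp(0x2001, seq=2))
    return ra[1], rb[1], la[1]
```

With the protocol-only mapping, B's tunnel silently takes over A's inbound ESP; the SPI-keyed version keeps both, at the cost of the binding guess noted in its docstring.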