Date: Fri, 27 Oct 2000 19:57:22 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: "Michael C. Cambria" <cambria@mcambria.ne.mediaone.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPSec (ESP) tunnel through ipfw/natd
Message-ID: <20001027195722.E75251@149.211.6.64.reflexcom.com>
In-Reply-To: <200010271451.KAA00530@mcambria.noddler.com>; from cambria@mcambria.ne.mediaone.net on Fri, Oct 27, 2000 at 10:51:36AM -0400
References: <200010271451.KAA00530@mcambria.noddler.com>
On Fri, Oct 27, 2000 at 10:51:36AM -0400, Michael C. Cambria wrote:
>
> Hi,
>
> I'm trying to use my laptop IPSec client to reach work from my home LAN.
>
> The LAN uses FreeBSD ipfw/natd to map my private IP addresses to the one
> address supplied by the cable modem ISP via DHCP. I use rc.firewall as
> supplied with the type being OPEN (e.g. I'm just using NATD, no firewall.)
>
> The laptop can only use IPSec in tunnel mode (corporate policy.) However,
> it does use ESP only, no AH. Should I be able to tunnel through ipfw/natd
> with the OPEN rc.firewall rules? Do I need to add any? The archives
> turned up something about passing esp, but since OPEN passes "all", I do
> not think this applies to my situation.
>
> At present, I only want to allow the laptop on the LAN to tunnel through
> my FreeBSD machine.

Funny you should ask. I just tested this for someone at work last night. I
was connecting through a FreeBSD firewall/NAT machine between an
IPsec-enabled Cisco router and the Cisco "client[0]" software on a Win95
notebook from the office. They wanted to see if it would work through NAT.
It worked fine.

I must admit, all I did was set up the FreeBSD firewall and NAT box; the
person I was testing for configured the ends of the tunnel.

One thing I did notice later reviewing the libalias code, however. FreeBSD
has no special code to support multiple IPsec connections behind a NAT box.
Right now, only one ESP "connection" will work at a time. It actually would
not be too tough to make it work that way (using the uniqueness of the SA).
Anyone else be interested?

[0] An IPsec tunnel is actually a peer-to-peer protocol. One machine
initiates the key exchange, but ESP itself has no such distinction.

-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
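The limitation Crist describes, and the SPI-keyed fix he sketches, come down to one fact: ESP has no port numbers, so a NAT has only the 32-bit SPI in the ESP header to tell inside hosts apart. The following is an added illustration written for this page; it is not FreeBSD libalias code and does not reproduce its data structures. It parses constructed IPv4+ESP packets, models a NAT that keeps a single ESP slot (the "one connection at a time" behaviour in the reply) beside one that keys its state on the SPI, and runs two inside hosts through each. All addresses, SPIs and the pairing rule for an unknown inbound SPI are assumptions made for the example.

```python
"""Toy ESP-through-NAT demultiplexer (added illustration, not libalias code).

ESP carries no ports, so the only per-flow identifier a NAT can see is the
32-bit SPI. Outbound SPIs are chosen by the remote peer, inbound SPIs by the
inside host, and nothing in ESP links the two, which is the crux of the
problem. Addresses and SPIs below are constructed sample data.
"""
import struct

ESP_PROTO = 50

def build_ip_esp(src, dst, spi, seq, payload=b"\x00" * 8):
    """Minimal IPv4 header (checksum left 0, it's a constructed sample) + ESP."""
    total = 20 + 8 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + struct.pack("!II", spi, seq) + payload

def parse_ip_esp(pkt):
    """Return (src, dst, spi, seq) for an IPv4/ESP packet, else None."""
    if len(pkt) < 28 or pkt[9] != ESP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return src, dst, spi, seq

class SingleSlotNat:
    """Models the reply: one ESP 'connection' behind the NAT at a time.
    The first inside host to send ESP owns the protocol; others are dropped."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.inside = None

    def outbound(self, src, dst, spi):
        if self.inside is None:
            self.inside = src
        if src != self.inside:
            return None                      # second host: no slot, dropped
        return (self.public_ip, dst, spi)

    def inbound(self, src, dst, spi):
        if self.inside is None:
            return None
        return (src, self.inside, spi)       # everything goes to the one owner

class SpiKeyedNat:
    """Sketch of 'using the uniqueness of the SA': state keyed on SPI.
    Assumed pairing rule: an unknown inbound SPI is bound to the inside host
    whose new outbound SA is still unmatched, but only if exactly one is."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.out_by_spi = {}   # outbound SPI -> inside host
        self.in_by_spi = {}    # inbound SPI  -> inside host
        self.pending = []      # inside hosts with an unmatched outbound SA

    def outbound(self, src, dst, spi):
        owner = self.out_by_spi.get(spi)
        if owner is None:
            self.out_by_spi[spi] = src
            if src not in self.pending:
                self.pending.append(src)
        elif owner != src:
            return None                      # two peers picked the same SPI
        return (self.public_ip, dst, spi)

    def inbound(self, src, dst, spi):
        inside = self.in_by_spi.get(spi)
        if inside is None:
            if len(self.pending) != 1:
                return None                  # ambiguous (0 or 2+ candidates)
            inside = self.pending.pop()
            self.in_by_spi[spi] = inside
        return (src, inside, spi)

REMOTE, PUBLIC = "198.51.100.1", "203.0.113.7"   # constructed addresses
HOSTS = [("10.0.0.10", 0x1111, 0xAAAA), ("10.0.0.11", 0x2222, 0xBBBB)]

def run_sequential(nat_cls):
    """Two inside hosts bring tunnels up one after the other.
    Returns, per host, how many of its two packets the NAT forwarded correctly."""
    nat, results = nat_cls(PUBLIC), {}
    for host, out_spi, in_spi in HOSTS:
        ok = 0
        src, dst, spi, _ = parse_ip_esp(build_ip_esp(host, REMOTE, out_spi, 1))
        if nat.outbound(src, dst, spi):
            ok += 1
        src, dst, spi, _ = parse_ip_esp(build_ip_esp(REMOTE, PUBLIC, in_spi, 1))
        fwd = nat.inbound(src, dst, spi)
        if fwd and fwd[1] == host:
            ok += 1
        results[host] = ok
    return results

def run_simultaneous(nat_cls):
    """Both hosts send before either reply arrives: the first inbound SPI
    cannot be attributed from ESP alone, so the SPI-keyed NAT must drop it."""
    nat = nat_cls(PUBLIC)
    nat.outbound("10.0.0.10", REMOTE, 0x1111)
    nat.outbound("10.0.0.11", REMOTE, 0x2222)
    return nat.inbound(REMOTE, PUBLIC, 0xAAAA)

if __name__ == "__main__":
    print("single slot:", run_sequential(SingleSlotNat))
    print("spi keyed:  ", run_sequential(SpiKeyedNat))
    print("simultaneous, spi keyed:", run_simultaneous(SpiKeyedNat))
```

The single-slot model passes the first host and drops the second; the SPI-keyed model passes both when they start one after the other, but still has to drop an inbound packet whose SPI it has never seen when two inside hosts are mid-setup at once, because ESP alone gives it nothing to pair the inbound SPI with. Real implementations close that gap by watching the IKE exchange on UDP/500 or, later, by encapsulating ESP in UDP (NAT-T, RFC 3948) so ordinary port-based NAT applies.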
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001027195722.E75251>