Date: Sun, 17 Dec 2000 15:52:41 +1100
From: Dominic Marshall <Dominic.Marshall@kesoftware.com>
To: freebsd-questions@FreeBSD.ORG
Subject: IPSEC, NATD & IPFW
Message-ID: <3A3C4699.EA2703E9@kesoftware.com>
Hi there,

I have a home network made up of a FreeBSD box and a Windows PC. This network runs on the 192.168.1.0/24 range. The FreeBSD box is running ipfw and natd so that I can communicate with the outside world through the one IP address that I have been allocated from my ISP. I have set up an IPsec tunnel between my FreeBSD box at home and another at work. Everything is running smoothly except for one minor problem. I have no difficulty connecting to my work machines from the Windows PC, but I am unable to do so from the FreeBSD box. I have viewed natd -v: the FreeBSD box uses the allocated IP address and has no translations, while the PC has its internal address (192.168.1.2) translated. If I remove the natd divert rule from my firewall then I am able to connect to my work machines from the FreeBSD box and not from the PC (as expected). I have tested individual parts of the system, i.e. ipfw by itself, then with IPsec and then with natd. Everything runs fine until I run all three, and the problem only occurs with the internal FreeBSD machine. Running tcpdump and natd -v shows that the ESP tunnel is passing the packets correctly. The problem is that my end times out when I try to connect to work even though the packets are being transferred. Having waited nearly a week on this I am now appealing to higher authorities for some assistance.
I am running Release 4.1.1 and am using the following configurations (IP addresses have been changed for obvious reasons):

setkey configuration:

spdadd 209.58.6.0/24 209.5.53.22 any -P in ipsec esp/tunnel/209.58.6.4-209.5.53.22/require;
spdadd 209.5.53.22 209.58.6.0/24 any -P out ipsec esp/tunnel/209.5.53.22-209.58.6.4/require;
add 209.58.6.4 209.5.53.22 esp 0x10001 -m tunnel -E blowfish-cbc "1234567" -A hmac-md5 "6543210987654321" ;
add 209.5.53.22 209.58.6.4 esp 0x10002 -m tunnel -E blowfish-cbc "7654321" -A hmac-md5 "1234567890123456" ;

ifconfig:

ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:c0:26:30:02:c2
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
        inet 209.5.53.22 --> 209.5.53.7 netmask 0xffffff00

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            209.5.53.7         UGSc        4      121      ppp0
127.0.0.1          127.0.0.1          UH          1       41       lo0
192.168.1          link#1             UC          0        0       ed0 =>
192.168.1.1        0:c0:26:30:2:c2    UHLW        0        0       lo0
192.168.1.2        0:0:21:27:8d:d2    UHLW        2       80       ed0    254
209.5.53.7         209.5.53.22        UH          1        0      ppp0
209.5.53.22        127.0.0.1          UH          0        0       lo0

rc.conf:

natd_enable="YES"
natd_interface="ppp0"
natd_flags="-u -dynamic"

rc.firewall:

    # Stop spoofing
    ${fwcmd} add deny log all from 192.168.1.0/24 to any in via ppp0
    ${fwcmd} add deny log all from 209.5.53.22 to any in via ppp0

    #
    # Make sure that none of our packets go out
    #
    ${fwcmd} add deny log all from 192.168.1.0/24 to 192.168.1.0/24 out via ppp0

    # Network Address Translation.  This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules.
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}

    # Allow TCP outgoing connections
    ${fwcmd} add pass tcp from 209.5.53.22 to any setup
    ${fwcmd} add pass tcp from 192.168.1.0/24 to any setup

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow TCP incoming connections from work
    ${fwcmd} add pass all from 209.58.6.0/24 to 209.5.53.22

    # Allow all our local network packets through
    ${fwcmd} add pass all from 192.168.1.0/24 to 192.168.1.0/24

    # Allow ICMP packets to pass through
    ${fwcmd} add pass icmp from any to any

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to 209.5.53.22 25 setup

    # Allow access to our DNS
    ${fwcmd} add pass tcp from any to 209.5.53.22 53 setup
    ${fwcmd} add pass udp from any to 209.5.53.22 53
    ${fwcmd} add pass udp from 209.5.53.22 53 to any

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from 209.5.53.22 to any 53
    ${fwcmd} add pass udp from any 53 to 209.5.53.22

    # Allow routed packets to us
    ${fwcmd} add pass tcp from any to 209.5.53.22 520 setup
    ${fwcmd} add pass udp from any to 209.5.53.22 520
    ${fwcmd} add pass udp from 209.5.53.22 520 to any

    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to 209.5.53.22 80 setup

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.
    ${fwcmd} add reset log tcp from any to any
    ${fwcmd} add reject log udp from any to any
    ${fwcmd} add reject log all from any to any
    ;;

Has anyone experienced this problem? If so, how can my configuration be changed so that my FreeBSD box can connect directly to my work machines?
Thanks in anticipation,
Dominic
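The check a reader of this post would want before touching the kernel is simply what the rule list above does with each kind of packet, since ipfw is first-match and the divert sits before the RFC1918 checks on purpose. The following is an added example, not part of Dominic's message and not a statement of what his 4.1.1 kernel does: a small Python model of ipfw first-match evaluation over the posted rules, with a crude stand-in for natd -u. Assumptions, all mine: ${oif} is taken to be ppp0 (the post never sets it); natd is modelled as rewriting a private source address to the alias address on outbound packets only, with no port mapping and no inbound state; ESP packets are fed to the list as-is, which shows what the rules would do with such a packet, not whether the kernel presents the encapsulated packet to ipfw on output. The packets are constructed, not captures.

```python
# Added example: first-match model of the posted ipfw rules. Not from the post.
import ipaddress

ALIAS = "209.5.53.22"   # natd alias address for ppp0 (from the post)
OIF = "ppp0"            # ASSUMPTION: value of ${oif}; the post never sets it


def rule(action, proto="all", src="any", dst="any", sport=None, dport=None,
         direction=None, via=None, setup=False, established=False):
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport,
                dport=dport, direction=direction, via=via, setup=setup,
                established=established)


# The posted rules, in list order (ipfw evaluates them top to bottom).
RULES = [
    rule("deny", src="192.168.1.0/24", direction="in", via="ppp0"),
    rule("deny", src=ALIAS, direction="in", via="ppp0"),
    rule("deny", src="192.168.1.0/24", dst="192.168.1.0/24", direction="out", via="ppp0"),
    rule("divert", via="ppp0"),                       # natd
    rule("deny", src="10.0.0.0/8", via=OIF),
    rule("deny", src="172.16.0.0/12", via=OIF),
    rule("deny", src="192.168.0.0/16", via=OIF),
    rule("pass", proto="tcp", src=ALIAS, setup=True),
    rule("pass", proto="tcp", src="192.168.1.0/24", setup=True),
    rule("pass", proto="tcp", established=True),
    rule("pass", src="209.58.6.0/24", dst=ALIAS),     # "incoming connections from work"
    rule("pass", src="192.168.1.0/24", dst="192.168.1.0/24"),
    rule("pass", proto="icmp"),
    rule("pass", proto="tcp", dst=ALIAS, dport=25, setup=True),
    rule("pass", proto="tcp", dst=ALIAS, dport=53, setup=True),
    rule("pass", proto="udp", dst=ALIAS, dport=53),
    rule("pass", proto="udp", src=ALIAS, sport=53),
    rule("pass", proto="udp", src=ALIAS, dport=53),
    rule("pass", proto="udp", sport=53, dst=ALIAS),
    rule("pass", proto="tcp", dst=ALIAS, dport=520, setup=True),
    rule("pass", proto="udp", dst=ALIAS, dport=520),
    rule("pass", proto="udp", src=ALIAS, sport=520),
    rule("pass", proto="tcp", dst=ALIAS, dport=80, setup=True),
    rule("reset", proto="tcp"),
    rule("reject", proto="udp"),
    rule("reject"),                                   # default deny
]


def packet(proto, src, dst, direction, iface="ppp0", sport=None, dport=None, flags=()):
    return dict(proto=proto, src=src, dst=dst, direction=direction, iface=iface,
                sport=sport, dport=dport, flags=set(flags))


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, p):
    flags = p["flags"]
    return (
        (r["proto"] == "all" or r["proto"] == p["proto"])
        and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
        and (r["sport"] is None or r["sport"] == p["sport"])
        and (r["dport"] is None or r["dport"] == p["dport"])
        and (r["direction"] is None or r["direction"] == p["direction"])
        and (r["via"] is None or r["via"] == p["iface"])   # "via" = in or out on that interface
        and (not r["setup"] or ("syn" in flags and "ack" not in flags))
        and (not r["established"] or bool(flags & {"ack", "rst"}))
    )


def natd(p):
    """ASSUMED model of natd -u: alias private sources outbound, touch nothing else (ESP included)."""
    p = dict(p)
    if p["direction"] == "out" and ipaddress.ip_address(p["src"]).is_private:
        p["src"] = ALIAS
    return p


def first_match(p):
    """Return (rule index, action, source address as the terminating rule saw it).

    A divert hands the packet to natd and evaluation resumes at the next rule,
    which is how ipfw treats a packet natd writes back to the divert socket.
    """
    for i, r in enumerate(RULES):
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            p = natd(p)
            continue
        return i, r["action"], p["src"]
    raise AssertionError("the list ends on an unconditional reject")


# Constructed packets, not captures from the post.
CASES = {
    "box SYN to work host":      packet("tcp", ALIAS, "209.58.6.10", "out", sport=1025, dport=22, flags=("syn",)),
    "PC SYN to work host":       packet("tcp", "192.168.1.2", "209.58.6.10", "out", sport=1025, dport=22, flags=("syn",)),
    "ESP out to work gateway":   packet("esp", ALIAS, "209.58.6.4", "out"),
    "ESP in from work gateway":  packet("esp", "209.58.6.4", ALIAS, "in"),
    "spoofed private source in": packet("tcp", "192.168.1.9", ALIAS, "in", dport=80, flags=("syn",)),
}

if __name__ == "__main__":
    for name, p in CASES.items():
        idx, action, src = first_match(p)
        print(f"{name:28s} -> rule {idx:2d} {action:6s} (src seen as {src})")
```

Run as a script it prints one line per case. The PC row shows why the divert is placed before the RFC1918 denies: by the time those rules run, the source has already been rewritten to 209.5.53.22. The two ESP rows are the ones worth staring at: the "from 209.58.6.0/24 to 209.5.53.22" rule passes ESP inbound, but nothing in the list passes protocol 50 outbound from 209.5.53.22 to 209.58.6.4, so if the kernel does run the encapsulated packet through ipfw on ppp0 it would land on the final reject. Whether the 4.1.1 kernel does that is not something the post establishes; the model only says what the rules would do.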
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A3C4699.EA2703E9>