Date:      Sun, 17 Dec 2000 15:52:41 +1100
From:      Dominic Marshall <Dominic.Marshall@kesoftware.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   IPSEC, NATD & IPFW
Message-ID:  <3A3C4699.EA2703E9@kesoftware.com>

Hi there,

I have a home network made up of a FreeBSD box and a Windows PC. This
network runs on the 192.168.1.0/24 range. The FreeBSD box is running ipfw
and natd so that I can communicate with the outside world through the
one IP address that I have been allocated from my ISP.

I have set up an ipsec tunnel between my FreeBSD box at home and
another at work. Everything is running smoothly except for one minor
problem. I have no difficulty connecting to my work machines from the
Windows PC, but I am unable to do so from the FreeBSD box.

I have viewed natd -v, and the FreeBSD box uses the allocated IP address
and has no translations, while the PC has its internal address
(192.168.1.2) translated. If I remove the natd divert rule from my
firewall then I am able to connect to my work machines from the FreeBSD
box and not from the PC (as expected).

I have tested individual parts of the system, i.e. ipfw by itself, then
with ipsec and then with natd. Everything runs fine until I run all three,
and the problem only occurs with the internal FreeBSD machine. Running
tcpdump and natd -v shows that the ESP tunnel is passing the packets
correctly. The problem is that my end times out when I try to connect to
work even though the packets are being transferred.

Having waited nearly a week on this I am now appealing to higher
authorities for some assistance.

I am running Release 4.1.1 and am using the following configurations:
(IP addresses have been changed for obvious reasons)

spdadd 209.58.6.0/24 209.5.53.22 any -P in ipsec
 esp/tunnel/209.58.6.4-209.5.53.22/require;
spdadd 209.5.53.22 209.58.6.0/24 any -P out ipsec
 esp/tunnel/209.5.53.22-209.58.6.4/require;
add 209.58.6.4 209.5.53.22 esp 0x10001 -m tunnel
 -E blowfish-cbc "1234567"
 -A hmac-md5 "6543210987654321" ;
add 209.5.53.22 209.58.6.4 esp 0x10002 -m tunnel
 -E blowfish-cbc "7654321"
 -A hmac-md5 "1234567890123456" ;

ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
 ether 00:c0:26:30:02:c2
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
 inet 209.5.53.22 --> 209.5.53.7 netmask 0xffffff00

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use   Netif Expire
default            209.5.53.7         UGSc         4     121    ppp0
127.0.0.1          127.0.0.1          UH           1      41     lo0
192.168.1          link#1             UC           0       0     ed0 =>
192.168.1.1        0:c0:26:30:2:c2    UHLW         0       0     lo0
192.168.1.2        0:0:21:27:8d:d2    UHLW         2      80     ed0    254
209.5.53.7         209.5.53.22        UH           1       0    ppp0
209.5.53.22        127.0.0.1          UH           0       0     lo0

natd_enable="YES"
natd_interface="ppp0"
natd_flags="-u -dynamic"

 # Stop spoofing
 ${fwcmd} add deny log all from 192.168.1.0/24 to any in via ppp0
 ${fwcmd} add deny log all from 209.5.53.22 to any in via ppp0

 #
 # Make sure that none of our packets go out
 #
 ${fwcmd} add deny log all from 192.168.1.0/24 to 192.168.1.0/24 out via ppp0

 # Network Address Translation.  This rule is placed here deliberately
 # so that it does not interfere with the surrounding address-checking
 # rules.
 case ${natd_enable} in
 [Yy][Ee][Ss])
  if [ -n "${natd_interface}" ]; then
   ${fwcmd} add divert natd all from any to any via ${natd_interface}
  fi
  ;;
 esac

 # Stop RFC1918 nets on the outside interface
 ${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
 ${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
 ${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}

 # Allow TCP outgoing connections
 ${fwcmd} add pass tcp from 209.5.53.22 to any setup
 ${fwcmd} add pass tcp from 192.168.1.0/24 to any setup

 # Allow TCP through if setup succeeded
 ${fwcmd} add pass tcp from any to any established

 # Allow TCP incoming connections from work
 ${fwcmd} add pass all from 209.58.6.0/24 to 209.5.53.22

 # Allow all our local network packets through
 ${fwcmd} add pass all from 192.168.1.0/24 to 192.168.1.0/24

 # Allow ICMP packets to pass through
 ${fwcmd} add pass icmp from any to any

 # Allow setup of incoming email
 ${fwcmd} add pass tcp from any to 209.5.53.22 25 setup

 # Allow access to our DNS
 ${fwcmd} add pass tcp from any to 209.5.53.22 53 setup
 ${fwcmd} add pass udp from any to 209.5.53.22 53
 ${fwcmd} add pass udp from 209.5.53.22 53 to any

 # Allow DNS queries out in the world
 ${fwcmd} add pass udp from 209.5.53.22 to any 53
 ${fwcmd} add pass udp from any 53 to 209.5.53.22

 # Allow routed packets to us
 ${fwcmd} add pass tcp from any to 209.5.53.22 520 setup
 ${fwcmd} add pass udp from any to 209.5.53.22 520
 ${fwcmd} add pass udp from 209.5.53.22 520 to any

 # Allow access to our WWW
 ${fwcmd} add pass tcp from any to 209.5.53.22 80 setup

 # Everything else is denied by default, unless the
 # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 # config file.
 ${fwcmd} add reset log tcp from any to any
 ${fwcmd} add reject log udp from any to any
 ${fwcmd} add reject log all from any to any
 ;;

Has anyone experienced this problem? If so, how can my configuration be
changed so that my FreeBSD box can connect directly to my work machines?

Thanks in anticipation,

Dominic
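As an added illustration (not the poster's script and not FreeBSD code), here is a toy first-match walk over a subset of the rc.firewall rules quoted above. It models only protocol, addresses, direction and interface: the `setup`/`established` TCP flags are ignored, `${oif}` is assumed to be ppp0, and the rule numbers are constructed for the example.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
NAT_IP = ipaddress.ip_address("209.5.53.22")   # the ppp0 address from the post

def net(s):
    return ipaddress.ip_network(s, strict=False)

# (number, action, proto, src, dst, direction, iface); None = wildcard.
# Rule numbers are constructed for this example; ipfw assigns its own.
RULES = [
    (100, "deny", "all", net("192.168.1.0/24"), ANY, "in", "ppp0"),     # anti-spoof
    (200, "deny", "all", net("209.5.53.22/32"), ANY, "in", "ppp0"),
    (300, "divert", "all", ANY, ANY, None, "ppp0"),                      # natd
    (400, "deny", "all", net("192.168.0.0/16"), ANY, None, "ppp0"),     # RFC1918, oif assumed ppp0
    (500, "pass", "tcp", net("209.5.53.22/32"), ANY, None, None),       # "setup" not modelled
    (510, "pass", "tcp", net("192.168.1.0/24"), ANY, None, None),
    (600, "pass", "all", net("209.58.6.0/24"), net("209.5.53.22/32"), None, None),
    (65535, "deny", "all", ANY, ANY, None, None),
]

def pkt(proto, src, dst, direction, iface):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dir": direction, "iface": iface}

def walk(p, rules=RULES):
    """First-match walk returning (rule number, action, final source address).
    divert is not terminal: natd handles the packet and ipfw resumes at the next
    rule. With -u (as posted) natd only rewrites RFC1918 sources on the way out,
    so the box's own 209.5.53.22 source passes natd untouched (cf. natd -v)."""
    p = dict(p)
    for num, action, proto, src, dst, direction, iface in rules:
        if proto != "all" and proto != p["proto"]:
            continue
        if p["src"] not in src or p["dst"] not in dst:
            continue
        if direction is not None and direction != p["dir"]:
            continue
        if iface is not None and iface != p["iface"]:
            continue
        if action == "divert":
            if p["dir"] == "out" and p["src"].is_private:
                p["src"] = NAT_IP          # natd -u: translate unregistered sources only
            continue                       # reinjected; continue at the next rule
        return num, action, str(p["src"])
    return None
```

For instance, `walk(pkt("tcp", "192.168.1.2", "209.58.6.10", "out", "ppp0"))` shows the PC's source translated at the divert and then passed at the TCP rule, while the same call with source 209.5.53.22 passes with no translation.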
