Date: Wed, 7 Mar 2007 17:22:08 -0600 (CST)
From: Robert Johannes <rjohanne@piper.hamline.edu>
To: Tom Judge <tom@tomjudge.com>
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
Message-ID: <Pine.LNX.4.64.0703071718220.3635@wnk.hamline.edu>
In-Reply-To: <45EF2EFF.5080407@tomjudge.com>
References: <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu> <20070307170617.GA2799@zen.inc> <Pine.LNX.4.64.0703071146580.3635@wnk.hamline.edu> <45EF2EFF.5080407@tomjudge.com>
On Wed, 7 Mar 2007, Tom Judge wrote:

> Robert Johannes wrote:
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>>>> My situation is rather unique, and I am needing an expert's eyes to
>>>> glance at it and confirm whether it is doable or not. I have a simple
>>>> diagram that illustrates what I am trying to do, and it is located here
>>>> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg
>>>
>>> I'm not sure I understood exactly what you want to do, but I think
>>> your setup is really common.
>>>
>>>> In the diag, the dsl modems have dynamic public ips on the internet side,
>>>> and private ips on the lan side.
>>>
>>> If both DSL modems have dynamic IPs, you'll have a first problem:
>>> being able to know the correct IP of your peer, then a second problem:
>>> being able to detect when the peer's IP changes.
>>>
>>> I'll consider you are able to do that.
>>>
>>>> As you can see in the diag, I am trying to have the vpn traffic from the
>>>> internet forwarded to the Freebsd vpn (the machines ending in .254 on each
>>>> site). I have followed the Freebsd "VPN over Ipsec" in the handbook, and
>>>> created a tunnel between the two vpn servers; according to the handbook, I
>>>> should be able to ping the vpn servers using their private network
>>>> addresses, but I am not able to do that. I realize that my implementation
>>>> is not exactly like the handbook's, but what do I need to do to get it to
>>>> work? I have googled, and researched all over the net without much
>>>> progress.
>>>>
>>>> I have seen a lot of messages related to nat and enabling vpn passthrough
>>>> on different dsl modems and so forth, which I have tried to do, but still,
>>>> no progress.
>>>
>>> Some information:
>>>
>>> - FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
>>> forget that part and use directly IPSec tunnels without Gif
>>> interfaces.
>>>
>>> - You'll probably need NAT-T support so your VPN tunnel will be more
>>> likely to work (well, it may work without NAT-T, but it is more
>>> complex and needs lots of constraints between both FreeBSD gates).
>>> Make a quick search on freebsd-net, get the kernel patch from
>>> http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel
>>> with NAT-T support, reinstall your world, then recompile/reinstall
>>> ipsec-tools port.
>>>
>>> - When your tunnel will be up, you'll probably want to lower the
>>> TCPMSS for traffic which goes through the tunnel, but this is
>>> another story :-)
>>>
>> Thanks for your response. My freebsd vpn servers are behind the dsl
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> setup between the dsl modems and the vpn servers. E.g, when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>>
>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel you
>> are suggesting below would help, since NAT is happening on the dsl routers.
>> I am guessing my problem is between the vpn server and the dsl router's NAT
>> capability. I have done a tcpdump on the gif interface, and I can see the
>> ping requests being made across it, but there's no response. I don't even
>> know if the traffic is making it beyond the vpn box, let alone beyond the
>> dsl modem.
>>
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>>
>> So, any other insight into this situation?
>
> If you are using IPSec with ESP as per the handbook you will need to NAT the
> ESP packets back to the internal VPN routers. As ESP is an IP payload protocol,
> not a TCP/UDP payload protocol, your DSL router will probably not be able to
> do this. Looking into adding nat-t to ipsec as we speak.
>
> I would suggest you go with Yvan's suggestion of doing away with gif and
> adding the nat-t support to ipsec. Alternatively you could use a UDP/TCP
> based vpn solution such as openvpn (in ports and http://openvpn.net/) which
> will be fully compatible with your nat setup. openvpn will also be tolerant to
> remote end points changing ip address half while the vpn link is active
> (comes in handy when used in combination with a dynamic dns service).

As far as openvpn goes, I looked into it in October or Nov. last year, and it
seemed not to be very scalable; I have 6 different offices that all need to
connect and chat with each other, and it didn't seem like openvpn would allow
for this to happen. I didn't investigate it much beyond that when I learned
that.

robert
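The diagnosis in this thread (IKE on UDP/500 gets through the port-forward, raw ESP does not because IP protocol 50 carries no port numbers, and NAT-T fixes that by wrapping ESP in UDP/4500) can be checked from a capture on the gateway's outside interface. The script below is an added example, not something posted in the thread or shipped with FreeBSD or ipsec-tools. It parses a constructed set of tcpdump-style lines (the addresses 192.168.1.254 and 203.0.113.10 are illustrative, not the thread's diagram), classifies each packet as IKE, NAT-T or raw ESP, and reports the "ESP goes out, nothing comes back" pattern the original poster saw.

```python
import re
from collections import Counter

# Constructed sample capture in tcpdump's text format. 192.168.1.254 is the
# local VPN gateway behind the DSL NAT; 203.0.113.10 stands in for the remote
# site's public address. IKE is answered, three raw ESP packets leave, and no
# ESP or UDP/4500 traffic ever comes back.
SAMPLE_CAPTURE = """\
10:01:01.000 IP 192.168.1.254.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:01:01.120 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 1 R ident
10:01:02.000 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0000a1b2,seq=0x1), length 116
10:01:03.000 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0000a1b2,seq=0x2), length 116
10:01:04.000 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0000a1b2,seq=0x3), length 116
"""

# IKE (ISAKMP) on UDP/500: has ports, so a per-port forward can map it.
ISAKMP_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: isakmp")
# NAT-T: IKE or UDP-encapsulated ESP on UDP/4500, also forwardable by port.
NATT_RE = re.compile(r"IP (\S+)\.4500 > (\S+)\.4500: ")
# Raw ESP: IP protocol 50, no port numbers at all in the header.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=")


def classify(line):
    """Return (kind, src, dst); kind is 'isakmp', 'natt', 'esp' or 'other'."""
    m = NATT_RE.search(line)
    if m:
        return "natt", m.group(1), m.group(2)
    m = ISAKMP_RE.search(line)
    if m:
        return "isakmp", m.group(1), m.group(2)
    m = ESP_RE.search(line)
    if m:
        return "esp", m.group(1), m.group(2)
    return "other", None, None


def diagnose(capture, local_ip):
    """Count IPsec packets by (kind, direction) and explain what the NAT can
    and cannot forward. Returns (counts, list of findings)."""
    counts = Counter()
    for line in capture.splitlines():
        kind, src, dst = classify(line)
        if kind == "other":
            continue
        direction = "out" if src == local_ip else "in"
        counts[(kind, direction)] += 1

    findings = []
    if counts[("isakmp", "out")] and counts[("isakmp", "in")]:
        findings.append("IKE on UDP/500 is answered: the port-forward for 500 works.")
    elif counts[("isakmp", "out")]:
        findings.append("IKE on UDP/500 gets no reply: check the UDP/500 forward "
                        "and the peer's current (dynamic) address.")
    if counts[("esp", "out")] and not counts[("esp", "in")] and not counts[("natt", "in")]:
        findings.append(
            "Raw ESP leaves but nothing returns and no UDP/4500 traffic is seen: "
            "ESP is IP protocol 50 with no port numbers, so a per-port forward on "
            "the DSL router cannot map the replies. Enable NAT-T so ESP is carried "
            "in UDP/4500, which the router can forward like any other UDP port.")
    if counts[("natt", "in")] and counts[("natt", "out")]:
        findings.append("UDP/4500 traffic flows both ways: NAT-T encapsulation is in use.")
    return dict(counts), findings


if __name__ == "__main__":
    counts, findings = diagnose(SAMPLE_CAPTURE, "192.168.1.254")
    for key, n in sorted(counts.items()):
        print(f"{key[0]:7s} {key[1]:3s} {n}")
    for f in findings:
        print("-", f)
```

On a real gateway the same logic applies to `tcpdump -n -i <outside-if> 'udp port 500 or udp port 4500 or proto 50'` output; only the parsing needs to stay in step with the tcpdump version's exact wording for UDP-encapsulated ESP.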