From owner-freebsd-security@FreeBSD.ORG Wed Mar 7 23:22:33 2007
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4C21516A402 for ; Wed, 7 Mar 2007 23:22:33 +0000 (UTC) (envelope-from rjohanne@piper.hamline.edu)
Received: from piper.hamline.edu (piper.hamline.edu [138.192.2.101]) by mx1.freebsd.org (Postfix) with ESMTP id 0BD9713C461 for ; Wed, 7 Mar 2007 23:22:32 +0000 (UTC) (envelope-from rjohanne@piper.hamline.edu)
Received: from wnk (wnk [138.192.24.100]) by piper.hamline.edu (8.12.6/8.12.6) with ESMTP id l27NMZQO000268; Wed, 7 Mar 2007 17:22:55 -0600 (CST)
Date: Wed, 7 Mar 2007 17:22:08 -0600 (CST)
From: Robert Johannes
X-X-Sender: rjohanne@wnk.hamline.edu
To: Tom Judge
In-Reply-To: <45EF2EFF.5080407@tomjudge.com>
References: <20070307170617.GA2799@zen.inc> <45EF2EFF.5080407@tomjudge.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Wed, 07 Mar 2007 23:22:33 -0000

On Wed, 7 Mar 2007, Tom Judge wrote:

> Robert Johannes wrote:
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>>>> My situation is rather unique, and I am needing an expert's eyes to
>>>> glance at it and confirm whether it is doable or not. I have a simple
>>>> diagram that illustrates what I am trying to do, and it is located here
>>>> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg
>>>
>>> I'm not sure I understood exactly what you want to do, but I think
>>> your setup is really common.
>>>
>>>> In the diag, the dsl modems have dynamic public ips on the internet side,
>>>> and private ips on the lan side.
>>>
>>> If both DSL modems have dynamic IPs, you'll have a first problem:
>>> being able to know the correct IP of your peer, then a second problem:
>>> being able to detect when the peer's IP changes.
>>>
>>> I'll consider you are able to do that.
>>>
>>>> As you can see in the diag, I am trying to have the vpn traffic from the
>>>> internet forwarded to the Freebsd vpn (the machines ending in .254 on
>>>> each site). I have followed the Freebsd "VPN over Ipsec" in the handbook,
>>>> and created a tunnel between the two vpn servers; according to the
>>>> handbook, I should be able to ping the vpn servers using their private
>>>> network addresses, but I am not able to do that. I realize that my
>>>> implementation is not exactly like the handbook's, but what do I need to
>>>> do to get it to work? I have googled, and researched all over the net
>>>> without much progress.
>>>>
>>>> I have seen a lot of messages related to nat and enabling vpn passthrough
>>>> on different dsl modems and so forth, which I have tried to do, but
>>>> still, no progress.
>>>
>>> Some information:
>>>
>>> - FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
>>> forget that part and use IPSec tunnels directly, without Gif
>>> interfaces.
>>>
>>> - You'll probably need NAT-T support so your VPN tunnel will be more
>>> likely to work (well, it may work without NAT-T, but it is more
>>> complex and needs lots of constraints between both FreeBSD gates).
>>> Make a quick search on freebsd-net, get the kernel patch from
>>> http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel
>>> with NAT-T support, reinstall your world, then recompile/reinstall
>>> the ipsec-tools port.
>>>
>>> - When your tunnel is up, you'll probably want to lower the
>>> TCPMSS for traffic which goes through the tunnel, but this is
>>> another story :-)
>>>
>> Thanks for your response. My freebsd vpn servers are behind the dsl
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> set up between the dsl modems and the vpn servers. E.g., when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>>
>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel you
>> are suggesting below would help, since NAT is happening on the dsl routers.
>> I am guessing my problem is between the vpn server and the dsl router's NAT
>> capability. I have done a tcpdump on the gif interface, and I can see the
>> ping requests being made across it, but there's no response. I don't even
>> know if the traffic is making it beyond the vpn box, let alone beyond the
>> dsl modem.
>>
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>>
>> So, any other insight into this situation?
>
> If you are using IPSec with ESP as per the handbook you will need to NAT the
> ESP packets back to the internal VPN routers. As ESP is an IP payload
> protocol, not a TCP/UDP payload protocol, your DSL router will probably not
> be able to do this. Looking into adding nat-t to ipsec as we speak.
>
> I would suggest you go with Yvan's suggestion of doing away with gif and
> adding the nat-t support to ipsec. Alternatively you could use a UDP/TCP
> based vpn solution such as openvpn (in ports and http://openvpn.net/) which
> will be fully compatible with your nat setup. openvpn will also be tolerant
> of remote end points changing ip address halfway through while the vpn link
> is active (comes in handy when used in combination with a dynamic dns
> service).

As far as openvpn goes, I looked into it in October or Nov. last year, and it
seemed not to be very scalable; I have 6 different offices that all need to
connect and chat with each other, and it didn't seem like openvpn would allow
for this to happen. I didn't investigate it much beyond that when I learned
that.

robert
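The point Tom makes in the reply above, that a port-forwarding NAT box has nothing to match on for raw ESP while IKE and NAT-T traffic carry UDP ports, worked through as an added example. This is not code from the thread, from FreeBSD or from ipsec-tools: it builds four constructed IPv4 packets as the DSL modem would see them from the Internet side (raw ESP on IP protocol 50, IKE on UDP/500, and IKE and UDP-encapsulated ESP on UDP/4500 per RFC 3948), then runs them through a toy (proto, dport) port-forward table like the one Robert describes. The addresses 198.51.100.7 and 203.0.113.9, the inside host 192.168.1.254 and the SPI value are all made up for the example.

```python
"""Why a port-forwarding NAT can pass IKE/NAT-T to an inside host but not raw ESP.

Added example for the freebsd-security thread; nothing here is project code.
Packets are constructed inline (no checksums, dummy ISAKMP header) so it runs offline.
"""
import struct
import ipaddress

PROTO_UDP = 17
PROTO_ESP = 50              # ESP is carried directly in IP: there is no port number
IKE_PORT = 500              # ISAKMP/IKE
NATT_PORT = 4500            # IKE and UDP-encapsulated ESP once NAT-T is negotiated (RFC 3948)
NON_ESP_MARKER = b"\x00" * 4  # on 4500 this marks IKE; it cannot collide with ESP because SPI 0 is reserved


def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL 5, TTL 64, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _esp(spi, seq, body):
    """ESP header is just SPI + sequence number; body stands in for the encrypted payload."""
    return struct.pack("!II", spi, seq) + body


def _isakmp(msg_id=0):
    """Dummy 28-byte ISAKMP header: cookies, next payload, version 1.0, exchange type, flags, id, length."""
    return struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 1, 0x10, 2, 0, msg_id, 28)


def raw_esp_packet(src, dst, spi, seq, body):
    return _ipv4(src, dst, PROTO_ESP, _esp(spi, seq, body))


def ike_packet(src, dst):
    return _ipv4(src, dst, PROTO_UDP, _udp(IKE_PORT, IKE_PORT, _isakmp()))


def natt_ike_packet(src, dst):
    return _ipv4(src, dst, PROTO_UDP, _udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + _isakmp()))


def natt_esp_packet(src, dst, spi, seq, body):
    return _ipv4(src, dst, PROTO_UDP, _udp(NATT_PORT, NATT_PORT, _esp(spi, seq, body)))


def classify(pkt):
    """What a NAT box can see: IP protocol, UDP destination port (if any), and the ESP SPI (if any)."""
    ver_ihl, _, total, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    payload = pkt[(ver_ihl & 0x0F) * 4:total]
    if proto == PROTO_ESP:
        spi, = struct.unpack("!I", payload[:4])
        return {"kind": "esp", "proto": PROTO_ESP, "dport": None, "spi": spi}
    if proto == PROTO_UDP:
        _, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:ulen]
        if dport == NATT_PORT:
            if data[:4] == NON_ESP_MARKER:
                return {"kind": "ike-natt", "proto": PROTO_UDP, "dport": dport, "spi": None}
            spi, = struct.unpack("!I", data[:4])
            return {"kind": "esp-udp", "proto": PROTO_UDP, "dport": dport, "spi": spi}
        if dport == IKE_PORT:
            return {"kind": "ike", "proto": PROTO_UDP, "dport": dport, "spi": None}
        return {"kind": "udp", "proto": PROTO_UDP, "dport": dport, "spi": None}
    return {"kind": "other", "proto": proto, "dport": None, "spi": None}


def forward_decision(pkt, table):
    """Inside host a (proto, dport) port-forward table sends pkt to, or None if no rule can match."""
    info = classify(pkt)
    if info["dport"] is None:
        return None          # no transport port to key on: raw ESP never matches a port-forward rule
    return table.get((info["proto"], info["dport"]))


# Hypothetical inside VPN host and the two forwarding tables being compared.
VPN_HOST = "192.168.1.254"
TABLE_PORT_500_ONLY = {(PROTO_UDP, IKE_PORT): VPN_HOST}                      # the setup described in the thread
TABLE_WITH_NATT = {**TABLE_PORT_500_ONLY, (PROTO_UDP, NATT_PORT): VPN_HOST}  # what NAT-T additionally needs

# Constructed sample packets: remote peer -> local DSL modem's WAN address.
PEER, MODEM = "198.51.100.7", "203.0.113.9"
SAMPLE_IKE = ike_packet(PEER, MODEM)
SAMPLE_ESP = raw_esp_packet(PEER, MODEM, 0x12345678, 1, b"\xaa" * 32)
SAMPLE_NATT_IKE = natt_ike_packet(PEER, MODEM)
SAMPLE_NATT_ESP = natt_esp_packet(PEER, MODEM, 0x12345678, 1, b"\xaa" * 32)

if __name__ == "__main__":
    for name, pkt in [("IKE/500", SAMPLE_IKE), ("raw ESP", SAMPLE_ESP),
                      ("IKE/4500", SAMPLE_NATT_IKE), ("ESP-in-UDP/4500", SAMPLE_NATT_ESP)]:
        print(f"{name:16} {classify(pkt)['kind']:9} "
              f"fwd(500 only)={forward_decision(pkt, TABLE_PORT_500_ONLY)} "
              f"fwd(500+4500)={forward_decision(pkt, TABLE_WITH_NATT)}")
```

Running it shows the failure mode from the thread: with only UDP/500 forwarded, IKE phase 1 reaches the inside host but the ESP that follows is dropped at the modem, and even with NAT-T patched in the box still needs a second rule for UDP/4500 before the encapsulated ESP gets through. Raw ESP is unforwardable by this kind of table under either configuration, which is why the tcpdump on the gif interface shows requests leaving and nothing coming back.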