Date: Wed, 7 Mar 2007 18:06:17 +0100
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
Message-ID: <20070307170617.GA2799@zen.inc>
In-Reply-To: <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu>
References: <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu>
On Wed, Mar 07, 2007 at 09:59:44AM -0600, Robert Johannes wrote:
> Hello Greg,
> I am writing you, because I saw your responses to a couple of messages on
> the freebsd-security mailing list related to freebsd vpn and nat.

Well, I'm not Greg, but hi, and here is some information :-)

> My situation is rather unique, and I am needing an expert's eyes to
> glance at it and confirm whether it is doable or not. I have a simple
> diagram that illustrates what I am trying to do, and it is located here
> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg

I'm not sure I understood exactly what you want to do, but I think your
setup is really common.

> In the diag, the dsl modems have dynamic public ips on the internet side,
> and private ips on the lan side.

If both DSL modems have dynamic IPs, you'll have a first problem: being
able to know the correct IP of your peer, then a second problem: being
able to detect when the peer's IP changes. I'll consider you are able to
do that.

> As you can see in the diag, I am trying to have the vpn traffic from the
> internet forwarded to the Freebsd vpn (the machines ending in .254 on each
> site). I have followed the Freebsd "VPN over Ipsec" in the handbook, and
> created a tunnel between the two vpn servers; according to the handbook, I
> should be able to ping the vpn servers using their private network
> addresses, but I am not able to do that. I realize that my implementation
> is not exactly like the handbook's, but what do I need to do to get it to
> work? I have googled, and researched all over the net without much
> progress.
>
> I have seen a lot of messages related to nat and enabling vpn passthrough
> on different dsl modems and so forth, which I have tried to do, but still,
> no progress.

Some information:

- The FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
  forget that part and use IPSec tunnels directly, without Gif interfaces.

- You'll probably need NAT-T support so your VPN tunnel will be more likely
  to work (well, it may work without NAT-T, but it is more complex and needs
  lots of constraints between both FreeBSD gates). Make a quick search on
  freebsd-net, get the kernel patch from
  http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel with
  NAT-T support, reinstall your world, then recompile/reinstall the
  ipsec-tools port.

- When your tunnel is up, you'll probably want to lower the TCPMSS for
  traffic which goes through the tunnel, but this is another story :-)

Yvan.

-- 
NETASQ http://www.netasq.com
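As an added illustration of the two pieces of advice above (a gif-less IPsec tunnel policy plus IKE with NAT-T), here is a small POSIX sh script that emits the setkey SPD entries and a racoon.conf fragment for one FreeBSD gate sitting behind a NAT DSL router. This is example code written for this page, not Yvan's or the ipsec-tools project's configuration; the networks, the gate address 192.168.1.254 and the peer address 203.0.113.7 are constructed placeholders, and the port-forwarding requirement (UDP 500 and 4500 to the gate) is the standard NAT-T assumption rather than something stated in the mail.

```shell
#!/bin/sh
# Added example (not from the original post): generate a tunnel-mode SPD for
# setkey(8) and a racoon.conf fragment with NAT-T enabled, for a FreeBSD
# IPsec gate with a private address behind a NAT DSL router.
# All addresses used here are constructed placeholders.

# gen_spd LOCAL_LAN REMOTE_LAN LOCAL_GW PEER_PUB
#   LOCAL_LAN / REMOTE_LAN : the two private networks to be joined
#   LOCAL_GW               : this gate's own (private) address behind the router
#   PEER_PUB               : the remote DSL router's public address, i.e. the
#                            peer as this gate sees it after the remote NAT
# Tunnel mode between the two gates carries the LAN traffic directly; no gif
# interface is involved, which is the first point made in the mail.
gen_spd() {
    local_lan=$1 remote_lan=$2 local_gw=$3 peer_pub=$4
    cat <<EOF
spdadd $local_lan $remote_lan any -P out ipsec esp/tunnel/$local_gw-$peer_pub/require;
spdadd $remote_lan $local_lan any -P in  ipsec esp/tunnel/$peer_pub-$local_gw/require;
EOF
}

# gen_racoon LOCAL_GW PEER_PUB
#   racoon listens on UDP 500 (IKE) and UDP 4500 (NAT-T). The DSL router must
#   forward both ports to LOCAL_GW; with NAT-T the ESP packets travel inside
#   UDP 4500, which is what lets them survive the NAT on both ends.
gen_racoon() {
    local_gw=$1 peer_pub=$2
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
    isakmp      $local_gw [500];
    isakmp_natt $local_gw [4500];
}

remote $peer_pub {
    exchange_mode main;
    nat_traversal on;
    proposal_check obey;
    proposal {
        encryption_algorithm  aes;
        hash_algorithm        sha1;
        authentication_method pre_shared_key;
        dh_group              2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm     aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
EOF
}

# Demo for the site whose gate is 192.168.1.254 (constructed values):
#   sh ipsec-natt-example.sh --demo
if [ "${1:-}" = "--demo" ]; then
    gen_spd 192.168.1.0/24 192.168.2.0/24 192.168.1.254 203.0.113.7
    gen_racoon 192.168.1.254 203.0.113.7
fi
```

The second site uses the same two functions with the LAN, gate and peer arguments swapped. Because the peer address appears both in the SPD tunnel endpoints and in the `remote` block, a dynamic public IP on the far DSL modem means regenerating both whenever it changes, which is exactly the "first problem" Yvan points out.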