From: VANHULLEBUS Yvan <vanhu@zeninc.net>
To: freebsd-security@freebsd.org
Date: Wed, 7 Mar 2007 18:06:17 +0100
Subject: Re: freebsd vpn server behind nat dsl router
Message-ID: <20070307170617.GA2799@zen.inc>

On Wed, Mar 07, 2007 at 09:59:44AM -0600, Robert Johannes wrote:
> Hello Greg,
> I am writing you, because I saw your responses to a couple of messages on
> the freebsd-security mailing list related to FreeBSD VPN and NAT.

Well, I'm not Greg, but hi, and here is some information :-)

> My situation is rather unique, and I am needing an expert's eyes to
> glance at it and confirm whether it is doable or not. I have a simple
> diagram that illustrates what I am trying to do, and it is located here
> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg

I'm not sure I understood exactly what you want to do, but I think your
setup is really common.
> In the diag, the DSL modems have dynamic public IPs on the internet side,
> and private IPs on the LAN side.

If both DSL modems have dynamic IPs, you'll have a first problem: being
able to know the correct IP of your peer, then a second problem: being
able to detect when the peer's IP changes. I'll consider you are able to
do that.

> As you can see in the diag, I am trying to have the VPN traffic from the
> internet forwarded to the FreeBSD VPN (the machines ending in .254 on each
> site). I have followed the FreeBSD "VPN over IPsec" in the handbook, and
> created a tunnel between the two VPN servers; according to the handbook, I
> should be able to ping the VPN servers using their private network
> addresses, but I am not able to do that. I realize that my implementation
> is not exactly like the handbook's, but what do I need to do to get it to
> work? I have googled, and researched all over the net without much
> progress.
>
> I have seen a lot of messages related to NAT and enabling VPN passthrough
> on different DSL modems and so forth, which I have tried to do, but still,
> no progress.

Some information:

- The FreeBSD handbook talks about gif interfaces for IPsec tunnels. Just
  forget that part and use IPsec tunnels directly, without gif interfaces.

- You'll probably need NAT-T support so your VPN tunnel will be more likely
  to work (well, it may work without NAT-T, but it is more complex and
  needs lots of constraints between both FreeBSD gates). Make a quick
  search on freebsd-net, get the kernel patch from
  http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel with
  NAT-T support, reinstall your world, then recompile/reinstall the
  ipsec-tools port.

- When your tunnel is up, you'll probably want to lower the TCPMSS for
  traffic which goes through the tunnel, but this is another story :-)

Yvan.

--
NETASQ
http://www.netasq.com
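Yvan's last point, that the TCPMSS has to be lowered for traffic going through the tunnel, as an added worked example that is not part of the mail or of ipsec-tools: it computes the ESP tunnel-mode overhead with and without the NAT-T UDP encapsulation he recommends, and the largest MSS that still fits a 1500-byte MTU without fragmenting. The cipher and MAC sizes (AES-CBC, HMAC-SHA1-96), the MTU and the IPv4-only assumption are constructed for this example, not taken from the page.

```python
# Added example (not from Yvan's mail): why the TCP MSS has to be lowered
# for traffic inside an ESP tunnel, and by how much.  Assumptions, all
# constructed for this example: IPv4 inner and outer headers, TCP without
# options, AES-CBC (16-byte IV and block), HMAC-SHA1-96 (12-byte ICV),
# and a 1500-byte MTU on the DSL link.  NAT-T adds an 8-byte UDP header.

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # UDP encapsulation used by NAT-T (RFC 3948)
ESP_SPI_SEQ = 8      # ESP header: SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)


def esp_tunnel_packet_size(payload, iv_len=16, block=16, icv_len=12, natt=True):
    """Bytes on the wire for one inner IPv4/TCP segment carrying `payload`
    bytes of data, once wrapped in ESP tunnel mode (optionally NAT-T)."""
    inner_pkt = IPV4_HDR + TCP_HDR + payload
    # ESP pads the inner packet plus trailer up to the cipher block size.
    padded = -(-(inner_pkt + ESP_TRAILER) // block) * block
    return (IPV4_HDR + (UDP_HDR if natt else 0) + ESP_SPI_SEQ + iv_len
            + padded + icv_len)


def max_tcp_mss(mtu=1500, **esp):
    """Largest TCP MSS whose encapsulated packet still fits the outer MTU,
    i.e. the value to clamp to so the tunnel never fragments."""
    mss = mtu - IPV4_HDR - TCP_HDR          # clear-text MSS to start from
    while mss > 0 and esp_tunnel_packet_size(mss, **esp) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    clear_mss = 1500 - IPV4_HDR - TCP_HDR
    print(f"clear-text MSS           : {clear_mss}")
    print(f"same segment in ESP+NAT-T: {esp_tunnel_packet_size(clear_mss)} "
          f"bytes (> 1500, so it fragments or is dropped)")
    print(f"MSS clamp, ESP + NAT-T   : {max_tcp_mss()}")
    print(f"MSS clamp, ESP only      : {max_tcp_mss(natt=False)}")
```

With these assumptions a default 1460-byte MSS becomes a 1568-byte outer packet, while clamping to 1382 (NAT-T) or 1398 (plain ESP) keeps every segment under the 1500-byte MTU.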