From owner-freebsd-ipfw Wed Jan 24 22:05:54 2001
Date: Wed, 24 Jan 2001 22:05:37 -0800
From: "Crist J. Clark"
To: Bruno Miguel
Cc: freebsd-ipfw@FreeBSD.ORG, The Babbler
Subject: Re: IPSEC tunnelling
Message-ID: <20010124220537.G10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A6D367EA1EFD4118C9B00A0C9DD99D7064AE8@rerun.lucentctc.com>; <20010121173807.B10761@rfx-216-196-73-168.users.reflex> <3A6EFA76.17540.17FDF1@localhost>
In-Reply-To: <3A6EFA76.17540.17FDF1@localhost>; from brunomiguel@netcabo.pt on Wed, Jan 24, 2001 at 03:53:26PM -0000

On Wed, Jan 24, 2001 at 03:53:26PM -0000, Bruno Miguel wrote:
> > > I'm using IPSec tunnel mode, with ESP, but no authentication. I'm also not
> > > using AH.
> >
> > Tunnel mode is troublesome to mix with NAT. AH is impossible to run
> > through NAT.
>
> I tried using a skipto rule when packets from local network tried to reach the
> other local network... skipping the divert rule.

That should pretty much break everything before you even have to worry
whether the IPsec is working.

> To no avail..
> I was trying to use tunnel mode, only esp.
> I wonder if someone has done it..... I normally use ipfilter, but the ipfw divert
> rule being able to be bypassed by a skipto rule made me try ipfw. It didn't
> work..... when I setup a 10.x.x.x. network it worked..... but it was nattin'
> 192.168.x.x network. I wonder what went wrong.

ESP is rarely going to be the problem. If you make it all of the way
through the ISAKMP keying negotiations, you are in business.

-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
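The reply above states that AH cannot be run through NAT while ESP usually survives it. The following is an added illustration, not code from the thread or from FreeBSD: it models an AH integrity check over the outer IP header (mutable fields such as TTL zeroed, as AH does) against an ESP-style check that covers only the encapsulated payload, then pushes both through a source NAT. The packet, key and addresses are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-sa-key"  # assumption: the SA's shared integrity key (constructed)


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    ttl: int        # mutable in transit; AH zeroes it before computing the ICV
    payload: bytes  # the tunnelled (inner) packet


def ah_icv(pkt: Packet) -> bytes:
    # AH authenticates the outer IP header (addresses included, mutable TTL zeroed)
    # plus everything after it, so any address rewrite invalidates the ICV.
    covered = f"{pkt.src}|{pkt.dst}|ttl=0|".encode() + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96 style


def esp_icv(pkt: Packet) -> bytes:
    # ESP's integrity check covers the ESP header and (encrypted) payload only,
    # never the outer IP header, so NAT rewriting the outer addresses is invisible to it.
    return hmac.new(KEY, pkt.payload, hashlib.sha1).digest()[:12]


def source_nat(pkt: Packet, public_ip: str) -> Packet:
    # A NAT gateway rewrites the private source address and, as any router, decrements TTL.
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def router_hop(pkt: Packet) -> Packet:
    # A plain router only decrements TTL; AH is designed to tolerate exactly this.
    return replace(pkt, ttl=pkt.ttl - 1)


def arrives_intact(mode: str, through_nat: bool) -> bool:
    # Returns True when the receiver's ICV check passes for the given protocol and path.
    icv_fn = ah_icv if mode == "AH" else esp_icv
    original = Packet("192.168.1.10", "203.0.113.5", 64, b"inner tunnelled packet (constructed)")
    icv = icv_fn(original)
    received = source_nat(original, "198.51.100.1") if through_nat else router_hop(original)
    return hmac.compare_digest(icv_fn(received), icv)


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        print(mode, "via router:", arrives_intact(mode, False), "via NAT:", arrives_intact(mode, True))
```

Note that this shows only the integrity-check side; as the reply says, tunnel mode can still be awkward behind NAT for other reasons, such as the NAT having no port to map for ESP.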