From owner-freebsd-security Wed Oct 24  9:14:01 2001
To: freebsd-security@freebsd.org
From: tariq_rashid@lineone.net
Subject: 2-channel isakmpd on freebsd4.4R?
Date: Wed, 24 Oct 2001 17:13:54 +0100

first: let me apologise for thanking those who gave useful advice and help last week - i was away unexpectedly.

ok - consider the following:

  [ isakmpd ] 192.168.1.1 ------- 192.168.1.2 [ isakmpd ]
  [  vpn H  ]                                 [  vpn A  ]
       |                                           |
       | 10.0.7.2                         10.8.0.1 |
       |                                           |
  { 10.0.0.0/16 subnet }               { 10.8.0.0/16 subnet }

*- in fact there are more than one subnets connected to "H"; these are A, B, C etc ... these all have dynamic public IPs (so 192.168.1.2 may change) - only "H" 192.168.1.1 is static

*- configuration uses pre-shared secrets, aggressive mode, USER_FQDN etc etc; this is fine (thanks to people on this list)

Communication from any subnet to any subnet works fine. This is done by using multiple Connections= (spoke) and Passive-connections= (hub) tags...

eg spoke:
  Connections= IPsec-A-H IPsec-A-B

eg hub:
  Passive-Connections= IPsec-H-A IPsec-H-B IPsec-A-B IPsec-B-A

However, communication initiated from the vpn-endpoint boxes themselves does not work. (I suspect that despite the packets being formed with source=external-ip, the ipsec "trap" doesn't catch them).

Solution tried: MORE Connections were tried. In addition to the IPV4_ADDR_SUBNET endpoints, non-subnet IPV4_ADDR was tried. This failed. (This fails on its own too???)

The UGLY solution which works is to use NATd: something like ...

  ipfw delete 50
  ipfw add 50 divert natd all from any to 10.8.0.0/16 via rl0
  natd -v -n fxp0

Keep in mind that isakmpd.conf can't be over-specified due to the need for the spoke-nets requiring dynamic public IPs.

Any better ideas? much appreciated!

tariq
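To make the hub/spoke layout described in the post concrete, here is an illustrative hub-side isakmpd.conf, added here as an editor's example; it is not tariq's file and the post does not show his sections. Only the addresses (192.168.1.1, 10.0.0.0/16, 10.8.0.0/16) and the connection names IPsec-H-A / IPsec-H-B come from the post. The section names ISAKMP-peer-any, Hub-ID, Net-H, Net-A, Net-B, Host-H and IPsec-Hself-A, the USER_FQDN name, the pre-shared secret and the 10.9.0.0/16 range for subnet B are assumptions.

```ini
# Hub "H" (static 192.168.1.1). Illustrative isakmpd.conf written for this
# page, not the poster's configuration. Addresses are from the post; all
# section names, the FQDN and the secret are assumed placeholders.

[General]
Listen-on=              192.168.1.1

[Phase 1]
# Spokes have dynamic public addresses, so the hub cannot key peers by
# address: every unknown initiator is matched by this default peer entry.
Default=                ISAKMP-peer-any

[Phase 2]
# The hub never initiates; it only answers the spokes' Connections= entries.
# IPsec-Hself-A is the host-address variant the post reports trying.
Passive-connections=    IPsec-H-A IPsec-H-B IPsec-Hself-A

[ISAKMP-peer-any]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
# Placeholder pre-shared secret; replace before use.
Authentication=         CHANGE-ME-pre-shared-secret
ID=                     Hub-ID

[Hub-ID]
ID-type=                USER_FQDN
Name=                   hub@example.invalid

[IPsec-H-A]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-any
Configuration=          Default-quick-mode
Local-ID=               Net-H
Remote-ID=              Net-A

[IPsec-H-B]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-any
Configuration=          Default-quick-mode
Local-ID=               Net-H
Remote-ID=              Net-B

# Subnet-to-subnet selectors (IPV4_ADDR_SUBNET): the post says these work.
[Net-H]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.0.0

[Net-A]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.8.0.0
Netmask=                255.255.0.0

# Assumed range for subnet B; the post gives none.
[Net-B]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.9.0.0
Netmask=                255.255.0.0

# Host selector for traffic the hub box originates itself: its own
# external address with no subnet (IPV4_ADDR, the shape of the attempt
# described in the post).
[Host-H]
ID-type=                IPV4_ADDR
Address=                192.168.1.1

[IPsec-Hself-A]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-any
Configuration=          Default-quick-mode
Local-ID=               Host-H
Remote-ID=              Net-A

[Default-aggressive-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          AGGRESSIVE
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE
```

Two things to read off this layout. First, a Passive-connections= entry only ever answers; with dynamic spoke addresses the hub has no peer address to initiate to, so a hub-originated flow (Host-H to Net-A) is only protected once the spoke has brought up a matching quick-mode SA, which means the spoke's Connections= line has to carry the mirror image of IPsec-Hself-A as well as IPsec-A-H. Second, the post reports that the IPV4_ADDR variant did not work for it, so the Host-H / IPsec-Hself-A sections above show what that attempt looks like in the file, not a confirmed fix. When checking a setup like this, compare what isakmpd installed with what the kernel actually enforces: `setkey -DP` dumps the security policy database, and the policy for the hub's own address either appears there with the expected selectors or it does not, which settles whether the "trap" the post suspects was ever installed.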