Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 07 Jun 2006 13:58:00 +0200
From:      Toni Schmidbauer <toni@stderror.at>
To:        Devin Heckman <terrio@rescomp.berkeley.edu>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw, IPSec, and natd
Message-ID:  <86zmgp41pz.wl%toni@stderror.at>
In-Reply-To: <20060607083516.GO18733@rescomp.berkeley.edu>
References:  <20060606000954.GF18733@rescomp.berkeley.edu> <863behaljm.wl%toni@stderror.at> <20060607083516.GO18733@rescomp.berkeley.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 
At Wed, 7 Jun 2006 01:35:16 -0700,
Devin Heckman wrote:
> has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> when all three run at once with the "divert" rule enabled (if I'm right,
> it's because natd is rewriting some information in packets which makes
> IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> know even how to begin fixing natd).
> 
> myrouter = 192.168.0.10, 10.0.0.1
> mynatbox1 = 10.0.0.2
> mynatbox2 = 10.0.0.3
> mynfsbox = 192.168.0.11
> 
>                    IPSec
>         mynfsbox <--------> myrouter
>                                 | not IPSec
>                                 |<---------> mynatbox1
>                                 |<---------> mynatbox2
> 
> /usr/local/etc/ipsec.conf:
> 
> spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
> spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;

could your repost your excellent description to freebsd-question@? i am
not that kind of an ipsec guru, my setup locks a bit different. for
sure there are ipsec gurus on the ml.

your ipfw rules show that you divert every packet over sis0 to
natd. i would try to specify only those addresses which should get
rewritten by natd (in your case 192.168..). so packets sent from
myrouter to mynfsbox do not pass natd.

another thing i would try is to disable ah (just remove
ah/transport//require) from your ipsec.conf file. ah is not necessary
for an encrypted connection, it provides protection against replay
attacks. 

hth,
toni
-- 
If you understand what you're doing, you're | toni at stderror dot at
not learning anything.                      | Toni Schmidbauer
-- Anonymous                                |

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86zmgp41pz.wl%toni>