From owner-freebsd-net@FreeBSD.ORG Wed Jun 7 12:57:44 2006
Date: Wed, 07 Jun 2006 13:58:00 +0200
Message-ID: <86zmgp41pz.wl%toni@stderror.at>
From: Toni Schmidbauer
To: Devin Heckman
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, IPSec, and natd
In-Reply-To: <20060607083516.GO18733@rescomp.berkeley.edu>
References: <20060606000954.GF18733@rescomp.berkeley.edu> <863behaljm.wl%toni@stderror.at> <20060607083516.GO18733@rescomp.berkeley.edu>
User-Agent: Wanderlust Emacs
Organization: stderror.at
X-WWW-Home-Page: http://stderror.at
X-PGP-Fingerprint: 53F2 28AE 8070 83E0 AFEC 0ABC BBF9 A34A 3ED1 3287
X-Operating-System: FreeBSD
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
List-Id: Networking and TCP/IP with FreeBSD

At Wed, 7 Jun 2006 01:35:16 -0700,
Devin Heckman wrote:
> has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> when all three run at once with the "divert" rule enabled (if I'm right,
> it's because natd is rewriting some information in packets which makes
> IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> know even how to begin fixing natd).
>
> myrouter = 192.168.0.10, 10.0.0.1
> mynatbox1 = 10.0.0.2
> mynatbox2 = 10.0.0.3
> mynfsbox = 192.168.0.11
>
>              IPSec
> mynfsbox <--------> myrouter
>                        | not IPSec
>                        |<---------> mynatbox1
>                        |<---------> mynatbox2
>
> /usr/local/etc/ipsec.conf:
>
> spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
> spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;

could you repost your excellent description to freebsd-questions@? i am
not that kind of an ipsec guru, my setup looks a bit different. for sure
there are ipsec gurus on the ml.

your ipfw rules show that you divert every packet over sis0 to natd. i
would try to specify only those addresses which should get rewritten by
natd (in your case 192.168..). so packets sent from myrouter to mynfsbox
do not pass natd.

another thing i would try is to disable ah (just remove
ah/transport//require) from your ipsec.conf file. ah is not necessary
for an encrypted connection, it provides protection against replay
attacks.

hth,
toni
-- 
If you understand what you're doing, you're | toni at stderror dot at
not learning anything.                      | Toni Schmidbauer
  -- Anonymous                              |
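The two changes suggested in the reply, written out as an added example that is not part of the thread (neither poster's rules are shown): a broad divert rule of the kind described beside a narrowed ipfw rule file that passes the myrouter/mynfsbox pair before natd ever sees it, plus the ipsec.conf policy with AH removed. The interface sis0 and the addresses come from the thread; the rule numbers, the 10.0.0.0/24 mask and the exact rule wording are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Generates ipfw and setkey input;
# apply with:  narrow_rules | ipfw -q /dev/stdin
#              ipsec_policy_esp_only | setkey -c
ext_if="sis0"            # router's outside interface (from the thread)
router="192.168.0.10"    # myrouter, external address
nfsbox="192.168.0.11"    # mynfsbox, IPsec peer
nat_net="10.0.0.0/24"    # assumed mask for the 10.0.0.x NAT clients

# Before: every packet crossing sis0 is handed to natd, including the
# ESP/AH traffic between myrouter and mynfsbox that natd must not touch.
broad_rules() {
    printf 'add 50 divert natd ip from any to any via %s\n' "$ext_if"
}

# After: the IPsec pair is matched first by terminal allow rules, so it
# bypasses natd; only NAT-client traffic going out and replies coming
# back to the router's external address are diverted.
narrow_rules() {
    printf 'add 40 allow ip from %s to %s via %s\n' "$router" "$nfsbox" "$ext_if"
    printf 'add 41 allow ip from %s to %s via %s\n' "$nfsbox" "$router" "$ext_if"
    printf 'add 50 divert natd ip from %s to any out via %s\n' "$nat_net" "$ext_if"
    printf 'add 51 divert natd ip from any to %s in via %s\n' "$router" "$ext_if"
}

# ipsec.conf with the ah/transport//require clauses dropped; ESP in
# transport mode is the only remaining requirement in both directions.
ipsec_policy_esp_only() {
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/transport//require;\n' "$router" "$nfsbox"
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/transport//require;\n' "$nfsbox" "$router"
}
```

Run the generator functions through `ipfw -q /dev/stdin` and `setkey -c` as shown in the header comment; the order of rules 40/41 before 50/51 is what keeps the encrypted traffic away from natd.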