From: Nick Rogness <nick@rogness.net>
Date: Mon, 25 Feb 2002 11:19:10 -0600 (CST)
To: Alex Kiesel
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IpSec behind NAT
In-Reply-To: <20020224130534.GA8465@schlund.de>

On Sun, 24 Feb 2002, Alex Kiesel wrote:

> Hi,
>
> I am trying to set up a Host-to-Subnet IPsec tunnel. The basic
> configuration does work, as I can ping any host on the subnet from my
> single "road-warrior" host.
>
>   Host1                                                 subnetxyz
>        \                                               /
>   Host2 - Roadwarrior --- INTERNET --- IPsec-Gw - subnetxxx
>        /                                               \
>   Host3                                                 subnetbla
>
> Host1,2,3 all have private IP addresses 192.168.1.x
> Subnets have distinct IP addresses, e.g. 172.17.x.x
>
> Being logged in to Roadwarrior I can ping any host on any of those
> subnets, from which I conclude that my basic setup does work.
>
> But the roadwarrior is my net's firewall, so working from there is not
> what I want to do. I want to work from Host1. When I ping any host on
> a right subnet, I can see the following things:
>
> - the ping gets NAT'ed to my public IP address [which is ok]
> - the ping gets encrypted and is sent to the ipsec-gw. [ok]
> - the ping reaches the destination host, and it answers
> - the answer travels back over the encrypted tunnel to my roadwarrior
> - the packet even gets through my natd, but the destination address is
>   not rewritten to my Host1 IP address, so it does not reach me.
>
> I have to add that the remote gateway only permits a
> host-to-subnet tunnel, so that I have to do NAT. The problem is simply
> that the received packets do not get rewritten...
>
> Has anyone had such a problem? Any help is appreciated :)

The simple solution is to NOT NAT ipsec packets. You don't need to
and really don't want to. Are you using gif tunnels or not?

Add the firewalling for these hosts "around" the divert rule so IPSec
packets don't hit the natd divert rule. [If you are using ipfw].

Nick Rogness <nick@rogness.net>
 - Don't mind me...I'm just sniffing your packets
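The ipfw arrangement Nick describes, as an added example written for this page and not taken from the thread or from any FreeBSD script: tunnelled traffic between the inner LAN and the remote subnets, and the IPsec packets themselves (ESP, AH, IKE), are matched before the natd divert rule and skip over it, so only ordinary Internet traffic on the public interface is translated. The addresses come from Alex's description (192.168.1.0/24 for Host1..3, 172.17.0.0/16 for the remote subnets); the interface name fxp0, the rule numbers and the policy after rule 1000 are assumptions for illustration and should be adapted to the real ruleset.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipfw ruleset in the style
# of a FreeBSD rc.firewall that routes the IPsec-bound traffic "around" the
# natd divert rule, as suggested in the reply above.
#
# Assumed values, not verified against any real setup:
#   inner LAN   192.168.1.0/24  (Host1..3, from Alex's mail)
#   remote nets 172.17.0.0/16   (subnets behind the IPsec gateway, from Alex's mail)
#   EXT_IF      fxp0            (public interface that natd listens on; assumption)
set -u

IPFW=${IPFW:-/sbin/ipfw}     # set IPFW=echo to print the rules instead of loading them
EXT_IF=${EXT_IF:-fxp0}
INNER_NET=192.168.1.0/24
REMOTE_NETS="172.17.0.0/16"   # space-separated list; add more subnets here

load_rules() {
    $IPFW -f flush

    # Loopback traffic is never touched.
    $IPFW add 100 allow ip from any to any via lo0

    # The IPsec packets themselves must never reach natd: ESP and AH cannot
    # be rewritten sensibly, and IKE (UDP/500) must keep its real source port.
    $IPFW add 200 allow esp from any to any
    $IPFW add 210 allow ah  from any to any
    $IPFW add 220 allow udp from any 500 to any 500

    # Cleartext traffic between the inner LAN and the remote subnets jumps
    # over the divert rule (300 -> 1000) in both directions, so it is neither
    # translated on the way out nor left unrewritten on the way back.
    for net in $REMOTE_NETS; do
        $IPFW add 300 skipto 1000 ip from $INNER_NET to $net
        $IPFW add 300 skipto 1000 ip from $net to $INNER_NET
    done

    # Everything else on the public interface still goes through natd.
    $IPFW add 400 divert natd ip from any to any via $EXT_IF

    # From 1000 on: the ordinary policy, applied to NATed and tunnelled
    # traffic alike (a minimal stateful example; replace with your own).
    $IPFW add 1000 check-state
    $IPFW add 1010 allow ip from $INNER_NET to any keep-state
    $IPFW add 1020 allow icmp from any to any icmptypes 0,3,8,11
    $IPFW add 65000 deny log ip from any to any
}

# Sanity check that works without ipfw installed: every skipto bypass must
# carry a lower rule number than the divert rule, otherwise the bypass is
# evaluated too late and the packets are diverted anyway. Returns 0 if ok.
rule_order_ok() {
    ( IPFW=echo; load_rules ) | awk '
        $1 == "add" && $3 == "skipto" { if ($2 + 0 > maxskip) maxskip = $2 + 0 }
        $1 == "add" && $3 == "divert" { divert = $2 + 0 }
        END { exit ((maxskip > 0 && divert > 0 && maxskip < divert) ? 0 : 1) }'
}
```

Run it as `IPFW=echo sh ipsec-nat.sh` (after appending a call to `load_rules`) to review the generated rules before loading them for real; `rule_order_ok` is the check to rerun whenever rule numbers are reshuffled, since ipfw evaluates rules strictly by number and a bypass placed after the divert does nothing.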