Date:      Wed, 7 Jun 2006 14:07:19 -0700
From:      Devin Heckman <terrio@rescomp.berkeley.edu>
To:        Toni Schmidbauer <toni@stderror.at>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw, IPSec, and natd
Message-ID:  <20060607210719.GS18733@rescomp.berkeley.edu>
In-Reply-To: <86zmgp41pz.wl%toni@stderror.at>
References:  <20060606000954.GF18733@rescomp.berkeley.edu> <863behaljm.wl%toni@stderror.at> <20060607083516.GO18733@rescomp.berkeley.edu> <86zmgp41pz.wl%toni@stderror.at>

Weirdly enough, now that the AH requirement is relaxed, packets are
being dropped at random and connections to the computer via mynfsbox are
failing at random.

I did post to freebsd-questions before, but no responses were given.

I'll give it a day or two on this list before re-posting with more
info on the questions list. Thanks a bunch.

--
Devin Heckman

On 13:58 Wed 07 Jun, Toni Schmidbauer wrote:
> At Wed, 7 Jun 2006 01:35:16 -0700,
> Devin Heckman wrote:
> > has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> > when all three run at once with the "divert" rule enabled (if I'm right,
> > it's because natd is rewriting some information in packets which makes
> > IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> > know even how to begin fixing natd).
> > 
> > myrouter = 192.168.0.10, 10.0.0.1
> > mynatbox1 = 10.0.0.2
> > mynatbox2 = 10.0.0.3
> > mynfsbox = 192.168.0.11
> > 
> >                    IPSec
> >         mynfsbox <--------> myrouter
> >                                 | not IPSec
> >                                 |<---------> mynatbox1
> >                                 |<---------> mynatbox2
> > 
> > /usr/local/etc/ipsec.conf:
> > 
> > spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
> > spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;
> 
> could you repost your excellent description to freebsd-questions@? i am
> not that kind of an ipsec guru, my setup looks a bit different. for
> sure there are ipsec gurus on the ml.
> 
> your ipfw rules show that you divert every packet over sis0 to
> natd. i would try to specify only those addresses which should get
> rewritten by natd (in your case 192.168..). so packets sent from
> myrouter to mynfsbox do not pass natd.
> 
> another thing i would try is to disable ah (just remove
> ah/transport//require) from your ipsec.conf file. ah is not necessary
> for an encrypted connection, it provides protection against replay
> attacks. 
> 
> hth,
> toni
> -- 
> If you understand what you're doing, you're | toni at stderror dot at
> not learning anything.                      | Toni Schmidbauer
> -- Anonymous                                |
> 
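The failure Devin suspects, shown as an added example that is not code from the thread or from either poster: the script builds a transport-mode AH packet and a transport-mode ESP packet from myrouter to mynfsbox, applies the kind of rewrite natd performs to an outbound packet, and checks whether each integrity value still verifies. The HMAC key, SPI and payload are constructed; the addresses are the thread's. AH's ICV covers the immutable IPv4 header fields, source and destination address included (RFC 4302), so once natd has rewritten an address the receiver's ICV check fails, while a plain TTL decrement does not disturb it. ESP's ICV (RFC 4303) never covers the outer IP header, so it survives the rewrite; whether the packet is then usable is a separate question, since the TCP or UDP checksum inside is computed over the original addresses and sits under the encryption where natd cannot fix it.

```python
"""Why a natd-rewritten packet fails AH verification but not ESP's.
Added illustration, not code from the thread; key, SPI and payload are constructed."""
import hmac
import hashlib
import struct
import ipaddress

AUTH_KEY = bytes(range(20))   # constructed HMAC-SHA1-96 key shared by both peers
SPI = 0x00001000              # constructed SPI
IPPROTO_AH = 51
IPPROTO_ESP = 50
IPPROTO_TCP = 6


def hmac_sha1_96(data):
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero, a real stack fills it in."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_auth_view(ip_hdr):
    """RFC 4302 3.3.3.1: the AH ICV covers the IPv4 header with the mutable fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed. Source and destination
    addresses are immutable, so they ARE covered, and that is what NAT changes."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_header(next_hdr, seq, icv):
    # payload len field = AH length in 32-bit words minus 2: 24 bytes -> 6 words -> 4
    return struct.pack("!BBHII", next_hdr, 4, 0, SPI, seq) + icv


def ah_encapsulate(src, dst, seq, payload):
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload))
    zero_ah = ah_header(IPPROTO_TCP, seq, bytes(12))     # ICV zeroed for computation
    icv = hmac_sha1_96(ah_auth_view(ip_hdr) + zero_ah + payload)
    return ip_hdr + ah_header(IPPROTO_TCP, seq, icv) + payload


def ah_verify(packet):
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    received_icv = ah[12:24]
    expected = hmac_sha1_96(ah_auth_view(ip_hdr) + ah[:12] + bytes(12) + payload)
    return hmac.compare_digest(received_icv, expected)


def esp_encapsulate(src, dst, seq, payload):
    """ESP transport mode (RFC 4303): the ICV covers SPI, sequence number and the
    payload (stand-in here for ciphertext plus trailer), never the outer IP header."""
    body = struct.pack("!II", SPI, seq) + payload
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + 12) + body + hmac_sha1_96(body)


def esp_verify(packet):
    body, received_icv = packet[20:-12], packet[-12:]
    return hmac.compare_digest(received_icv, hmac_sha1_96(body))


def nat_rewrite_src(packet, new_src):
    """What natd does to an outbound packet handed to it: rewrite the source address
    (it would also fix the IP checksum, which neither ICV covers)."""
    p = bytearray(packet)
    p[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(p)


def decrement_ttl(packet):
    """What an ordinary router hop does; TTL is mutable, so AH tolerates it."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def simulate(transform):
    """Send myrouter -> mynfsbox (thread's addresses) with AH and with ESP, apply
    `transform` in transit, and report whether each ICV still verifies."""
    payload = b"constructed NFS request"
    ah_pkt = transform(ah_encapsulate("192.168.0.10", "192.168.0.11", 1, payload))
    esp_pkt = transform(esp_encapsulate("192.168.0.10", "192.168.0.11", 1, payload))
    return {"ah": ah_verify(ah_pkt), "esp": esp_verify(esp_pkt)}


if __name__ == "__main__":
    print("untouched:", simulate(lambda p: p))
    print("ttl-1    :", simulate(decrement_ttl))
    print("natd     :", simulate(lambda p: nat_rewrite_src(p, "10.0.0.1")))
```

Run as-is: the untouched and TTL-decremented packets verify under both protocols, and only the natd-rewritten AH packet fails. The same reasoning is why keeping IPsec traffic out of the `divert` rule matters: a packet that never reaches natd keeps the header its AH ICV was computed over.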



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060607210719.GS18733>