From owner-freebsd-net@FreeBSD.ORG Wed Jun 7 23:35:26 2006
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EDA2B16D8C3 for ; Wed, 7 Jun 2006 21:07:19 +0000 (UTC) (envelope-from terrio@hal.rescomp.berkeley.edu)
Received: from rescomp.berkeley.edu (keyserver.Rescomp.Berkeley.EDU [169.229.70.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD73943D49 for ; Wed, 7 Jun 2006 21:07:19 +0000 (GMT) (envelope-from terrio@hal.rescomp.berkeley.edu)
Received: by rescomp.berkeley.edu (Postfix, from userid 1232) id 92A9C5B779; Wed, 7 Jun 2006 14:07:19 -0700 (PDT)
Date: Wed, 7 Jun 2006 14:07:19 -0700
From: Devin Heckman
To: Toni Schmidbauer
Message-ID: <20060607210719.GS18733@rescomp.berkeley.edu>
References: <20060606000954.GF18733@rescomp.berkeley.edu> <863behaljm.wl%toni@stderror.at> <20060607083516.GO18733@rescomp.berkeley.edu> <86zmgp41pz.wl%toni@stderror.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86zmgp41pz.wl%toni@stderror.at>
User-Agent: Mutt/1.5.9i
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, IPSec, and natd
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 07 Jun 2006 23:35:26 -0000

Weirdly enough, now that the AH requirement is relaxed, packets are being dropped at random and connections to the computer via mynfsbox are failing at random.

I did post to freebsd-questions before, but no responses were given. I'll give it a day or two on this list before re-posting with more info on the questions list.

Thanks a bunch.
-- 
Devin Heckman

On 13:58 Wed 07 Jun , Toni Schmidbauer wrote:
> At Wed, 7 Jun 2006 01:35:16 -0700,
> Devin Heckman wrote:
> > has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> > when all three run at once with the "divert" rule enabled (if I'm right,
> > it's because natd is rewriting some information in packets which makes
> > IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> > know even how to begin fixing natd).
> >
> > myrouter = 192.168.0.10, 10.0.0.1
> > mynatbox1 = 10.0.0.2
> > mynatbox2 = 10.0.0.3
> > mynfsbox = 192.168.0.11
> >
> >             IPSec
> > mynfsbox <--------> myrouter
> >                        |   not IPSec
> >                        |<---------> mynatbox1
> >                        |<---------> mynatbox2
> >
> > /usr/local/etc/ipsec.conf:
> >
> > spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
> > spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;
>
> could you repost your excellent description to freebsd-questions@? i am
> not that kind of an ipsec guru, my setup looks a bit different. for
> sure there are ipsec gurus on the ml.
>
> your ipfw rules show that you divert every packet over sis0 to
> natd. i would try to specify only those addresses which should get
> rewritten by natd (in your case 192.168..). so packets sent from
> myrouter to mynfsbox do not pass natd.
>
> another thing i would try is to disable ah (just remove
> ah/transport//require) from your ipsec.conf file. ah is not necessary
> for an encrypted connection, it provides protection against replay
> attacks.
>
> hth,
> toni
> --
> If you understand what you're doing, you're | toni at stderror dot at
> not learning anything.                      | Toni Schmidbauer
> -- Anonymous                                |
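The two suggestions in the quoted reply (restrict the divert rule so the router-to-mynfsbox flow never reaches natd, and drop the AH requirement) written out as an rc.firewall-style script, as an added example that is not part of this thread and not either poster's configuration. The catch-all rule is reconstructed from the description "divert every packet over sis0 to natd"; the original ruleset is not on the page. Assumptions not in the post: sis0 is the interface the NAT clients and mynfsbox are reached over, the NAT clients live in 10.0.0.0/24 (the diagram lists 10.0.0.2 and 10.0.0.3), and the rule numbers are arbitrary. The practical point behind the AH change: AH's integrity check covers the outer IP header, including source and destination addresses, so any rewrite by natd invalidates it by design, whereas ESP's integrity check covers only the ESP payload, and an ESP SA with an authentication algorithm already provides integrity and anti-replay protection on its own.

```sh
#!/bin/sh
# Added example (not the original poster's rules).
# FWCMD defaults to a dry run that only prints the ipfw commands so the
# script runs anywhere; set FWCMD=/sbin/ipfw on the router to load them.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
oif="${OIF:-sis0}"        # assumption: interface the divert applied to
natnet="10.0.0.0/24"      # assumption: the NAT clients' network
router="192.168.0.10"     # myrouter, from the post
nfsbox="192.168.0.11"     # mynfsbox, from the post

# The problematic shape: every packet seen on sis0, including the router's
# own IPsec traffic to mynfsbox, is handed to natd for rewriting.
rules_divert_all() {
    $fwcmd add 100 divert natd ip from any to any via "$oif"
    $fwcmd add 65000 allow ip from any to any
}

# Restricted shape: the router<->mynfsbox flow is accepted before any
# divert rule, whatever form it takes when ipfw sees it (ESP, AH or the
# cleartext NFS traffic), and natd only sees what it is there for:
# outbound packets from the private network and inbound packets
# addressed to the router.
rules_divert_restricted() {
    $fwcmd add 50 allow ip from "$router" to "$nfsbox"
    $fwcmd add 51 allow ip from "$nfsbox" to "$router"
    $fwcmd add 100 divert natd ip from "$natnet" to any out via "$oif"
    $fwcmd add 110 divert natd ip from any to "$router" in via "$oif"
    $fwcmd add 65000 allow ip from any to any
}

# /usr/local/etc/ipsec.conf with only ESP required; authentication and
# anti-replay come from the ESP SA itself, and nothing covers the outer
# IP header, so a rewritten address no longer fails the integrity check.
ipsec_policy_no_ah() {
    cat <<EOF
spdadd $router/32 $nfsbox/32 any -P out ipsec esp/transport//require;
spdadd $nfsbox/32 $router/32 any -P in ipsec esp/transport//require;
EOF
}

# Count the catch-all divert rules a ruleset would install.
count_catchall_diverts() {
    "$1" | grep -c 'divert natd ip from any to any' || true
}

if [ "${1:-}" = "show" ]; then
    echo "# before:"; rules_divert_all
    echo "# after:";  rules_divert_restricted
    echo "# ipsec.conf:"; ipsec_policy_no_ah
fi
```

Run it with `show` to see the dry-run output; on the router, `FWCMD=/sbin/ipfw sh thisfile.sh` after changing the `if` guard to call `rules_divert_restricted` would load the rules. Reload the policy with `setkey -f /usr/local/etc/ipsec.conf` after editing it, and check with `setkey -DP` that the old AH entries are gone.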