Date: Thu, 26 Jun 2003 05:17:53 +1000
From: "Carl Morley" <carlm@webize.com.au>
To: <freebsd-isp@freebsd.org>
Subject: IPSEC with IPNAT conundrum
Message-ID: <000801c33b4e$7ae212b0$3364a8c0@cmlaptop>
Hello All,

Below is a question I posted to the ipfilter mail list, but the silence was deafening... Apologies for the 'not very ISP' problem on this list. I track this list and thought someone might be able to shed some light. Even if it is 'this is not feasible'!

I have set up an IPSEC connection from company (A) to another (B) by connecting from (A)'s FreeBSD 4.8-STABLE firewall running IPFILTER & IPNAT plus racoon to (B)'s Watchguard Firebox SOHO6. All works well when connecting *one* subnet at (A) to the subnet at (B). But the (A) network is quite extensive, comprising many private subnets. To expect the IPSEC-connected companies, e.g. (B), to maintain a list of (A)'s subnets so that the IPSEC policies work is not practical. So I figured that companies like (B) should just see (A) as one subnet, and (A) would NAT on the firewall. Was that an OK idea? Seemed easy enough at the time...

OK, the setup is this:

  Private IP        |   (A)    |    |          |    |   (B)    |
  subnets at     ---| FIREWALL |----| INTERNET |----| FIREWALL |--- subnet at
  company (A)       |          |    |          |    |          |    company (B)

Firewall (B) is expecting all IPSEC traffic to be coming from the public IP address on Firewall (A), as tunnelled private IP subnet 10.99.99.0/30 to (B)'s private IP address subnet 192.168.100.0/24.

I am trying to NAT all the internal subnets at (A) to 10.99.99.1. But it does not seem to work whichever way I try.

Questions:

1. On which interface should I alias the 10.99.99.1 IP on Firewall (A)? Choices seem to be internal (fxp2), external (fxp1), loopback (lo0) or some gif0 combination with the above. Any other suggestions?

   BTW, usually I would not bother with using the gif interfaces with racoon. All the IPSEC tunnels I have set up to date have been single subnet to single subnet. I wondered if mucking about with the gif i/f might help with the NAT issue. Except I cannot seem to get IPNAT to discern a clear direction of traffic flow on the gifs that I have set up thus far.

2. Having completed step 1, what should my NAT rule(s) look like? Given that they should be policy based (I think), e.g. if connecting to (B) use this NAT rule.

Looking forward to *any* pointers!

Regards,
Carl.
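The following is an added illustration, not part of Carl's post and not FreeBSD, IPFilter or racoon code. It models the one property the design above depends on: the outbound IPsec policy for 10.99.99.0/30 -> 192.168.100.0/24 can only match a packet whose source address has already been rewritten to 10.99.99.1 by the time the security policy database (SPD) is consulted. The internal subnets of (A) and the NAT ordering switch are assumptions for the demonstration; which order a given kernel actually applies is exactly what has to be checked on the box.

```python
import ipaddress

# Addresses taken from the post: (A) presents itself as 10.99.99.1 inside
# 10.99.99.0/30; (B)'s private subnet is 192.168.100.0/24.
B_SUBNET = ipaddress.ip_network("192.168.100.0/24")
NAT_TARGET = ipaddress.ip_address("10.99.99.1")

# Assumed internal subnets at (A); the post says there are "many".
A_INTERNAL = [ipaddress.ip_network(n) for n in
              ("192.168.1.0/24", "192.168.2.0/24", "10.20.0.0/16")]

# Outbound SPD as racoon/setkey would express it: (local selector,
# remote selector, action). Anything not matched is sent in the clear.
SPD_OUT = [
    (ipaddress.ip_network("10.99.99.0/30"), B_SUBNET, "ipsec"),
]


def spd_lookup(src, dst, spd=SPD_OUT):
    """Return the SPD action for a packet as the SPD sees it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, action in spd:
        if src in local and dst in remote:
            return action
    return "bypass"


def nat_source(src, dst, internal=A_INTERNAL, target=NAT_TARGET, remote=B_SUBNET):
    """Policy-based NAT: rewrite the source only for (A)-internal traffic
    destined to (B)'s subnet; everything else keeps its real source.
    (Many hosts behind one address also implies port translation, which
    is omitted from this model.)"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in remote and any(src in n for n in internal):
        return str(target)
    return str(src)


def outbound_decision(src, dst, nat_before_spd):
    """Model one outbound packet. nat_before_spd is an assumption switch:
    True  = the NAT rewrite is visible to the SPD lookup,
    False = the SPD sees the original internal source.
    Returns (source seen by SPD, SPD action)."""
    seen = nat_source(src, dst) if nat_before_spd else src
    return seen, spd_lookup(seen, dst)


if __name__ == "__main__":
    for order in (True, False):
        print("NAT before SPD:", order,
              outbound_decision("192.168.1.10", "192.168.100.5", order))
    print("Internet-bound:", outbound_decision("192.168.1.10", "203.0.113.7", True))
```

Run with either ordering: only when the rewrite precedes the policy lookup does a packet from 192.168.1.10 to 192.168.100.5 reach the SPD as 10.99.99.1 and get the "ipsec" action; otherwise it is "bypass" and would leave the firewall unencrypted with a source (B) has no policy for. Traffic to the public Internet is not rewritten at all, which is what the "policy based" NAT rule in question 2 has to guarantee.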