From: "Carl Morley" <carlm@webize.com.au>
To: freebsd-isp@freebsd.org
Date: Thu, 26 Jun 2003 05:17:53 +1000
Subject: IPSEC with IPNAT conundrum

Hello All,

Below is a question I posted to the ipfilter mail list, but the silence was deafening... Apologies for the 'not very isp' problem on this list. I track this list and thought someone might be able to shed some light. Even if it is 'this is not feasible'!

I have set up an IPSEC connection from company (A) to another (B) by connecting from (A)'s FreeBSD 4.8-STABLE firewall running IPFILTER & IPNAT plus racoon to (B)'s Watchguard Firebox SOHO6.

All works well when connecting *one* subnet at (A) to the subnet at (B). But the (A) network is quite extensive, comprising many private subnets. To expect the IPSEC connected companies, e.g. (B), to maintain a list of (A)'s subnets so that the IPSEC policies work is not practical.

So I figured that companies like (B) should just see (A) as one subnet - and (A) would NAT on the firewall. Was that an OK idea? Seemed easy enough at the time...

OK - the setup is this....

 Private IP      |          |    |          |    |          |    Private IP
 subnets at -----| FIREWALL |----| INTERNET |----| FIREWALL |----subnet at
 company (A)     |   (A)    |    |          |    |   (B)    |    company (B)
                 |          |    |          |    |          |

Firewall (B) is expecting all IPSEC traffic to be coming from the public IP address on Firewall (A), as tunnelled private IP subnet 10.99.99.0/30 to (B)'s private IP address subnet 192.168.100.0/24.

I am trying to NAT all the internal subnets at (A) to 10.99.99.1. But it does not seem to work whichever way I try.

Questions:

1. On which interface should I alias the 10.99.99.1 IP on Firewall (A)? Choices seem to be internal (fxp2), external (fxp1), loopback (lo0) or some gif0 combination with the above. Any other suggestions?

   BTW, usually I would not bother with using the gif interfaces with racoon. All the IPSEC tunnels I have set up to date have been single subnet to single subnet. Wondered if mucking about with the gif i/f might help with the NAT issue. Except I cannot seem to get IPNAT to discern a clear direction of traffic flow on the gifs that I have set up thus far.

2. Having completed step 1, what should my NAT rule(s) look like? Given that they should be policy based (I think), e.g. if connecting to (B) use this NAT rule.

Looking forward to *any* pointers!

Regards,
Carl.
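The rules the post is describing, written out as an added example (not the poster's own configuration, and not a verified answer: the interface choice from question 1 and whether ipnat rewrites the packet before the IPsec SPD lookup are exactly what is being asked). It assumes placeholders A_PUB and B_PUB for the two public addresses, two constructed internal subnets at (A), and that the `map ... from ... to ...` form of ipnat rule is available in the ipfilter shipped with 4.8.

```conf
# Added illustration of the setup in the post; not the poster's files and
# not a verified working configuration. Assumed values:
#   A_PUB, B_PUB                          public IPs of the two firewalls (placeholders)
#   192.168.10.0/24, 192.168.20.0/24      two of (A)'s many internal subnets (constructed)
#   fxp1                                  (A)'s external interface, as named in the post

# --- /etc/ipnat.rules on Firewall (A) ---
# Policy-based NAT: only traffic destined for (B)'s subnet is rewritten,
# and every (A) subnet is mapped to the single address 10.99.99.1 that (B)
# expects to see inside the tunnel. One portmap rule plus one plain rule per
# subnet, in the usual ipnat pattern (tcp/udp get port translation,
# everything else a plain address map). Unrelated Internet-bound traffic
# keeps whatever map rule the firewall already uses for its public address.
map fxp1 from 192.168.10.0/24 to 192.168.100.0/24 -> 10.99.99.1/32 portmap tcp/udp 10000:20000
map fxp1 from 192.168.10.0/24 to 192.168.100.0/24 -> 10.99.99.1/32
map fxp1 from 192.168.20.0/24 to 192.168.100.0/24 -> 10.99.99.1/32 portmap tcp/udp 10000:20000
map fxp1 from 192.168.20.0/24 to 192.168.100.0/24 -> 10.99.99.1/32

# --- setkey(8) policy on Firewall (A), loaded with: setkey -f <this file> ---
# The SPD selectors match the already-translated source (10.99.99.0/30),
# which is why the NAT rewrite must take place before the IPsec policy
# lookup for the tunnel to carry the traffic at all. racoon negotiates the
# SAs between A_PUB and B_PUB; the tunnel endpoints here must match what
# the Firebox at (B) has been told to expect.
spdadd 10.99.99.0/30 192.168.100.0/24 any -P out ipsec esp/tunnel/A_PUB-B_PUB/require;
spdadd 192.168.100.0/24 10.99.99.0/30 any -P in  ipsec esp/tunnel/B_PUB-A_PUB/require;
```

A quick check of whether the translation happens on the path racoon's policy sees is to watch `ipnat -l` for active sessions towards 192.168.100.0/24 while running `tcpdump -i fxp1 esp` on the outside: sessions that appear in ipnat but never produce ESP packets point at the ordering problem rather than at the rule syntax.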