Date:      Thu, 30 Oct 2003 15:05:09 -0600
From:      Mark Johnston <mjohnston@skyweb.ca>
To:        security@freebsd.org
Cc:        net@freebsd.org
Subject:   Using racoon-negotiated IPSec with ipfw and natd
Message-ID:  <20031030210509.GA667@omoikane.mb.skyweb.ca>

[ -netters, please Cc me or security@ with replies. ]

I'm running into trouble integrating dynamic racoon-based IPSec into a network
with ipfw and natd.  I need to be able to allow VPN access from any address
from authenticated clients.  I've got the dynamic VPN working, with racoon
negotiating SAs and installing SPs, but the problem is that I can't tell
whether an incoming packet on the internal interface should go through natd or
not.

The problem looks like this.  I have 3 boxes, mobile, gateway, and internal,
and I'm trying to ping internal from mobile.

- gateway receives an ESP packet from mobile (encapsulating a ping).
- gateway decrypts and transmits an ICMP packet to internal with mobile's
  source address.
- internal generates the ICMP response to mobile.
- gateway receives the response, runs it through natd, and sends it out in the
  clear to mobile with gateway's source address.

The packet is going out in the clear because after natd rewrites it, its source
address is gateway's external interface - not part of the SP.  What I want to
accomplish, in pseudo-ipfw, is this:

pass esp from any to me
pass ip from known-sp-sources to 192.168.0.0/24
pass ip from 192.168.0.0/24 to known-sp-destinations
divert natd from 192.168.0.0/24 to any
deny ip from any to 192.168.0.0/24
pass ip from me to any keep-state

All I'm missing is the known-sp definitions.  If anyone has any pointers on
doing this, please share.  If I'm going about it totally bass-ackwards, I'd
like to hear that too.  :)

Thanks,
Mark
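To make the ordering problem described in the message concrete, the following Python model (an added example, not code from the original post or from FreeBSD) treats the SPD as a list of src/dst selectors, derives the "known-sp-destinations" set from it, and compares the two placements of the natd divert on the gateway's outbound path. Only 192.168.0.0/24 comes from the message; the mobile and gateway addresses are constructed.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str

class Policy(NamedTuple):
    """One racoon-installed SP: traffic from src to dst must leave as ESP."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # from the message
GATEWAY_EXT = "203.0.113.1"   # gateway's external address (constructed)
MOBILE = "198.51.100.7"       # mobile's current address (constructed)

def vpn_policy(peer_ip):
    """SP racoon would install once the peer authenticates: internal net <-> peer."""
    return Policy(INTERNAL_NET, ipaddress.ip_network(peer_ip + "/32"))

def known_sp_destinations(spd):
    """Derive the 'known-sp-destinations' set from the SPD: the dst selector
    of every SP whose src selector covers the internal network."""
    return [p.dst for p in spd if p.src.overlaps(INTERNAL_NET)]

def spd_lookup(spd, pkt):
    """True if an SP covers the packet as currently addressed (IPsec will ESP it)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in p.src and d in p.dst for p in spd)

def natd(pkt):
    """natd rewrites the source to the gateway's external address."""
    return Packet(GATEWAY_EXT, pkt.dst)

def gateway_out(pkt, spd, sp_rule_before_divert):
    """Emulate the ipfw rule order. Returns (mode, packet as it hits the wire)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if s in INTERNAL_NET:
        to_vpn_peer = any(d in n for n in known_sp_destinations(spd))
        # 'pass ip from 192.168.0.0/24 to known-sp-destinations' must come
        # before 'divert natd from 192.168.0.0/24 to any' to skip the rewrite
        if not (sp_rule_before_divert and to_vpn_peer):
            pkt = natd(pkt)
    # IPsec output processing sees whatever ipfw/natd handed it
    return ("esp" if spd_lookup(spd, pkt) else "clear", pkt)

if __name__ == "__main__":
    spd = [vpn_policy(MOBILE)]
    reply = Packet("192.168.0.10", MOBILE)  # internal's ICMP echo reply
    print("natd first:   ", gateway_out(reply, spd, False))  # clear, rewritten
    print("SP rule first:", gateway_out(reply, spd, True))   # esp, unchanged
```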