Date: Thu, 30 Oct 2003 15:05:09 -0600 From: Mark Johnston <mjohnston@skyweb.ca> To: security@freebsd.org Cc: net@freebsd.org Subject: Using racoon-negotiated IPSec with ipfw and natd Message-ID: <20031030210509.GA667@omoikane.mb.skyweb.ca>
[ -netters, please Cc me or security@ with replies. ]

I'm running into trouble integrating dynamic racoon-based IPSec into a network with ipfw and natd. I need to be able to allow VPN access from any address from authenticated clients. I've got the dynamic VPN working, with racoon negotiating SAs and installing SPs, but the problem is that I can't tell whether an incoming packet on the internal interface should go through natd or not.

The problem looks like this. I have 3 boxes: mobile, gateway, and internal, and I'm trying to ping internal from mobile.

- gateway receives an ESP packet from mobile (encapsulating a ping).
- gateway decrypts and transmits an ICMP packet to internal with mobile's source address.
- internal generates the ICMP response to mobile.
- gateway receives the response, runs it through natd, and sends it out in the clear to mobile with gateway's source address.

The packet is going out in the clear because after natd rewrites it, its source address is gateway's external interface - not part of the SP.

What I want to accomplish, in pseudo-ipfw, is this:

    pass esp from any to me
    pass ip from known-sp-sources to 192.168.0.0/24
    pass ip from 192.168.0.0/24 to known-sp-destinations
    divert natd from 192.168.0.0/24 to any
    deny ip from any to 192.168.0.0/24
    pass ip from me to any keep-state

All I'm missing is the known-sp definitions. If anyone has any pointers on doing this, please share. If I'm going about it totally bass-ackwards, I'd like to hear that too. :)

Thanks,
Mark
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031030210509.GA667>
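The ruleset below is an added example and is not part of the original message or a reply to it. It shows one way to get the "known-sp" matching the post asks for without enumerating SP entries at all: the decrypted inner packet re-enters ipfw carrying IPsec history, which ipfw2's `ipsec` option matches, and `keep-state` on that rule creates a dynamic entry that the reply from the internal host hits at a `check-state` placed before the natd divert. The reply is therefore accepted with its internal source address intact, leaves the firewall, and is then matched by the SP and encrypted, instead of being rewritten by natd first. Assumptions: ipfw2 with the `ipsec` option, a kernel built with IPSEC and IPSEC_FILTERGIF (otherwise decrypted packets bypass ipfw and the `ipsec` rule never sees them), racoon on the gateway, and the interface names `fxp0`/`fxp1`, which are invented for illustration. `rule_number` is a helper for checking the ordering offline and is not an ipfw feature.

```shell
#!/bin/sh
# Added example (not from the original post): an ipfw ruleset that keeps natd away
# from replies to IPsec peers by letting ipfw's stateful engine, rather than the
# SP database, recognise them.  Assumes ipfw2 with the `ipsec' option and a kernel
# built with IPSEC and IPSEC_FILTERGIF so decrypted packets re-enter ipfw.

ext_if="fxp0"                # assumed external interface
int_if="fxp1"                # assumed internal interface
int_net="192.168.0.0/24"     # internal network from the post
fwcmd="${fwcmd:-/sbin/ipfw}" # set fwcmd=echo to preview the rules without loading them

load_rules() {
    $fwcmd -q flush

    # Loopback and the internal LAN are trusted.
    $fwcmd add 10  allow ip from any to any via lo0
    $fwcmd add 20  allow ip from any to any via "$int_if"

    # IKE (racoon) and ESP to and from the gateway itself.  ESP out is allowed
    # here so an already-encrypted packet can never be handed to natd.
    $fwcmd add 100 allow udp from any 500 to me 500
    $fwcmd add 110 allow esp from any to me
    $fwcmd add 120 allow esp from me to any

    # Replies to packets that arrived through an SA match the dynamic rule
    # created by rule 300 and are accepted here, BEFORE the natd divert, so the
    # internal source address survives and the SP still matches on output.
    $fwcmd add 200 check-state

    # Packets the kernel has just decrypted carry IPsec history; `ipsec' matches
    # exactly those.  keep-state records (mobile -> internal host) so the reverse
    # direction is recognised by rule 200.
    $fwcmd add 300 allow ip from any to "$int_net" in ipsec keep-state

    # A clear-text packet arriving from outside with an internal destination
    # did not come through an SA; drop it before natd can see it.
    $fwcmd add 350 deny ip from any to "$int_net" in recv "$ext_if"

    # Everything left that crosses the external interface is ordinary NAT traffic.
    $fwcmd add 400 divert natd ip from any to any via "$ext_if"

    # After natd: outbound now carries the gateway's address, and inbound replies
    # that natd translated back carry an internal address again.
    $fwcmd add 500 allow ip from me to any out xmit "$ext_if"
    $fwcmd add 510 allow ip from any to "$int_net" in recv "$ext_if"
    $fwcmd add 520 allow tcp from any to me in recv "$ext_if" established
    $fwcmd add 530 allow icmp from any to me in recv "$ext_if" icmptypes 0,3,11

    $fwcmd add 65000 deny ip from any to any
}

# Helper for checking the ordering offline (not an ipfw feature): prints the
# number of the first generated rule whose text matches the pattern in $1,
# by running load_rules with fwcmd=echo in a subshell.
rule_number() {
    ( fwcmd=echo; load_rules ) | awk -v pat="$1" '$1 == "add" && $0 ~ pat { print $2; exit }'
}

if [ "${1:-}" = "load" ]; then
    load_rules
fi
```

The ordering is the whole point: `check-state` (200) and the `ipsec keep-state` rule (300) must both sit above the `divert natd` rule (400), and the deny for clear-text packets with an internal destination (350) must sit above it too, or natd gets a first look at the VPN reply and the post's symptom returns. Run `sh thisfile.sh load` on the gateway to install the rules, or `fwcmd=echo sh thisfile.sh load` to print them first. This is not the only workable layout; a ruleset that keeps state on post-NAT outbound traffic would need its own `check-state` placed after the divert instead, because the dynamic entry would then carry the gateway's address and match untranslated inbound replies too early.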