From: Mark Johnston
To: security@freebsd.org
Cc: net@freebsd.org
Date: Thu, 30 Oct 2003 15:05:09 -0600
Subject: Using racoon-negotiated IPSec with ipfw and natd

[ -netters, please Cc me or security@ with replies. ]

I'm running into trouble integrating dynamic racoon-based IPSec into a
network with ipfw and natd. I need to be able to allow VPN access from
any address from authenticated clients. I've got the dynamic VPN
working, with racoon negotiating SAs and installing SPs, but the
problem is that I can't tell whether an incoming packet on the internal
interface should go through natd or not.

The problem looks like this. I have 3 boxes: mobile, gateway, and
internal, and I'm trying to ping internal from mobile.

- gateway receives an ESP packet from mobile (encapsulating a ping).
- gateway decrypts and transmits an ICMP packet to internal with
  mobile's source address.
- internal generates the ICMP response to mobile.
- gateway receives the response, runs it through natd, and sends it out
  in the clear to mobile with gateway's source address.

The packet is going out in the clear because after natd rewrites it,
its source address is gateway's external interface - not part of the SP.

What I want to accomplish, in pseudo-ipfw, is this:

    pass esp from any to me
    pass ip from known-sp-sources to 192.168.0.0/24
    pass ip from 192.168.0.0/24 to known-sp-destinations
    divert natd from 192.168.0.0/24 to any
    deny ip from any to 192.168.0.0/24
    pass ip from me to any keep-state

All I'm missing is the known-sp definitions. If anyone has any pointers
on doing this, please share. If I'm going about it totally
bass-ackwards, I'd like to hear that too. :)

Thanks,
Mark
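One way to supply the missing known-sp definitions, as an added example that is not from Mark's post: read the SPD that racoon has installed (the output of `setkey -DP`), pull the peer addresses out of it, and emit the ruleset sketched above. The `setkey -DP` entry layout is an assumption taken from the constructed sample inside the script, the inner network is the post's 192.168.0.0/24, and the divert rule is given the protocol keyword ipfw requires.

```shell
#!/bin/sh
# Added example, not code from the original post: fill in the "known-sp" sets
# from the SPD racoon installs, as printed by `setkey -DP`, and emit the ruleset.
# ASSUMED: the setkey -DP entry layout of the constructed sample below
# ("src[port] dst[port] proto" header, then an indented "in ipsec"/"out ipsec").
INNER_NET=192.168.0.0/24   # the inner network from the post

# Constructed sample SPD: two inbound client policies, one outbound policy.
SAMPLE_SPD='203.0.113.7[any] 192.168.0.0/24[any] any
    in ipsec
    esp/tunnel/203.0.113.7-198.51.100.1/require
    spid=1 seq=2 pid=500
    refcnt=1
192.168.0.0/24[any] 203.0.113.7[any] any
    out ipsec
    esp/tunnel/198.51.100.1-203.0.113.7/require
    spid=2 seq=1 pid=500
    refcnt=1
198.51.100.200[any] 192.168.0.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.200-198.51.100.1/require
    spid=3 seq=0 pid=500
    refcnt=1'

# known_sp_peers DIR SPD: peer address of every DIR ("in"/"out") policy,
# i.e. the source of inbound SPs or the destination of outbound SPs.
known_sp_peers() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        /^[0-9]/ { src = $1; dst = $2; sub(/\[.*/, "", src); sub(/\[.*/, "", dst); next }
        $1 == dir && $2 == "ipsec" { peer = (dir == "in") ? src : dst; print peer }' | sort -u
}

# The post's pseudo-ipfw with the known-sp sets filled in. Decrypted VPN
# traffic is passed before the natd divert so it is never rewritten;
# ipfw needs a protocol on the divert rule, hence "ip".
build_ruleset() {
    echo "ipfw add pass esp from any to me"
    for src in $(known_sp_peers in "$1"); do
        echo "ipfw add pass ip from $src to $INNER_NET"
    done
    for dst in $(known_sp_peers out "$1"); do
        echo "ipfw add pass ip from $INNER_NET to $dst"
    done
    echo "ipfw add divert natd ip from $INNER_NET to any"
    echo "ipfw add deny ip from any to $INNER_NET"
    echo "ipfw add pass ip from me to any keep-state"
}

build_ruleset "$SAMPLE_SPD"
```

racoon adds and removes these SPs as clients connect and disconnect, so the ruleset has to be regenerated whenever the SPD changes; a one-off snapshot goes stale.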