FreeBSD Mail Archives

Date:      Sat, 28 Sep 2002 16:35:26 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        Ian Cartwright <ian351c@cox.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: VPN Routing through gif (4) tunnel
Message-ID:  <3D963CBE.4080803@isi.edu>
References:  <006001c26723$f80775f0$6600a8c0@iansxp>


[-- Attachment #1 --]
Ian,

Ian Cartwright wrote:
> 
> As I understand it, so long as the local tunnel endpoint is the external
> interface of the local gateway, the encapsulated traffic should already
> look like it is coming from the external interface and should not be
> NATed (while the traffic inside the tunnel looks like it is coming from
> my local RFC1918 network).

Yes, the tunnel should go between the external addresses. But your NAT 
is still causing a problem. Consider this packet, send from a host on 
your local network to a host behind the remote tunnel end:

	| 192.168.0.10->200.200.200.20 | Data |

When it reaches your local security gateway, there are two choices:

(1) NAT gets the packet first, in which case it will be translated into
| 100.100.100.1->200.200.200.20 | Data |

(2) IPsec gets the packet first, in which case it will be encapsulated 
(## is the IPsec header):
| 100.100.100.1->200.200.201.1 ## 192.168.0.10->200.200.200.20 | Data |

If the second case occurs, your current SA should already cause this 
to happen.	

> It is also my understanding that IPFILTER
> sees the traffic before the rest of the kernel (i.e. KAME) and may do
> the NATing before it enters the IPSec tunnel, thus munging the works
> entirely. This does not bode well.

That is your problem, I think. IPfilter goes first, and your current SA 
does not match the NAT'ed packet.

Try changing your SA so that the selector matches the packet under (1) 
above, so the final packet would look like
| 100.100.100.1->200.200.201.1 ## 100.100.100.1->200.200.200.20 | Data |

This is moderately ugly, since we're using the same address in the inner 
and outer header, but that's what you get for using NATs... Note that 
there's a good chance that the IPsec implementation on either side will 
balk at this.

> Was my original assumption correct, that as long as the tunnel is
> specified correctly in the SPD, that the routing will happen
> automgically?

Yes. Once the correct SA is in place, forwarding over the tunnel should 
happen.

Lars
-- 
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute

[-- Attachment #2 --]
0�	*�H��
��0�10	+0�	*�H��
��	�0�80���fEr��t��cvE��.�0
	*�H��
0��10	UZA10UWestern Cape10U	Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0)	*�H��
	personal-freemail@thawte.com0
000830000000Z
040827235959Z0��10	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.300��0
	*�H��
��0�����32�c�	%E>�nx'g��ڈ���D)�c5*mp<�ܮ��to0�3��4q��m���O�e�
�K���a����U�5��u�'��r���װ�����|CBPQ��<�9��T������If-	��k�i�N0L0)U"0 �010UPrivateLabel1-2970U�0�0U0
	*�H��
��1�KG]�q��Sl]y�=��&b�"��"��I�'{9����$����
*8�PU�l�
�L����G�l�X�1B	l�i�+�@]j�y��.%݊���
��Z��<�D�&i�H�Υ����bb��0�90���%A0
	*�H��
0��10	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.300
020824185339Z
030824185339Z0T10
UEggert1
0U*Lars10ULars Eggert10	*�H��
	
larse@isi.edu0�"0
	*�H��
�0�
��6F�x����ΰ7��a��ED��&0��+Dj�)ֽ�X��CUc��n�lei��jm�z~S�����0�J�j�W�V�~	1^����({�I�ݛL�j��Ӗ
a�����o:bP�}W���L��V�ܱ��욗cD��ɖ_��K�v.�����A(���W4���9�;�Z�8�-��uXE
6�b
@_0%�#d�`�����R�to5 L0���R`w��@7
�r	�H�����c�c�����	�U�3�%7N_o�V0T0*+e!000L2uMyffBNUbNJJcdZ2s0U0�
larse@isi.edu0U�00
	*�H��
��]�Ȕ��,�����fK<�������cj���R�Z�eL�an�@���Z6,��=
�fK�?y�O#��8��+�	����Ni�*LS��f���pQ��g<�(aӒ��$�k���Tx�_AL��1>ގ|S�0�90���%A0
	*�H��
0��10	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.300
020824185339Z
030824185339Z0T10
UEggert1
0U*Lars10ULars Eggert10	*�H��
	
larse@isi.edu0�"0
	*�H��
�0�
��6F�x����ΰ7��a��ED��&0��+Dj�)ֽ�X��CUc��n�lei��jm�z~S�����0�J�j�W�V�~	1^����({�I�ݛL�j��Ӗ
a�����o:bP�}W���L��V�ܱ��욗cD��ɖ_��K�v.�����A(���W4���9�;�Z�8�-��uXE
6�b
@_0%�#d�`�����R�to5 L0���R`w��@7
�r	�H�����c�c�����	�U�3�%7N_o�V0T0*+e!000L2uMyffBNUbNJJcdZ2s0U0�
larse@isi.edu0U�00
	*�H��
��]�Ȕ��,�����fK<�������cj���R�Z�eL�an�@���Z6,��=
�fK�?y�O#��8��+�	����Ni�*LS��f���pQ��g<�(aӒ��$�k���Tx�_AL��1>ގ|S�1�'0�#0��0��10	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.30%A0	+��a0	*�H��
	1	*�H��
0	*�H��
	1
020928233526Z0#	*�H��
	1��o44Z+�4���6NFg0R	*�H��
	1E0C0
*�H��
0*�H��
�0
*�H��
@0+0
*�H��
(0��*�H��
	1�����0��10	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.30%A0
	*�H��
��3`���J�C�,捳��E1�wQ4-�Ъ�kA��R��z�i��ă�=}�/���Bm���z�q��Z�Ձ�J���U�J���pp��s���|<,4G��e���0nǇ�F*I,��'P�,�`o�H<��b�'\�M�|H�S9.���/���@��&��ncT�lX<��,0�(Q2�ÈL�ȓ3�c���S�"�۟�J���Cl�2<q�CD�.:D���u��ƦHB+�

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D963CBE.4080803>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation