Date: Thu, 21 Nov 2002 08:53:32 -0600
From: David Kelly <dkelly@hiwaay.net>
To: "Patrick M. Hausen" <hausen@punkt.de>
Cc: Helge Oldach <freebsd-stable-21nov02@oldach.net>, archie@dellroad.org, guido@gvr.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <20021121145332.GA57883@grumpy.dyndns.org>
In-Reply-To: <200211210852.gAL8qscD076629@hugo10.ka.punkt.de>
References: <200211210837.gAL8b4Se080747@sep.oldach.net> <200211210852.gAL8qscD076629@hugo10.ka.punkt.de>
On Thu, Nov 21, 2002 at 09:52:54AM +0100, Patrick M. Hausen wrote:
>
> If I have a setup with two LANs with RFC 1918 addresses coupled
> via two VPN boxes over the Internet, I need to:
>
> - deny packets with RFC 1918 addresses, when they come in from
>   the Internet
> - but pass ESP and AH in when coming from the peer
> - divert everything else that is explicitly allowed to natd
>
> This part is quite easy.
>
> - at the same time pass RFC 1918 to RFC 1918 _without_ NAT if
>   it _is_ a decrypted packet coming from the remote LAN
>
> This part is impossible at the moment with tunnel mode and ipfw.
> So you end up passing everything from private to private and
> cross your fingers - or use two machines on each side.

Glad I didn't know this in advance as that is exactly what I believe I
have. Two FreeBSD systems, one on each end connected to cable modem.
About 8 machines behind one on 192.168.100.0/24 and 10 or 15 behind the
other on 10.0.0.0/24. An ESP tunnel between.

Each gateway has .254 as its internal address used as the default
gateway for the internal machines. /etc/ipsec.conf uses .253. I just
pull this number out of the air and use it in ipsec.conf and a static
route. No ifconfig, no other host, it just works:

    flush;
    spdflush;
    spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec esp/tunnel/24.xx.xx.xx-24.yy.yy.yy/require ;
    spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec esp/tunnel/24.yy.yy.yy-24.xx.xx.xx/require ;

Then in /etc/rc.conf I set a static route:

    # the VPN route:
    static_routes="remote"
    route_remote="-inet 192.168.100.0/24 -interface 192.168.100.253"

Natd is running on the external interface at both ends.

Now, what part of "impossible" am I doing right, wrong, or simply not
understanding? The decrypted packets fly thru natd on the way to
internal networks on each end but are not molested in the process. I
don't care if it goes thru natd or ipfw several times so long as the
right thing is done.
Other than my decrypted packets have started appearing to ipfw as if
they were coming from fxp1 (which is what started this mess) everything
else is working just fine.

Oh, except for passive ftp. Non-passive ftp works well with the
"punch_fw" option to /etc/natd.conf. But this is a topic for another
day.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
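The SPD pair and static route in the message above, checked for consistency by an added script that is not part of the message or of FreeBSD. It parses setkey(8) spdadd lines and the rc.conf route string, and reports when the "in" policy is not the mirror of the "out" policy (swapped selectors or tunnel endpoints), when a policy is not tunnel mode or is at level "use" rather than "require" (with "use", traffic passes in the clear whenever no SA exists), and when the route does not steer the remote network at the same .253 address the policies name. The sample config is constructed from the message; the public endpoints it elides as 24.xx.xx.xx and 24.yy.yy.yy are replaced by the documentation addresses 192.0.2.10 and 198.51.100.20, and the function names (parse_spd, check_policies, check_route) are mine. It does not address Patrick's point that ipfw cannot tell a decrypted packet from a spoofed RFC 1918 packet; it only catches the configuration slips that a gateway would otherwise fail on silently.

```python
"""Consistency checks for a setkey(8) SPD in/out pair and the static route
that feeds it.  Added illustration; the sample configuration is constructed."""
import ipaddress
import re

# Constructed sample modelled on the message.  The real tunnel endpoints are
# elided there (24.xx.xx.xx / 24.yy.yy.yy); documentation addresses stand in.
SAMPLE_SPD = """
flush;
spdflush;
spdadd 10.0.0.253/24 192.168.100.253/24 any -P out ipsec esp/tunnel/192.0.2.10-198.51.100.20/require ;
spdadd 192.168.100.253/24 10.0.0.253/24 any -P in ipsec esp/tunnel/198.51.100.20-192.0.2.10/require ;
"""
SAMPLE_ROUTE = "-inet 192.168.100.0/24 -interface 192.168.100.253"

# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/EP_A-EP_B/LEVEL ;
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/([^-\s]+)-([^/\s]+)/(\w+)\s*;"
)
ROUTE_RE = re.compile(r"-inet\s+(\S+)\s+-interface\s+(\S+)")


def parse_spd(text):
    """Return one dict per spdadd line; flush/spdflush and blank lines are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPD_RE.match(line)
        if not m:
            raise ValueError("unparsable spdadd line: " + line)
        src, dst, upper, direction, proto, mode, ep_a, ep_b, level = m.groups()
        policies.append({
            "dir": direction,
            # ip_interface keeps both the host (.253) and the /24 it sits in
            "src": ipaddress.ip_interface(src),
            "dst": ipaddress.ip_interface(dst),
            "upper": upper, "proto": proto, "mode": mode,
            "ep_a": ipaddress.ip_address(ep_a), "ep_b": ipaddress.ip_address(ep_b),
            "level": level,
        })
    return policies


def check_policies(policies):
    """Return a list of findings; an empty list means the pair is a proper mirror."""
    by_dir = {p["dir"]: p for p in policies}
    if len(policies) != 2 or set(by_dir) != {"in", "out"}:
        return ["expected exactly one 'in' and one 'out' policy"]
    out, inn = by_dir["out"], by_dir["in"]
    findings = []
    if (out["src"].network, out["dst"].network) != (inn["dst"].network, inn["src"].network):
        findings.append("in policy selectors do not mirror the out policy")
    if (out["ep_a"], out["ep_b"]) != (inn["ep_b"], inn["ep_a"]):
        findings.append("in policy tunnel endpoints are not the reverse of the out policy")
    for p in (out, inn):
        if p["mode"] != "tunnel":
            findings.append(f"{p['dir']} policy is not tunnel mode")
        if p["level"] != "require":
            # 'use' falls back to cleartext when no SA is up; 'require' drops instead
            findings.append(f"{p['dir']} policy level is '{p['level']}', not 'require'")
        if not (p["src"].network.is_private and p["dst"].network.is_private):
            findings.append(f"{p['dir']} policy selectors are not both RFC 1918 space")
    return findings


def check_route(route_spec, policies):
    """The route must cover exactly the out policy's remote network, via the same
    .253 address the policy names; otherwise traffic never matches the SPD."""
    m = ROUTE_RE.search(route_spec)
    if not m:
        return ["unparsable route spec"]
    dest = ipaddress.ip_network(m.group(1), strict=False)
    via = ipaddress.ip_address(m.group(2))
    out = next((p for p in policies if p["dir"] == "out"), None)
    if out is None:
        return ["no out policy to compare the route against"]
    findings = []
    if dest != out["dst"].network:
        findings.append(f"route destination {dest} differs from out policy dst {out['dst'].network}")
    if via != out["dst"].ip:
        findings.append(f"route interface address {via} is not the policy's {out['dst'].ip}")
    return findings


if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    print(check_policies(pols) + check_route(SAMPLE_ROUTE, pols) or "config consistent")
```

Run it against a real /etc/ipsec.conf and the route_* value from rc.conf on each gateway; the two gateways' files should parse to policies that are each other's mirror, so the same script can be pointed at both sides to confirm the endpoints were not transposed on one of them.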