Date: Mon, 5 Jun 2006 17:09:54 -0700
From: Devin Heckman <terrio@rescomp.berkeley.edu>
To: freebsd-net@freebsd.org
Subject: ipfw, IPSec, and natd
Message-ID: <20060606000954.GF18733@rescomp.berkeley.edu>
Hi,

I recently tried to set up a computer to act as a NAT using FreeBSD 6.1. ipfw functions as it should, as well as IPSec, but I've run into some problems when setting up the NAT. I have two computers behind it, neither of which needs to speak IPSec (and they aren't configured to do so). The NAT computer should speak IPSec with one other computer, from which it mounts home directories via NFS. When I enable natd, ipfw, and IPSec, the connection to the computer with which I speak IPSec breaks, but the NAT functions properly.

My ipfw rules look like this:

    cmd="/sbin/ipfw -q add"
    $cmd 0001 allow udp from any to any isakmp
    $cmd 0002 allow esp from $ipsec_servers to me
    $cmd 0003 allow ah from $ipsec_servers to me
    $cmd 0004 divert natd all from any to any via sis0
    ...
    $cmd 0015 allow icmp from any to any
    $cmd 9900 allow all from me to any
    $cmd 9910 allow all from any to any established
    $cmd 9999 deny log all from any to me

And natd.conf, which is called when natd is started in the rc scripts, looks like this:

    port 8668
    interface sis0
    log yes

Does anyone have any experience with problems such as this? I should note that when I change the third rule of my firewall to this:

    $cmd 0004 tee natd all from any to any via sis0

everything works as it should, except I get duplicate packets in the stream (ping informs me of dupes). This leads me to believe that when a packet is sent to natd and contains IPSec information, things get garbled and broken; sending a clean packet through the rest of the stream via tee makes sure that things work properly (except the dupes). This is a hackish workaround that I'd rather avoid.

Feel free to ask for anything else that may clarify the problem. Also, if I should redirect this to another list, feel free to suggest that instead.

Thanks,

-- 
Devin Heckman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060606000954.GF18733>
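The ruleset in the post hands every packet crossing sis0 in either direction to natd, including the NAT box's own traffic to its IPsec peer, because rule 0004 uses `via` and matches `all`. The duplicate packets seen with `tee` are expected: `tee` sends a copy to the divert socket and lets the original continue to the next rule, while natd writes its copy back, so both go out. The script below is an added example, not code from the thread or from FreeBSD, and it is not the thread's diagnosis: it shows one ordering that keeps the IPsec peer's packets away from natd by accepting them before the divert rule and by restricting the divert to traffic that actually needs translation, plus an awk check you can run over `ipfw list` output to confirm that no rule naming the peer sits below the first `divert`. The interface name sis0 and the natd port 8668 come from the post; the inside network 192.168.1.0/24 and the peer address 192.0.2.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw rules for a FreeBSD NAT box
# that also speaks IPsec with one peer, with the peer's traffic kept away from
# natd. Assumed values: 192.168.1.0/24 is the inside network and 192.0.2.10 is
# the IPsec/NFS peer; sis0 and port 8668 are taken from the post.
ext_if="${EXT_IF:-sis0}"
inner_net="${INNER_NET:-192.168.1.0/24}"
ipsec_servers="${IPSEC_SERVERS:-192.0.2.10}"
natd_port="${NATD_PORT:-8668}"

# Print the ruleset in the order it must be installed. ipfw evaluates rules by
# number, and a packet matched by 'divert' leaves the ruleset to natd and only
# re-enters at the next rule if natd writes it back. Everything natd must not
# touch (IKE, ESP/AH, and the box's own traffic to the peer) is accepted before
# the divert rules, and the divert rules only match traffic that needs NAT:
# inside hosts going out, and packets addressed to the outside address coming in.
ipfw_rules() {
    cat <<EOF
add 00010 allow udp from $ipsec_servers isakmp to me isakmp
add 00011 allow udp from me isakmp to $ipsec_servers isakmp
add 00020 allow esp from $ipsec_servers to me
add 00030 allow ah from $ipsec_servers to me
add 00040 allow ip from me to $ipsec_servers
add 00050 allow ip from $ipsec_servers to me
add 00100 divert $natd_port ip from $inner_net to any out via $ext_if
add 00110 divert $natd_port ip from any to me in via $ext_if
add 00150 allow icmp from any to any
add 09900 allow ip from me to any
add 09910 allow tcp from any to any established
add 09999 deny log ip from any to me
EOF
}

# Check a rule listing (this generator's output or 'ipfw list' output): every
# rule that names the IPsec peer must carry a lower number than the first divert
# rule, otherwise the peer's packets are handed to natd. Exit status 0 means the
# order is right, 1 means some peer rule sits below a divert.
check_divert_order() {
    awk -v peer="$ipsec_servers" '
        { n = ($1 == "add") ? $2 : $1; n += 0 }
        /divert/ && first_divert == "" { first_divert = n }
        index($0, peer) && first_divert != "" && n > first_divert { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Install the rules, or print them when there is no ipfw on this host
# (a dry run). Set IPFW to point at a different binary if needed.
apply_rules() {
    ipfw="${IPFW:-/sbin/ipfw}"
    if [ -x "$ipfw" ]; then
        "$ipfw" -q flush
        ipfw_rules | while read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended here
            "$ipfw" -q $line
        done
    else
        ipfw_rules
    fi
}

ipfw_rules | check_divert_order || echo "warning: a peer rule follows a divert rule" >&2
apply_rules
```

The check is worth keeping around as a post-install step (`ipfw list | check_divert_order`) because rule numbers drift as rulesets are edited by hand. Note that, as in the post, the final rule only denies traffic addressed to the box itself; whatever reaches the inside hosts after translation still falls through to the default rule, so the kernel's default-to-deny setting matters here.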