Date: Wed, 3 Nov 2004 10:20:00 -0800
From: Aaron Nichols <adnichols@gmail.com>
To: freebsd-net@freebsd.org
Subject: Re: Problems with NAT on gif interface for VPN
Message-ID: <ac05538404110310204ede3085@mail.gmail.com>
In-Reply-To: <20041102124027.GH10641@sitadelle.com>
References: <ac0553840410281038224213b@mail.gmail.com> <62721446609.20041028214724@star-sw.com> <ac05538404102820171b7b5771@mail.gmail.com> <20041029141411.GE10641@sitadelle.com> <ac0553840410290805388a9efb@mail.gmail.com> <20041102124027.GH10641@sitadelle.com>
All,

Thank you for your help. I managed to get this working. First, I had to compile the kernel to use the FAST_IPSEC option, which apparently changes processing so that traffic goes via gif0 (packet captures only see incoming traffic to gif0 however) - the IPSEC_FILTERGIF option was not sufficient to allow for divert processing apparently. I also had to configure the kernel to use ipfw2 instead of ipfw so that I could use the 'ipsec' option in the filter sets.

It seems that the man page for ipfw is a bit inaccurate in this regard. Under "IPFW2 ENHANCEMENTS" of ipfw(8) it states the following:

    The following options are not implemented by ipfw1: dst-ip, dst-port, layer2, mac, mac-type, src-ip, src-port. Additionally, the RELENG_4 version of ipfw1 does not implement the following options: ipid, iplen, ipprecedence, iptos, ipttl, ipversion, tcpack, tcpseq, tcpwin.

However, the 'ipsec' option is never mentioned - and it does not seem to work if using ipfw1.

At this point, I have the following ipfw ruleset:

    00001 0 0 allow ip from any to any layer2 not mac-type 0x0800
    00100 13235 9607548 divert 8669 ip from any to any via gif0
    00200 14890 10960619 divert 8668 ip from any to any via xl0 not ipsec
    00300 8017 9434062 allow ip from any to any ipsec
    00400 8017 9273722 allow ip from any to any via gif0
    00500 0 0 check-state
    00510 14033 10435476 allow ip from any to any via xl0 out keep-state
    00600 0 0 allow esp from any to me
    00610 0 0 allow udp from any to me dst-port 500
    00700 0 0 allow ip from any to any via lo0
    00710 17115 10937956 allow ip from any to any via vr0 keep-state
    01000 0 0 allow tcp from any to any dst-port 22 in keep-state
    01010 9 498 allow tcp from any to any dst-port 25 in keep-state
    01020 0 0 allow tcp from any to any dst-port 80 in keep-state
    02000 0 0 allow icmp from any to any
    05000 82 22098 deny log ip from any to any
    65535 42 7902 deny ip from any to any

I suspect rules 300 & 400 are redundant but I'll work on tuning the filter set next.
If anyone is interested in the full details of this setup please let me know and I can provide them. The majority of tweaking had to do with getting the right kernel setup though - after which things worked mostly as expected. Thanks again for everyone's help.

Aaron
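The tuning step Aaron mentions starts with reading the counters `ipfw show` prints. The following is an added example, not code from the thread: it parses output in the same "rulenum packets bytes rule-body" layout (a constructed subset of the ruleset above), lists rules that have never matched, and flags non-divert rules with identical packet counts, which is the kind of coincidence behind the suspicion that rules 300 and 400 overlap.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `ipfw show` output quoted in the
# message, in the same "rulenum packets bytes rule-body" layout.
IPFW_SHOW = """\
00001 0 0 allow ip from any to any layer2 not mac-type 0x0800
00100 13235 9607548 divert 8669 ip from any to any via gif0
00200 14890 10960619 divert 8668 ip from any to any via xl0 not ipsec
00300 8017 9434062 allow ip from any to any ipsec
00400 8017 9273722 allow ip from any to any via gif0
00500 0 0 check-state
00510 14033 10435476 allow ip from any to any via xl0 out keep-state
00600 0 0 allow esp from any to me
00610 0 0 allow udp from any to me dst-port 500
00700 0 0 allow ip from any to any via lo0
05000 82 22098 deny log ip from any to any
65535 42 7902 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_rules(text):
    """Return a list of (rulenum, packets, bytes, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, byts, body = m.groups()
            rules.append((int(num), int(pkts), int(byts), body))
    return rules


def unmatched_rules(rules):
    """Rule numbers with zero counters, i.e. rules no packet has hit yet.
    check-state legitimately shows zero when no dynamic rule exists."""
    return [n for n, p, b, _ in rules if p == 0 and b == 0]


def equal_hit_pairs(rules):
    """Groups of non-divert rules sharing the same non-zero packet count.
    Divert rules are skipped because a diverted packet is re-injected and
    counted again further down; identical counts elsewhere are worth a
    look for overlapping matches (rules 300 and 400 in the message)."""
    by_count = defaultdict(list)
    for n, p, _, body in rules:
        if p > 0 and not body.startswith("divert"):
            by_count[p].append(n)
    return [tuple(v) for v in by_count.values() if len(v) > 1]
```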