From: "Crist J . Clark" <cjclark@alum.mit.edu>
To: "Michael C. Cambria"
Cc: freebsd-questions@FreeBSD.ORG
Date: Fri, 27 Oct 2000 19:57:22 -0700
Subject: Re: IPSec (ESP) tunnel through ipfw/natd

On Fri, Oct 27, 2000 at 10:51:36AM -0400, Michael C. Cambria wrote:
>
> Hi,
>
> I'm trying to use my laptop IPSec client to reach work from my home LAN.
>
> The LAN uses FreeBSD ipfw/natd to map my private IP addresses to the one
> address supplied by the cable modem ISP via DHCP. I use rc.firewall as
> supplied with the type being OPEN (e.g. I'm just using NATD, no firewall.)
>
> The laptop can only use IPSec in tunnel mode (corporate policy.) However,
> it does use ESP only, no AH. Should I be able to tunnel through ipfw/natd
> with the OPEN rc.firewall rules? Do I need to add any? The archives
> turned up something about passing esp, but since OPEN passes "all", I do
> not think this applies to my situation.
>
> At present, I only want to allow the laptop on the LAN to tunnel through
> my FreeBSD machine.

Funny you should ask. I just tested this for someone at work last night. I was connecting through a FreeBSD firewall/NAT machine between an IPsec-enabled Cisco router and the Cisco "client[0]" software on a Win95 notebook from the office. They wanted to see if it would work through NAT. It worked fine.

I must admit, all I did was set up the FreeBSD firewall and NAT box; the person I was testing for configured the ends of the tunnel.

One thing I did notice later reviewing the libalias code, however. FreeBSD has no special code to support multiple IPsec connections behind a NAT box. Right now, only one ESP "connection" will work at a time. It actually would not be too tough to make it work that way (using the uniqueness of the SA). Anyone else be interested?

[0] An IPsec tunnel is actually a peer-to-peer protocol. One machine initiates the key exchange, but ESP itself has no such distinction.

--
Crist J. Clark cjclark@alum.mit.edu
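The reply above explains that ESP carries no port numbers, so a NAT that only rewrites the source address cannot tell two inside hosts' return traffic apart, while keying on the SPI (the unique SA identifier in the ESP header) would. The following is an added toy illustration of that idea, not libalias code and not something from the original thread: it parses the 8-byte ESP header (SPI, sequence number) with Python's struct module, tracks outbound SAs per inside host, and learns the peer's reply SPI by pairing the first unknown inbound SPI with the oldest still-unpaired outbound flow to that peer (a constructed simplification; real implementations add timeouts and more careful pairing). All IP addresses are constructed documentation-range values.

```python
import struct

# ESP header: 32-bit SPI followed by 32-bit sequence number (RFC 2406 layout).
ESP_HDR = struct.Struct("!II")


class EspNat:
    """Toy ESP-aware NAT table (constructed illustration, not FreeBSD libalias)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.out = {}      # (peer_ip, outbound_spi) -> inside host
        self.inb = {}      # (peer_ip, inbound_spi)  -> inside host
        self.pending = {}  # peer_ip -> inside hosts whose reply SPI is not yet known

    def outbound(self, src, dst, esp):
        """Inside host -> peer. Only the IP source is rewritten; ESP is opaque."""
        spi, _seq = ESP_HDR.unpack_from(esp)
        key = (dst, spi)
        if key not in self.out:
            # New outbound SA: remember it and wait for the peer's reply SPI.
            self.out[key] = src
            self.pending.setdefault(dst, []).append(src)
        return (self.public_ip, dst, esp)

    def inbound(self, src, dst, esp):
        """Peer -> inside host. Demultiplex on (peer, SPI); None means drop."""
        if dst != self.public_ip:
            return None
        spi, _seq = ESP_HDR.unpack_from(esp)
        key = (src, spi)
        host = self.inb.get(key)
        if host is None:
            queue = self.pending.get(src) or []
            if not queue:
                return None  # unsolicited ESP from this peer: no mapping, drop it
            host = queue.pop(0)  # oldest unpaired outbound flow to this peer
            self.inb[key] = host
        return (src, host, esp)


def demo():
    """Two inside hosts reach the same peer; both reply SAs are delivered correctly."""
    nat = EspNat("203.0.113.5")
    peer = "198.51.100.1"
    nat.outbound("192.168.1.10", peer, ESP_HDR.pack(0x1001, 1))
    nat.outbound("192.168.1.11", peer, ESP_HDR.pack(0x2002, 1))
    a = nat.inbound(peer, "203.0.113.5", ESP_HDR.pack(0xAAAA, 1))
    b = nat.inbound(peer, "203.0.113.5", ESP_HDR.pack(0xBBBB, 1))
    return a[1], b[1]
```

Without the SPI-keyed tables, every inbound ESP packet from the peer would have to go to a single remembered host, which is exactly the one-connection-at-a-time limit described in the reply.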