From owner-freebsd-questions Mon Jun 11 0:47:17 2001
From: steve@Watt.COM (Steve Watt)
Organization: Watt Consultants, San Jose, CA, USA
Date: Mon, 11 Jun 2001 00:46:54 -0700
To: questions@freebsd.org
Cc: lucky@lansters.com
Subject: Re: IPSec with ipfw and ipnat (oh my)
Message-Id: <200106110746.f5B7kte03877@wattres.Watt.COM>
In-Reply-To: <000001c0ec6d$c1fa4a50$0200010a@lucky>

In article <000001c0ec6d$c1fa4a50$0200010a@lucky> lucky@lansters.com wrote:
>What is the latest information on getting a scenario like this working:
>
>Two FreeBSD firewall/gateway machines, each with one routable internet ip
>and a lan with reserved ip space behind them. I am attempting to establish
>an encrypted IPSec-based VPN between the lans that are in reserved IP space,
>as well as run ipnat for the lans to access the normal internet and run ipfw
>rules to block bad traffic. I have seen discussion that this does not work
>under FreeBSD and that the OpenBSD guys have a good solution with the enc
>interface for IPSec-related traffic. I am having no success in getting a
>setup like this to work under FreeBSD. Does anyone know what I have to do to
>get this working?

I've got this working, in almost precisely that setup. My network has
199.33.193.128/26 as the inside (currently non-routable) address.
The network I connect to uses 192.168.1.0/24. ipsec.conf has:

- - - 8< - - -
# Outbound policy: traffic from my LAN to the remote LAN must travel in an
# ESP tunnel between the two gateways' public addresses
spdadd 199.33.193.128/26 192.168.1.0/24 any -P out ipsec
    esp/tunnel/{my_public_ip}-{remote_public_ip}/require;

# Inbound policy: the mirror image, with the tunnel endpoints swapped
spdadd 192.168.1.0/24 199.33.193.128/26 any -P in ipsec
    esp/tunnel/{remote_public_ip}-{my_public_ip}/require;
- - - >8 - - -

racoon.conf is pretty much the sample one -- make sure it's identical on
both ends. psk.txt is ... secret. ;)

I didn't need to futz with the gif interfaces; it appears that the IPsec
machinery has been improved so that's not needed.

Setting up the NAT stuff so this all worked together was somewhat harder;
I had to be careful about the divert rules so that the IPsec ESP traffic
didn't get fed to natd.

Unfortunately, you also have to open the FreeBSD machine up to spoofed
packets from the internet that appear to be from the remote tunneled
network. That is because when a packet completes IPsec decrypting, it is
reinjected at the same interface it originally came in on. I solved that
spoofing problem by having control of the filters on my external router --
so my ingress filters are as close to the edge of my net as possible.

Hope this helps a little. It's late, so I'm not thinking terribly clearly...

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
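The divert ordering Steve describes (ESP must not be fed to natd, and the tunnelled LAN-to-LAN traffic must keep its private addresses so it still matches the spdadd selectors) is easiest to get right by numbering the IKE/ESP rules below the divert rule. The script below is an added example, not part of Steve's post or of any FreeBSD file: it emits such an ipfw ruleset and includes a small checker that confirms the ordering invariant. The interface name and the two public addresses are placeholders (documentation addresses); only the two LAN prefixes come from the post. The checker is my own heuristic for this layout, not an ipfw feature.

```shell
#!/bin/sh
# Added example (not from the post or the FreeBSD project). Emits an ipfw
# ruleset for an IPsec tunnel between two gateways plus natd for ordinary
# internet traffic. EXT_IF, MY_PUBLIC_IP and REMOTE_PUBLIC_IP are assumed
# placeholder values; the LAN prefixes are the ones from the mail.
EXT_IF="${EXT_IF:-fxp0}"
MY_PUBLIC_IP="${MY_PUBLIC_IP:-203.0.113.1}"
REMOTE_PUBLIC_IP="${REMOTE_PUBLIC_IP:-198.51.100.1}"
LOCAL_NET="199.33.193.128/26"
REMOTE_NET="192.168.1.0/24"

# Print the ruleset as "ipfw add" commands. ipfw walks rules in number
# order, so IKE, ESP and LAN-to-LAN traffic are matched by rules 1000-1110
# and never reach the natd divert at 2000.
build_ipfw_rules() {
    cat <<EOF
ipfw -f flush
# IKE (racoon, UDP 500) and ESP (IP protocol 50) between the two gateways
ipfw add 1000 allow udp from $REMOTE_PUBLIC_IP 500 to $MY_PUBLIC_IP 500 via $EXT_IF
ipfw add 1010 allow udp from $MY_PUBLIC_IP 500 to $REMOTE_PUBLIC_IP 500 via $EXT_IF
ipfw add 1020 allow esp from $REMOTE_PUBLIC_IP to $MY_PUBLIC_IP via $EXT_IF
ipfw add 1030 allow esp from $MY_PUBLIC_IP to $REMOTE_PUBLIC_IP via $EXT_IF
# LAN-to-LAN traffic keeps its private addresses (NAT would stop it from
# matching the spdadd selectors), so jump over the divert rule
ipfw add 1100 skipto 3000 ip from $LOCAL_NET to $REMOTE_NET
ipfw add 1110 skipto 3000 ip from $REMOTE_NET to $LOCAL_NET
# Everything else crossing the external interface is translated by natd
ipfw add 2000 divert natd ip from any to any via $EXT_IF
# Ordinary filtering. Note there is deliberately no
#   deny ip from $REMOTE_NET to any in via $EXT_IF
# anti-spoof rule: decapsulated tunnel packets are reinjected on $EXT_IF
# and would be dropped by it too, which is the limitation the mail describes.
ipfw add 3000 allow ip from any to any via lo0
ipfw add 3010 deny ip from 127.0.0.0/8 to any
ipfw add 3020 allow tcp from any to any established
ipfw add 3030 allow ip from $LOCAL_NET to any
ipfw add 3035 allow ip from $MY_PUBLIC_IP to any out via $EXT_IF
ipfw add 3040 allow ip from $REMOTE_NET to $LOCAL_NET
ipfw add 3050 allow icmp from any to any
ipfw add 65000 deny log ip from any to any
EOF
}

# Read a ruleset (as produced above) on stdin and return 0 only if every
# IKE/ESP rule is numbered below the first "divert natd" rule, i.e. natd
# can never see IPsec traffic. Returns 1 otherwise, or if either kind of
# rule is missing.
ipsec_bypasses_natd() {
    awk '
        /^ipfw add/ && /divert natd/ { if (!divert) divert = $3 + 0 }
        /^ipfw add/ && (/ esp / || / 500 to /) { if ($3 + 0 > max) max = $3 + 0 }
        END { exit (divert && max && max < divert) ? 0 : 1 }'
}

# Usage: PRINT_RULES=1 sh ipfw-ipsec.sh > ipfw.rules.local, review the
# output, then load it; the checker can be run as
#   sh ipfw-ipsec.sh < ipfw.rules.local
if [ -n "${PRINT_RULES:-}" ]; then
    build_ipfw_rules
fi
```

The `skipto` rules matter in the outbound direction: if a LAN-to-LAN packet hits natd before IPsec processing, its source becomes the public address and the "-P out" policy in ipsec.conf no longer applies, so the packet leaves in the clear or is dropped, depending on the kernel's policy handling. Later FreeBSD ipfw versions add an `ipsec` match option for packets that carry IPsec history, which would let an anti-spoof rule exempt decapsulated packets; the 2001-era layout here does not rely on it and keeps ingress filtering at the upstream router, as the mail suggests.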