Date:      Mon, 16 Jan 2006 14:30:08 +0100
From:      Przemyslaw Szczygielski <qus2@o2.pl>
To:        Brian Candler <B.Candler@pobox.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: NAT over IPSECed WLAN
Message-ID:  <20060116133008.B3F8D214092@rekin14.go2.pl>

> A diagram helps lots. Tell me if this is correct:
> 
>     \|/  - - - - - - - \|/
>      |                  |
>   10.2.0.2          10.2.0.1 ndis0
>    WinXP            FreeBSD 6.0
>   client             x.x.x.x fxp0
>                         |
>                         +---------------> Internet
> 
>      <==================>
        IPSEC tunnel mode? + NAT!!!!

But plus NAT. Exactly.

> How have you configured IPSEC:
> (a) on the Windows XP box? and
> (b) on the FreeBSD box?
> 
> I think you should be running IPSEC tunnel mode, so I'm guessing at the
> Windows XP side you have something like:
> 
>     ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
>     ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
> 

XP: (configured by wizard, from MMC):

"InboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: ANY/0, dst IP: MY/0

"OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: MY/0, dst IP: ANY/0

> And at the FreeBSD side you have in /etc/ipsec.conf
> 
>     spdflush;
>     spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
>     spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
> 

BSD:

flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;

> Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
> browse a website from the XP box, could be very enlightening.
> 
Ermmm... on ndis0 I can only see encrypted content, but haven't
tried fxp0, thought nothing interesting will be happening, as I
can't browse from XP...
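The two setkey(8) policy sets in this thread differ in one detail: the suggested version selects the client with 10.2.0.2/32, the one actually loaded uses 10.2.0.2/8. The following checker is an added example, not code from the thread or from FreeBSD; it parses the KAME/FreeBSD spdadd syntax shown above (assumed to be of the form `esp/tunnel/OUTER_SRC-OUTER_DST/LEVEL`) and flags selectors whose host bits are set, which the kernel silently widens to the whole network, plus a peer selector that does not even cover the tunnel endpoint it is paired with. The sample input is the FreeBSD configuration from this message, embedded as a constructed string.

```python
"""Sanity checker for setkey(8) 'spdadd' tunnel policies.

Added example, not part of the thread or of any FreeBSD tool.  Assumes the
KAME/FreeBSD syntax used on the page:
    spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/OUTER_SRC-OUTER_DST/LEVEL;
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the FreeBSD-side policies from the message, wrapped
# across lines the way the e-mail shows them.
SAMPLE_SPD = """
flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec
esp/tunnel/10.2.0.1-10.2.0.2/require;
"""

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<outer_src>[0-9a-fA-F.:]+)-(?P<outer_dst>[0-9a-fA-F.:]+)/(?P<level>\w+)$"
)


def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return the fields of every spdadd statement in setkey input.

    Statements end with ';' and may be wrapped over several lines, so the
    text is split on ';' and whitespace collapsed before matching.  flush and
    spdflush are skipped; an spdadd that does not match the form above is an
    error rather than being silently ignored.
    """
    policies = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())
        if not stmt.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(stmt)
        if m is None:
            raise ValueError(f"unrecognised spdadd statement: {stmt!r}")
        policies.append(m.groupdict())
    return policies


def check_policy(p: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one parsed spdadd policy."""
    findings = []
    # Which selector names the far side depends on direction: an inbound
    # policy pairs its src selector with the outer source address, an
    # outbound policy pairs its dst selector with the outer destination.
    if p["dir"] == "in":
        peer_sel, peer_ep = p["src"], p["outer_src"]
    else:
        peer_sel, peer_ep = p["dst"], p["outer_dst"]

    # A host address with a short prefix is applied as the containing
    # network: 10.2.0.2/8 is really 10.0.0.0/8, not one client.
    for name in ("src", "dst"):
        iface = ipaddress.ip_interface(p[name])
        net = iface.network
        if iface.ip != net.network_address:
            findings.append(
                f"{p['dir']} policy: {name} selector {p[name]} has host bits set; "
                f"the kernel applies it as {net} ({net.num_addresses} addresses), "
                f"not a single host"
            )

    if p["mode"] == "tunnel":
        sel_net = ipaddress.ip_interface(peer_sel).network
        if ipaddress.ip_address(peer_ep) not in sel_net:
            findings.append(
                f"{p['dir']} policy: peer selector {peer_sel} does not cover "
                f"the tunnel endpoint {peer_ep}; the peer's own traffic will "
                f"not match this policy"
            )
        elif sel_net.num_addresses > 1:
            findings.append(
                f"{p['dir']} policy: every packet matching {sel_net} is bound "
                f"(level {p['level']}) to the tunnel with {peer_ep}, not only "
                f"the peer host"
            )
    return findings


def audit(text: str) -> List[str]:
    """Parse and check a whole setkey file; an empty list means nothing to flag."""
    out = []
    for p in parse_spd(text):
        out.extend(check_policy(p))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_SPD):
        print(finding)
```

Run against the configuration in this message it reports two findings per policy (host bits set in the 10.2.0.2/8 selector, and the whole of 10.0.0.0/8 being bound to the tunnel); the /32 variant quoted from Brian's reply produces none.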
