From: Przemyslaw Szczygielski <qus2@o2.pl>
To: Brian Candler
Cc: freebsd-net@freebsd.org
Date: Mon, 16 Jan 2006 14:30:08 +0100
Subject: Re: NAT over IPSECed WLAN
Message-Id: <20060116133008.B3F8D214092@rekin14.go2.pl>

> A diagram helps lots. Tell me if this is correct:
>
>     \|/ - - - - - - - \|/
>      |                 |
>   10.2.0.2          10.2.0.1 ndis0
>    WinXP            FreeBSD 6.0
>    client           x.x.x.x fxp0
>                        |
>                        +---------------> Internet
>
>   <==================>  IPSEC tunnel mode?

+ NAT!!!! But plus NAT. Exactly.

> How have you configured IPSEC:
> (a) on the Windows XP box? and
> (b) on the FreeBSD box?
>
> I think you should be running IPSEC tunnel mode, so I'm guessing at the
> Windows XP side you have something like:
>
> ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
> ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
>

XP: (configured by wizard, from MMC):

"InboundIPsec"  prot: ANY, src port: ANY, dst port: ANY, src IP: ANY/0, dst IP: MY/0
"OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: MY/0, dst IP: ANY/0

> And at the FreeBSD side you have in /etc/ipsec.conf
>
> spdflush;
> spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
> spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
>

BSD:

flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;

> Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
> browse a website from the XP box, could be very enlightening.
>

Ermmm... on ndis0 I can only see encrypted content, but I haven't tried fxp0; I thought nothing interesting would be happening there, as I can't browse from XP...
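As an added example (not part of this thread or of FreeBSD's own tooling), a small Python checker for setkey SPD entries like the ones quoted above. It parses spdadd lines, flags traffic selectors whose prefix length leaves host bits set (a selector written 10.2.0.2/8 is compared on its first 8 bits only, so it covers all of 10.0.0.0/8 rather than the single host that the /32 in the suggested config does), and checks that every inbound policy has a mirrored outbound policy with swapped selectors and swapped tunnel endpoints. The sample input is constructed from the two configurations in the thread.

```python
import ipaddress

# Constructed sample input: the /etc/ipsec.conf lines quoted in the thread,
# first as the poster reported them (/8), then as the reply suggested (/32).
SPD_AS_POSTED = """\
flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
"""
SPD_SUGGESTED = SPD_AS_POSTED.replace("10.2.0.2/8", "10.2.0.2/32")


def parse_spd(text):
    """Parse setkey 'spdadd' lines into dicts; flush/spdflush lines are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line.startswith("spdadd "):
            continue
        tok = line.split()
        # spdadd <src> <dst> <upper> -P <dir> ipsec <proto>/<mode>/<src>-<dst>/<level>
        if len(tok) != 8 or tok[4] != "-P" or tok[6] != "ipsec":
            raise ValueError("unparsed spdadd line: " + raw)
        proto, mode, endpoints, level = tok[7].split("/")
        tun_src, tun_dst = endpoints.split("-")
        policies.append({"src": tok[1], "dst": tok[2], "upper": tok[3],
                         "dir": tok[5], "proto": proto, "mode": mode,
                         "tun_src": tun_src, "tun_dst": tun_dst, "level": level})
    return policies


def check_spd(text):
    """Return findings: selectors with host bits set, and 'in' policies without a mirror."""
    findings = []
    pols = parse_spd(text)
    for p in pols:
        for side in ("src", "dst"):
            sel = p[side]
            net = ipaddress.ip_network(sel, strict=False)  # masks the host bits away
            host = ipaddress.ip_address(sel.split("/")[0])
            if net.network_address != host:
                findings.append(f"{p['dir']} policy: selector {sel} has host bits set, it matches {net} not host {host}")
    outs = [q for q in pols if q["dir"] == "out"]
    for p in [q for q in pols if q["dir"] == "in"]:
        # the mirror swaps both the traffic selectors and the tunnel endpoints
        if not any(o["src"] == p["dst"] and o["dst"] == p["src"] and
                   o["tun_src"] == p["tun_dst"] and o["tun_dst"] == p["tun_src"]
                   for o in outs):
            findings.append(f"in policy {p['src']} -> {p['dst']} has no mirrored out policy")
    return findings
```

Running check_spd over the posted config reports both /8 selectors; the suggested /32 config comes back clean.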