Date:      Mon, 16 Jan 2006 15:04:32 +0000
From:      Brian Candler <B.Candler@pobox.com>
To:        Przemyslaw Szczygielski <qus2@o2.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: NAT over IPSECed WLAN
Message-ID:  <20060116150432.GA28435@uk.tiscali.com>
In-Reply-To: <20060116133008.B3F8D214092@rekin14.go2.pl>
References:  <20060116133008.B3F8D214092@rekin14.go2.pl>

On Mon, Jan 16, 2006 at 02:30:08PM +0100, Przemyslaw Szczygielski wrote:
> >     ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
> >     ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
> > 
> 
> XP: (configured by wizard, from MMC):
> 
> "InboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP:
> ANY/0, dst IP: MY/0
> 
> "OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP:
> MY/0, dst IP: ANY/0

But if you've not given any tunnel endpoints, then you have configured
*transport* mode, and that won't work for communicating with arbitrary hosts
on the Internet.

Perhaps you've got tunnel mode (I guess you must if you have tunnel mode in
your SPD), but I'd still prefer working from the command line. To get
ipseccmd.exe run setup.exe from the \support\tools directory on the XP SP2
CD.

Note that in XP you can give 'MY' as a policy source/destination ('0' in
ipseccmd), but not as a tunnel endpoint. You must give the explicit IP
address, as in the -t example above.

> > And at the FreeBSD side you have in /etc/ipsec.conf
> > 
> >     spdflush;
> >     spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
> >     spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
> > 
> 
> BSD:
> 
> flush;
> spdflush;
> spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
> spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;

10.2.0.2/8 can never match any IP address, but perhaps the kernel masks it
silently to 10.0.0.0/8

In any case, you should list only the address which you want to protect
(i.e. 10.2.0.2/32), unless there is a separate subnet sitting behind the XP
laptop which needs to be protected.

Otherwise, once you have a second laptop, you will have two conflicting
policies, both trying to protect 10.0.0.0/8

> > Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
> > browse a website from the XP box, could be very enlightening.
> > 
> Ermmm... on ndis0 I can only see encrypted content, but haven't
> tried fxp0, thought nothing interesting will be happening, as I
> can't browse from XP...

Not true. Seeing what packets are sent out to the Internet, even if nothing
comes back, is definitely interesting. It would show, for example, if your
NAT isn't working.

Even if nothing at all goes out of fxp0, that is also interesting. It shows
your tunnel is not configured correctly. (Presumably you do have IP
forwarding turned on, since the gateway works in the absence of IPSEC)

I suggest you don't "browse" from XP: start by sending pings. Then you have
a steady stream of packets, and DNS doesn't get in the way either.

Regards,

Brian.
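An added check, not part of the thread, for the point made above about the /8 selectors and conflicting policies: it parses setkey-style spdadd lines, flags selectors with host bits set (and shows the network the kernel would mask them to), and reports same-direction policies whose protected selectors overlap while pointing at different tunnels. The SPD text is constructed from the thread plus a hypothetical second laptop at 10.2.0.3.

```python
import ipaddress
import re

# Constructed sample: the "BSD" side SPD from the thread, plus one extra entry
# for a hypothetical second laptop (10.2.0.3) to show the overlap problem.
SPD_TEXT = """
flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
spdadd 10.2.0.3/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.3-10.2.0.1/require;
"""

# Matches: spdadd <src> <dst> <proto> -P <in|out> ipsec esp/tunnel/<a>-<b>/<level>;
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(\w+);"
)


def parse_spd(text):
    """Return one dict per spdadd line with its selectors and tunnel endpoints."""
    entries = []
    for m in SPDADD.finditer(text):
        src, dst, proto, direction, t_src, t_dst, level = m.groups()
        entries.append({"src": src, "dst": dst, "proto": proto, "dir": direction,
                        "tunnel": (t_src, t_dst), "level": level})
    return entries


def lint_spd(text):
    """Flag selectors with host bits set (the kernel masks them silently) and
    same-direction policies whose protected selectors overlap."""
    findings = []
    entries = parse_spd(text)
    for e in entries:
        # The protected (inner) host is the src of an inbound policy, the dst of an outbound one.
        spec = e["src"] if e["dir"] == "in" else e["dst"]
        try:
            net = ipaddress.ip_network(spec)  # strict: host bits must be zero
        except ValueError:
            net = ipaddress.ip_network(spec, strict=False)
            findings.append(f"{spec} has host bits set; kernel would treat it as {net}")
        e["protected"] = net
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if (a["dir"] == b["dir"] and a["tunnel"] != b["tunnel"]
                    and a["protected"].overlaps(b["protected"])):
                findings.append(f"{a['dir']} policies for {a['protected']} and "
                                f"{b['protected']} overlap but use different tunnels")
    return findings
```

Replacing the /8 selectors with /32, as the reply recommends, makes the lint return no findings.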
