From: Brian Candler
To: Przemyslaw Szczygielski
Cc: freebsd-net@freebsd.org
Date: Mon, 16 Jan 2006 15:04:32 +0000
Subject: Re: NAT over IPSECed WLAN
Message-ID: <20060116150432.GA28435@uk.tiscali.com>
In-Reply-To: <20060116133008.B3F8D214092@rekin14.go2.pl>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Jan 16, 2006 at 02:30:08PM +0100, Przemyslaw Szczygielski wrote:
> > ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
> > ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
> >
> > XP:
>
> (configured by wizard, from MMC):
>
> "InboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: ANY/0, dst IP: MY/0
>
> "OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: MY/0, dst IP: ANY/0

But if you've not given any tunnel endpoints, then you have configured
*transport* mode, and that won't work for communicating with arbitrary
hosts on the Internet.

Perhaps you've got tunnel mode (I guess you must if you have tunnel mode
in your SPD), but I'd still prefer working from the command line. To get
ipseccmd.exe run setup.exe from the \support\tools directory on the XP SP2
CD.

Note that in XP you can give 'MY' as a policy source/destination ('0' in
ipseccmd), but not as a tunnel endpoint. You must give the explicit IP
address, as in the -t example above.

> > And at the FreeBSD side you have in /etc/ipsec.conf
> >
> > spdflush;
> > spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
> > spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
> >
> > BSD:
>
> flush;
> spdflush;
> spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
> spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;

10.2.0.2/8 can never match any IP address, but perhaps the kernel masks it
silently to 10.0.0.0/8

In any case, you should list only the address which you want to protect
(i.e. 10.2.0.2/32), unless there is a separate subnet sitting behind the
XP laptop which needs to be protected. Otherwise, once you have a second
laptop, you will have two conflicting policies, both trying to protect
10.0.0.0/8

> > Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
> > browse a website from the XP box, could be very enlightening.
>
> Ermmm... on ndis0 I can only see encrypted content, but haven't
> tried fxp0, thought nothing interesting will be happening, as I
> can't browse from XP...

Not true. Seeing what packets are sent out to the Internet, even if
nothing comes back, is definitely interesting. It would show, for example,
if your NAT isn't working.

Even if nothing at all goes out of fxp0, that is also interesting. It
shows your tunnel is not configured correctly. (Presumably you do have IP
forwarding turned on, since the gateway works in the absence of IPSEC)

I suggest you don't "browse" from XP: start by sending pings. Then you
have a steady stream of packets, and DNS doesn't get in the way either.

Regards,

Brian.
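The two SPD problems raised in the reply (a selector written as 10.2.0.2/8 with host bits set, and two laptops whose /8 policies would then overlap) can be caught by linting /etc/ipsec.conf before it is loaded with setkey. The checker below is an added example written for this archive page; it is not code from the thread or from FreeBSD. It parses spdadd lines with a regular expression, uses Python's ipaddress module to show what a silent mask-off of 10.2.0.2/8 would produce (the reply only speculates that the kernel does this; the script does not query the kernel), and reports same-direction policies whose effective selectors overlap while naming different tunnel endpoints. The sample config is constructed: the two /8 lines quoted above plus a hypothetical second laptop at 10.2.0.3 configured the same way.

```python
"""Lint setkey(8) spdadd selectors for two problems: a prefix written with host
bits set (10.2.0.2/8), and same-direction policies whose effective selectors
overlap while naming different tunnel endpoints."""
import ipaddress
import re

# Constructed sample: the two /8 lines quoted in the thread plus a hypothetical
# second laptop (10.2.0.3) configured the same way.
SAMPLE_IPSEC_CONF = """\
flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
spdadd 10.2.0.3/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.3-10.2.0.1/require;
"""

# The same policies with /32 host selectors, as the reply recommends.
FIXED_IPSEC_CONF = SAMPLE_IPSEC_CONF.replace("/8 ", "/32 ")

# spdadd <src> <dst> <upperspec> -P <in|out> <policy> ;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)"
    r"\s+-P\s+(?P<dir>in|out)\s+(?P<policy>.+?)\s*;$"
)


def parse_spdadd(conf):
    """Return the spdadd rules in conf as dicts; flush/spdflush and blank lines are skipped."""
    rules = []
    for line in conf.splitlines():
        m = SPDADD_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def effective_selector(sel):
    """Return (network that can actually be matched, True if host bits were masked off).

    10.2.0.2/8 is not a valid network; a kernel that accepts it at all can only
    match it as 10.0.0.0/8, which is the silent masking the reply speculates about.
    """
    written = ipaddress.ip_interface(sel).ip        # address exactly as written
    net = ipaddress.ip_network(sel, strict=False)   # host bits cleared
    return net, written != net.network_address


def check_policies(conf):
    """Return {'masked': [(selector, effective network)],
               'conflicts': [(rule A src, rule B src, direction)]}."""
    rules = parse_spdadd(conf)
    masked = []
    for r in rules:
        for field in ("src", "dst"):
            net, was_masked = effective_selector(r[field])
            if was_masked:
                masked.append((r[field], str(net)))

    # Two policies in the same direction whose effective src AND dst ranges
    # overlap but which name different SAs will compete for the same traffic.
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a["dir"] != b["dir"] or a["policy"] == b["policy"]:
                continue
            a_src, a_dst = effective_selector(a["src"])[0], effective_selector(a["dst"])[0]
            b_src, b_dst = effective_selector(b["src"])[0], effective_selector(b["dst"])[0]
            if a_src.overlaps(b_src) and a_dst.overlaps(b_dst):
                conflicts.append((a["src"], b["src"], a["dir"]))
    return {"masked": masked, "conflicts": conflicts}


if __name__ == "__main__":
    for name, conf in (("as posted", SAMPLE_IPSEC_CONF), ("with /32", FIXED_IPSEC_CONF)):
        report = check_policies(conf)
        print(name, "- masked selectors:", report["masked"])
        print(name, "- conflicting policies:", report["conflicts"])
```

Run against the config as posted, the script reports every /8 selector as effectively 10.0.0.0/8 and flags the two inbound policies (10.2.0.2 and the hypothetical 10.2.0.3) as conflicting; with /32 host selectors both lists are empty, which is the state the reply asks for.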