Date: Mon, 16 Jan 2006 20:55:18 +0100
From: Przemysław Szczygielski <qus2@go2.pl>
To: Brian Candler <B.Candler@pobox.com>
Cc: freebsd-net@freebsd.org
Subject: Re: NAT over IPSECed WLAN
Message-ID: <838981858.20060116205518@go2.pl>
In-Reply-To: <20060116150432.GA28435@uk.tiscali.com>
References: <20060116133008.B3F8D214092@rekin14.go2.pl> <20060116150432.GA28435@uk.tiscali.com>
Hello Brian,

In your message dated 16 January 2006 (16:04:32) you wrote:

> On Mon, Jan 16, 2006 at 02:30:08PM +0100, Przemyslaw Szczygielski wrote:
>> > ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
>> > ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
>> >
>>
>> XP: (configured by wizard, from MMC):
>>
>> "InboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP:
>> ANY/0, dst IP: MY/0
>>
>> "OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP:
>> MY/0, dst IP: ANY/0
>
> But if you've not given any tunnel endpoints, then you have configured
> *transport* mode, and that won't work for communicating with arbitrary hosts
> on the Internet.
>
> Perhaps you've got tunnel mode (I guess you must if you have tunnel mode in
> your SPD), but I'd still prefer working from the command line. To get
> ipseccmd.exe run setup.exe from the \support\tools directory on the XP SP2
> CD.

Well, both ways work: the one from the wizard and the one by ipseccmd. The
difference is I don't know how to deactivate ipseccmd filters ;-)

> Note that in XP you can give 'MY' as a policy source/destination ('0' in
> ipseccmd), but not as a tunnel endpoint. You must give the explicit IP
> address, as in the -t example above.
>
>> flush;
>> spdflush;
>> spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec
>> esp/tunnel/10.2.0.2-10.2.0.1/require;
>> spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec
>> esp/tunnel/10.2.0.1-10.2.0.2/require;
>
> 10.2.0.2/8 can never match any IP address, but perhaps the kernel masks it
> silently to 10.0.0.0/8

Ah, my fault. That's corrected now. But it didn't help.

>> > Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
>> > browse a website from the XP box, could be very enlightening.
>> >
>> Ermmm... on ndis0 I can only see encrypted content, but haven't
>> tried fxp0, thought nothing interesting would be happening, as I
>> can't browse from XP...
>
> Not true. Seeing what packets are sent out to the Internet, even if nothing
> comes back, is definitely interesting. It would show, for example, if your
> NAT isn't working.
>
> Even if nothing at all goes out of fxp0, that is also interesting. It shows
> your tunnel is not configured correctly. (Presumably you do have IP
> forwarding turned on, since the gateway works in the absence of IPSEC)
>
> I suggest you don't "browse" from XP: start by sending pings. Then you have
> a steady stream of packets, and DNS doesn't get in the way either.

From XP I pinged 10.2.0.1 with IPSEC on.

tcpdump -i ndis0 host 10.2.0.2 on 10.2.0.1 showed encrypted packets.
tcpdump -i fxp0 host 10.2.0.2 on 10.2.0.1 showed nothing...
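The gateway-side policy and the capture commands discussed in this thread, as an added example that is not code from either participant. It assumes the addresses and interfaces named above (client 10.2.0.2 on ndis0, gateway 10.2.0.1, Internet side fxp0) and a single client, so the SPD selector is the client's /32 rather than a /8; the helper names (cidr_network, selector_is_canonical, spd_for_client, diag_commands) are this example's own. The script only emits text; it does not run setkey or tcpdump.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the FreeBSD-side setkey(8)
# SPD for one IPsec tunnel-mode client behind a NAT gateway and prints the
# tcpdump commands for checking each side of the tunnel. Nothing is applied;
# the script only emits text. Assumed addresses (taken from the thread):
#   client 10.2.0.2 on ndis0 (WLAN), gateway 10.2.0.1, Internet side fxp0.

# cidr_network ADDR/PLEN -> NETWORK/PLEN
# Masks the host bits so the SPD selector is a true prefix. A selector written
# as a host address with a short mask (10.2.0.2/8) does not mean what the
# writer intended, whether the kernel rejects it or masks it to 10.0.0.0/8.
cidr_network() {
  case "$1" in
    */*) addr=${1%/*}; plen=${1#*/} ;;
    *)   addr=$1;      plen=32 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $addr
  IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  if [ "$plen" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  fi
  n=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
    $(( (n >> 8) & 255 ))  $(( n & 255 )) "$plen"
}

# selector_is_canonical ADDR/PLEN: true when no host bits are set, i.e. the
# selector means what it says. Catches the 10.2.0.2/8 mistake before the
# policy reaches setkey.
selector_is_canonical() {
  [ "$(cidr_network "$1")" = "$1" ]
}

# spd_for_client CLIENT_IP GATEWAY_IP
# Emits the gateway's SPD: packets from the client to anywhere must arrive in
# an ESP tunnel from the client, and packets to the client must leave in an
# ESP tunnel from the gateway. The selector is the client's /32, so the policy
# does not also cover the gateway itself or other WLAN hosts as a /8 would.
# Tunnel endpoints are explicit host addresses, never prefixes.
spd_for_client() {
  client=$1; gw=$2
  sel=$(cidr_network "$client/32")
  cat <<EOF
flush;
spdflush;
spdadd $sel 0.0.0.0/0 any -P in ipsec esp/tunnel/$client-$gw/require;
spdadd 0.0.0.0/0 $sel any -P out ipsec esp/tunnel/$gw-$client/require;
EOF
}

# diag_commands WLAN_IF INET_IF CLIENT_IP
# The two captures from the thread, with the Internet-side filter changed so
# that it can match: after NAT the outgoing packets carry the gateway's
# external address, so "host <client>" on the Internet interface matches
# nothing even when NAT is working. Filter on the traffic type being sent
# (ICMP echo from ping) instead.
diag_commands() {
  cat <<EOF
tcpdump -ni $1 esp and host $3
tcpdump -ni $2 icmp
EOF
}

# Usage on the gateway: spd_for_client 10.2.0.2 10.2.0.1 | setkey -c
spd_for_client 10.2.0.2 10.2.0.1
diag_commands ndis0 fxp0 10.2.0.2
```

One caveat that follows from the policy itself: a ping from the client to the gateway's own address 10.2.0.1 is answered by the gateway and never leaves on fxp0, so only traffic addressed beyond the gateway can show whether forwarding and NAT work.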