From owner-freebsd-net@FreeBSD.ORG Mon Jan 16 19:56:27 2006
Date: Mon, 16 Jan 2006 20:55:18 +0100
From: Przemysław Szczygielski
Organization: QUS
To: Brian Candler
Cc: freebsd-net@freebsd.org
Subject: Re: NAT over IPSECed WLAN
Message-ID: <838981858.20060116205518@go2.pl>
In-Reply-To: <20060116150432.GA28435@uk.tiscali.com>
References: <20060116133008.B3F8D214092@rekin14.go2.pl> <20060116150432.GA28435@uk.tiscali.com>
List-Id: Networking and TCP/IP with FreeBSD

Hello Brian,

In your letter dated 16 January 2006 (16:04:32) one can read:

> On Mon, Jan 16, 2006 at 02:30:08PM +0100, Przemyslaw Szczygielski wrote:
>> > ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
>> > ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
>> >
>>
>> XP: (configured by wizard, from MMC):
>>
>> "InboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: ANY/0, dst IP: MY/0
>>
>> "OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: MY/0, dst IP: ANY/0
>
> But if you've not given any tunnel endpoints, then you have configured
> *transport* mode, and that won't work for communicating with arbitrary hosts
> on the Internet.
>
> Perhaps you've got tunnel mode (I guess you must if you have tunnel mode in
> your SPD), but I'd still prefer working from the command line. To get
> ipseccmd.exe run setup.exe from the \support\tools directory on the XP SP2
> CD.

Well - both ways work. The one from the wizard and the one by ipseccmd. The
difference is I don't know how to deactivate ipseccmd filters ;-)

> Note that in XP you can give 'MY' as a policy source/destination ('0' in
> ipseccmd), but not as a tunnel endpoint. You must give the explicit IP
> address, as in the -t example above.
>
>> flush;
>> spdflush;
>> spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec
>> esp/tunnel/10.2.0.2-10.2.0.1/require;
>> spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec
>> esp/tunnel/10.2.0.1-10.2.0.2/require;
>
> 10.2.0.2/8 can never match any IP address, but perhaps the kernel masks it
> silently to 10.0.0.0/8

Ah, my fault. That's corrected now. But didn't help.

>> > Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
>> > browse a website from the XP box, could be very enlightening.
>> >
>>
>> Ermmm... on ndis0 I can only see encrypted content, but haven't
>> tried fxp0, thought nothing interesting will be happening, as I
>> can't browse from XP...
>
> Not true. Seeing what packets are sent out to the Internet, even if nothing
> comes back, is definitely interesting. It would show, for example, if your
> NAT isn't working.
>
> Even if nothing at all goes out of fxp0, that is also interesting. It shows
> your tunnel is not configured correctly. (Presumably you do have IP
> forwarding turned on, since the gateway works in the absence of IPSEC)
>
> I suggest you don't "browse" from XP: start by sending pings. Then you have
> a steady stream of packets, and DNS doesn't get in the way either.

From XP I pinged 10.2.0.1 with IPSEC on

tcpdump -i ndis0 host 10.2.0.2 on 10.2.0.1 showed encrypted packets
tcpdump -i fxp0 host 10.2.0.2 on 10.2.0.1 showed nothing...
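The SPD selector mistake discussed in this thread (10.2.0.2/8) and the ping-plus-tcpdump diagnostic Brian suggests, as an added example that is not part of the thread (the ipseccmd and setkey lines in the messages above are the participants' own): a POSIX sh helper that canonicalises a CIDR selector the way the kernel would mask it, refuses a non-canonical one before it is loaded with setkey(8), and prints a tunnel-mode ESP policy pair for the thread's addresses. The addresses and interface names (10.2.0.1, 10.2.0.2, ndis0, fxp0) come from the thread; the /32 client selector, the /etc/ipsec.conf path, and the NAT being configured separately on fxp0 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Checks setkey(8) SPD selectors for host bits set below the prefix length
# (the thread's "10.2.0.2/8" silently becomes 10.0.0.0/8) and emits a
# tunnel-mode ESP policy for a single client host behind a NAT gateway.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# canonical_cidr A.B.C.D/N -> the same prefix with host bits cleared
# (a bare address is treated as /N = 32, as setkey does)
canonical_cidr() {
    ip=${1%/*}; plen=${1#*/}
    if [ "$ip" = "$1" ]; then plen=32; fi
    n=$(ip_to_int "$ip")
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    echo "$(int_to_ip $(( n & mask )))/$plen"
}

# spd_check A.B.C.D/N -> "ok" (status 0) if canonical, otherwise what the
# kernel would actually install (status 1), so it can gate `setkey -f`.
spd_check() {
    canon=$(canonical_cidr "$1")
    if [ "$canon" = "$1" ]; then
        echo ok; return 0
    fi
    echo "non-canonical selector: $1 is installed as $canon"
    return 1
}

# setkey_policy CLIENT GATEWAY -> tunnel-mode ESP policy pair for the
# thread's topology: XP client (CLIENT, on the ndis0 side) <-- ESP -->
# gateway (GATEWAY). Inner selector is the single client host (/32,
# an assumption) to anywhere; NAT out of fxp0 is configured separately.
setkey_policy() {
    client=$1; gw=$2
    cat <<EOF
flush;
spdflush;
spdadd ${client}/32 0.0.0.0/0 any -P in ipsec esp/tunnel/${client}-${gw}/require;
spdadd 0.0.0.0/0 ${client}/32 any -P out ipsec esp/tunnel/${gw}-${client}/require;
EOF
}

# Usage on the gateway (assumed path /etc/ipsec.conf):
#   spd_check 10.2.0.2/8 || echo "fix the selector before loading it"
#   setkey_policy 10.2.0.2 10.2.0.1 > /etc/ipsec.conf && setkey -f /etc/ipsec.conf
#   sysctl net.inet.ip.forwarding        # must be 1 or nothing is forwarded
#   tcpdump -ni ndis0 esp                # ESP from the XP box arriving
#   tcpdump -ni fxp0 icmp                # decapsulated, NATed pings leaving
# Note: a ping to the gateway's own address (10.2.0.1) is answered locally
# and never reaches fxp0; to exercise forwarding and NAT, ping an address
# beyond the gateway.
```

The selector check is the part worth keeping around: setkey accepts a prefix with host bits set and masks it without complaint, so a policy that looks like "this one client" can quietly become "all of 10/8", which is the kind of silent widening you want to catch before the SPD is loaded.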