Date:      Thu, 20 Apr 2000 12:32:03 -0400 (EDT)
From:      Jim Flowers <jflowers@ezo.net>
To:        Erwan Arzur <erwan@netvalue.com>
Cc:        itojun@iijlab.net, Muhammad Najib <najib@kdu.edu.my>, freebsd-security@FreeBSD.ORG
Subject:   Re: VPN using IPSec
Message-ID:  <Pine.BSI.3.91.1000420121629.13556N-100000@lily.ezo.net>
In-Reply-To: <38FF2BE1.FBBCBF1@netvalue.com>

I spent quite a bit of time investigating the interaction of Skip tunnels 
with NAT and was finally able to configure just about every possible 
combination.  The technique lies in trapping the inbound processed 
packets (unencapsulated, authenticated, and decrypted) with an ipfw rule before 
they are processed by the divert rule and trapping the outbound packets 
similarly (different rule).  In both cases the rules select on 
destination addresses (look carefully) and interface and you should 
have one-pass set so that ipfw stops processing when a rule is matched.  
Nomads (individual hosts with dynamic IP addresses) are a little different 
but can also be handled if you know how.

While I have not studied the FreeBSD implementation, the only 
requirement I see for this technique to work just as well with IPSec is 
that IPSec processing be conducted between the interface driver and ipfw (Skip 
is shimmed between the driver and the IP layer).

I'll be glad when you guys get the bugs worked out on a stable IPSec and 
a suitable key administration strategy.  I feel like the Lone Ranger 
using Skip (which does everything I want to do with VPNs).

Additional information can be found on my posts to freebsd-security by 
searching for skip AND nat.

Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio

On Thu, 20 Apr 2000, Erwan Arzur wrote:

> > >- at the same time allow Internet connectivity throughout the world
> > >using NAT
> > >
> > >I've been understood by the doc that I need to use the 'tunnel mode'
> > >instead to achieve this. I followed the documentation in the handbook
> > >(http://www.freebsd.org/handbook/ipsec.html) but failed. Here's the
> > >conf files:
> > 
> >         NAT - IPsec interaction will be very tricky, so I will not talk about
> >         that.
> 
> I tried for hours to get the same kind of network setup as the
> original poster, and did not understand why ICMP packets were normally
> coming in to the gateway through the tunnel while the responses were
> always sent without any kind of encapsulation, until I discovered that
> all these packets were natted, thus never matched by the SPD ...
> 
> NAT is not your friend when you try to setup an IPSEC tunnel.
> --
> UNIX *IS* user friendly.  It's just selective about who its friends are.
>                                                                --unknown
> 
> 
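The rule ordering Jim describes above, written out as an added example (this is not code from the post or from the FreeBSD handbook); the interface name, the two private networks and the natd port are assumed values:

```shell
#!/bin/sh
# Added example: ipfw rule order that keeps Skip tunnel traffic away from
# the natd divert rule.  All addresses and interface names are assumed.
#   fxp1        external interface, where natd and the tunnel both live
#   LOCAL_NET   LAN behind this gateway
#   REMOTE_NET  LAN behind the far end of the tunnel
EXT_IF=fxp1
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.2.0/24
NATD_PORT=8668

# Print the rules in the order they must be installed.  Each trap rule
# selects on the destination network and the interface, and sits in front
# of the divert rule so the matching packets never reach natd.
vpn_nat_rules() {
    # As the post recommends: packets coming back from natd are accepted
    # without a second walk through the rules.
    echo "sysctl net.inet.ip.fw.one_pass=1"
    # Inbound: Skip has already stripped and decrypted the tunnel packet
    # before ipfw sees it, so the inner packet is addressed to LOCAL_NET.
    echo "ipfw add 1000 allow ip from $REMOTE_NET to $LOCAL_NET in via $EXT_IF"
    # Outbound: traffic for the far LAN leaves with its private source
    # address intact; Skip encapsulates it after ipfw is done.
    echo "ipfw add 1010 allow ip from $LOCAL_NET to $REMOTE_NET out via $EXT_IF"
    # Everything else crossing the external interface is translated.
    echo "ipfw add 2000 divert $NATD_PORT ip from any to any via $EXT_IF"
    echo "ipfw add 65000 allow ip from any to any"
}

# Sanity check: succeed only if both trap rules precede the divert rule.
check_rule_order() {
    vpn_nat_rules | awk '
        /allow ip from .* via/ && !seen_divert { vpn++ }
        /divert/                              { seen_divert = 1 }
        END { exit (vpn == 2) ? 0 : 1 }'
}

# "sh vpn_rules.sh" prints the commands; "sh vpn_rules.sh apply" runs
# them (needs root, with natd already listening on NATD_PORT).
if [ "$1" = apply ]; then
    vpn_nat_rules | sh
else
    vpn_nat_rules
fi
```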


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message