Date:      Wed, 07 Mar 2001 13:43:10 +1100 (EST)
From:      Stephen Cimarelli <stephen@clari.net.au>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: IPSEC + natd + IPFW
Message-ID:  <XFMail.010307134310.stephen@clari.net.au>
In-Reply-To: <3AA58CBF.819707E6@isi.edu>

On 07-Mar-01 Lars Eggert wrote:
> Stephen Cimarelli wrote:
>> I have managed to get IPsec+gif tunnelling to work but am having trouble
>> setting up firewall rules; it seems that received ESP packets pass through
>> the firewall rule set twice and hit my natd divert rules.
> 
> Do you use IPsec tunnel mode, or IPsec transport mode + gif tunnels to do
> the tunneling?

Well, this is where it starts to get funny. I have 2 HOWTOs.

Both HOWTOs use gif tunnels, but the FreeBSD IPsec mini-HOWTO uses IPsec
transport + gif tunnels, and the IPSEC VPN tunnel on FreeBSD 4.x HOWTO uses
IPsec tunnel + gif tunnels.

------------------------------
For me only IPsec tunnel + gif tunnels works.


> Also, in the ipfw rules below, your "via" clauses reference
> tun0, which is neither gif nor IPsec tunneling.

Yes, but rules 110 and 115 are what I added to get it to work with natd.
Without those rules, ESP packets coming back in were getting diverted at rule
120. It seems as if the ESP was getting decoded and then getting internally
fed back through the ipfw rules.

> 
>> To get around this I had to add a rule like 00110 and 00115
>> 
>> 00001   150   20400 count esp from any to any
>> 00010   150   20400 allow esp from any to any in recv tun0
>> 00011     0       0 allow esp from any to any out xmit tun0
>> 00110  1560  231661 allow ip from 192.168.0.0/16 to 192.168.0.0/16
>> 00115     9     756 allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
>> 00120  6193 2543953 divert 8668 tcp from any to any out xmit tun0
>> 00120    15    1233 divert 8668 udp from any to any out xmit tun0
>> 00120     0       0 divert 8668 icmp from any to any out xmit tun0
>> 00121  6132 6364485 divert 8668 tcp from any to any in recv tun0
>> 00121    16    3516 divert 8668 udp from any to any in recv tun0
>> 00121    21    1764 divert 8668 icmp from any to any in recv tun0
> -- 
> Lars Eggert <larse@isi.edu>                 Information Sciences Institute
> http://www.isi.edu/larse/                University of Southern California

----------------------------------
E-Mail: Stephen Cimarelli <stephen@clari.net.au>
Date: 07-Mar-01
Time: 13:28:07
ClariNet Internet Solutions
+61 3 9486 0811
www.clari.net.au
----------------------------------
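To make the behaviour Stephen describes concrete, here is an added example (not code from the thread) that models his rule set as a first-match list and traces one inbound ESP packet through ipfw twice: once as the ESP wrapper, then as the decrypted inner packet re-injected on tun0, which is the poster's reading of what happens. Host addresses, the assumption that the re-injected packet appears as "in recv tun0", and the simplified rule fields are constructed for the model.

```python
# Added example, not from the original thread: a minimal first-match model of
# the poster's ipfw rule set. It shows why a decrypted ESP payload that is
# re-injected into ipfw (as the poster describes) reaches natd divert rule 121
# unless an earlier allow rule such as 115 catches it. Hosts are constructed.
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
# (number, action, proto, src, dst, interface-or-None, direction-or-None)
BASE_RULES = [
    (1,   "count",  "esp", ANY, ANY, None,   None),
    (10,  "allow",  "esp", ANY, ANY, "tun0", "in"),
    (11,  "allow",  "esp", ANY, ANY, "tun0", "out"),
    (110, "allow",  "ip",  "192.168.0.0/16", "192.168.0.0/16", None, None),
    (120, "divert", "tcp", ANY, ANY, "tun0", "out"),
    (121, "divert", "tcp", ANY, ANY, "tun0", "in"),
]
# The rule the poster added: allow ip from 10.10.0.0/16 to 192.168.0.0/16 via tun0
FIX_RULE = (115, "allow", "ip", "10.10.0.0/16", "192.168.0.0/16", "tun0", None)

def rule_matches(rule, pkt):
    _, _, proto, src, dst, iface, direction = rule
    return (proto in ("ip", pkt["proto"])            # "ip" matches any protocol
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and iface in (None, pkt["iface"])        # None: any interface ("via" on both dirs)
            and direction in (None, pkt["dir"]))

def first_match(rules, pkt):
    """Return (rule number, action) of the first terminating rule; 'count' never terminates."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule[1] != "count" and rule_matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"   # ipfw's default rule (deny unless built to accept)

def trace_esp_delivery(with_fix):
    """Two ipfw passes for one inbound ESP packet: the wrapper, then the inner packet."""
    rules = BASE_RULES + ([FIX_RULE] if with_fix else [])
    # Constructed sample: ESP between two gateways, carrying a remote-LAN to local-LAN TCP packet
    esp = {"proto": "esp", "src": "203.0.113.7", "dst": "198.51.100.9", "iface": "tun0", "dir": "in"}
    inner = {"proto": "tcp", "src": "10.10.1.5", "dst": "192.168.1.10", "iface": "tun0", "dir": "in"}
    return first_match(rules, esp), first_match(rules, inner)

if __name__ == "__main__":
    for fix in (False, True):
        label = "with rule 115:   " if fix else "without rule 115:"
        print(label, trace_esp_delivery(fix))
```

Without rule 115 the inner packet falls through to the natd divert at 121; with it, the decrypted traffic is allowed before natd ever sees it, which is exactly the effect of the poster's added rules.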
