Date:      Fri, 13 Apr 2001 18:45:07 -0700
From:      steve@Watt.COM (Steve Watt)
To:        Gunther Schadow <gunther@aurora.regenstrief.org>
Cc:        questions@FreeBSD.ORG
Subject:   Re: IPsec painful setup...
Message-ID:  <200104140145.f3E1j7298280@wattres.Watt.COM>
In-Reply-To: Gunther Schadow <gunther@aurora.regenstrief.org> "Re: IPsec painful setup..." (Apr 14,  1:23)

I have tried both transport and tunnel mode; it seemed clear to me that
transport wouldn't work, but I had to try it anyhow.  I'd dearly love to
use the FreeBSD box directly as the NAT box, but it's a DSL installation
where the DSL line comes into a port on the router.  Unless there are
PCI DSL cards that are likely to work in such a scenario, I think I get
to wrestle with this.

You said "old gif tunnel method"; that implies that there's some new
method?  Where can I find info on that?  I'm currently using gif tunnels,
racoon for isakmp, and ipsec in tunnel mode.

Thanks,

On Apr 14,  1:23, Gunther Schadow wrote:
} Subject: Re: IPsec painful setup...
} if you try the old gif tunnel method with IPsec transport mode
} ESP it will not work through a NAT box. The problem is transport
} mode will choke on any change in the IP header, and NAT changes
} the src address and port. I suggest you use FreeBSD as the 
} NAT box. Works nicely, if you have just one tunnel. Also if you
} have an "other IPsec capable router" at the other end, it will
} most certainly not understand the gif-tunnel + ESP transport mode
} hack. You need to use IPsec ESP tunnel mode properly. Tunnel
} mode might work through the NAT box, I believe.
} 
} regards
} -Gunther
} 
} Steve Watt wrote:
} > 
} > I've got a situation where I'm trying to set up an IPsec ESP tunnel
} > to a box that's on the far side of a NAT box.  I've successfully set
} > up an IPsec tunnel to my box at home, but it's smart enough to have
} > a routable IP address on one interface, unlike this other situation.
} > 
} > Here's a picture of what I'm trying; maybe someone can help:
} > 
} >       (internal net A)  (DSL line)
} >  +---------+ | +---------+ |        +-------------+
} >  | FreeBSD | v |         | v        | Other IPsec |
} >  |   box   +---+ NAT rtr +-- inet --+   capable   +--- internal net B
} >  |  ("A")  |   |         |          |   router    |
} >  +---------+   +---------+          +-------------+
} > 
} > Because it's a DSL line from the NATing router, I can't just hook up
} > the network interface with the routable address to box A.
} > 
} > The starting configuration is pretty much as described in the IPsec
} > mini-howto on DaemonNews.
} > 
} > So, the questions are as follows:
} > 
} > 1.  What address should I configure the local part of gif0 with?  The one
} >     associated with the DSL line, or the (static) NATted address of box A?
} > 2.  Same question, but in the SPD
} > 3.  Will I need to consume an extra subnet for the internal address of
} >     gif0, or put it on internal net B's range (with a proxy arp), or ...?
} > 
} > I can't seem to locate anything that provides adequate clues in this
} > area; maybe I'm just SOL and need to upgrade the NAT rtr?
} > 
} > Thanks,
} > 
} > --
} > Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
} >  Internet: steve @ Watt.COM                         Whois: SW32
} >    Free time?  There's no such thing.  It just comes in varying prices...
} > 
} > To Unsubscribe: send mail to majordomo@FreeBSD.org
} > with "unsubscribe freebsd-questions" in the body of the message
} 
} -- 
} Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
} Medical Information Scientist      Regenstrief Institute for Health Care
} Adjunct Assistant Professor        Indiana University School of Medicine
} tel:1(317)630-7960                         http://aurora.regenstrief.org
}-- End of excerpt from Gunther Schadow



-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
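Gunther's point that transport mode "will choke on any change in the IP header", illustrated with an added Python simulation that is not part of this thread: the TCP checksum covers a pseudo-header containing the IP source address, so after the NAT rewrites that address a cleartext segment can be patched up, but an ESP transport-mode payload cannot, and the far end's checksum fails, whereas in tunnel mode the inner header rides inside ESP untouched. Addresses are constructed, and ESP encryption is stood in for by treating the payload as opaque to the NAT (no real crypto is performed).

```python
import struct
from ipaddress import IPv4Address

BOX_A, NAT_PUBLIC, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed addresses


def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when a checksummed block verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, seg: bytes) -> bytes:
    """The TCP pseudo-header binds the checksum to the IP source and destination addresses."""
    return IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, 6, len(seg))


def tcp_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) plus payload, checksum filled in at offset 16."""
    seg = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    return seg[:16] + struct.pack("!H", csum(pseudo_header(src_ip, dst_ip, seg) + seg)) + seg[18:]


def tcp_ok(src_ip: str, dst_ip: str, seg: bytes) -> bool:
    return csum(pseudo_header(src_ip, dst_ip, seg) + seg) == 0


def nat_rewrite(pkt: tuple, public_ip: str) -> tuple:
    """NAT replaces the outer source address. It can only fix the TCP checksum when it
    can see the segment; an ESP payload is opaque to it, so that is left as-is."""
    src, dst, proto, body = pkt
    if proto == "tcp":
        body = tcp_segment(public_ip, dst, body[20:])  # cleartext: NAT recomputes the checksum
    return (public_ip, dst, proto, body)


def receive(pkt: tuple) -> bool:
    """Peer strips ESP and verifies the TCP checksum against the header the segment arrived under."""
    src, dst, proto, body = pkt
    if proto == "esp-tunnel":          # inner IP header travelled inside ESP, untouched by the NAT
        inner_src, inner_dst, seg = body
        return tcp_ok(inner_src, inner_dst, seg)
    return tcp_ok(src, dst, body)      # transport mode or plain TCP: the outer header is the only one


def survives_nat(mode: str) -> bool:
    """mode is 'tcp', 'esp-transport' or 'esp-tunnel'; True if the peer accepts the segment."""
    seg = tcp_segment(BOX_A, PEER, b"hello")
    body = (BOX_A, PEER, seg) if mode == "esp-tunnel" else seg
    return receive(nat_rewrite((BOX_A, PEER, mode, body), NAT_PUBLIC))
```

A port-translating NAT has a second problem this model leaves out: ESP carries no port numbers for it to map.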