Date:      Sun, 11 Nov 2001 19:30:30 +0100
From:      Jean-Yves Lefort <jylefort@brutele.be>
To:        freebsd-questions@FreeBSD.org
Subject:   IPsec and NAT
Message-ID:  <20011111193030.A4767@jsite.lefort.net>

Hi all,

Here is a question regarding the interaction of IPsec and NAT.
First I'll draw the schema of my local network (hoping my ASCII art is
decent ;)

     the world
          |
    _____________
   | cable modem |
    -------------
          |
          |                     _____________
          |          _____     |             |
          \_________| ed0 |____| Host A      |
                    |_____|    | (gateway)   |
                     _____     |             |
           _________| ed1 |____| FreeBSD 4.4 |
          /         |_____|    | 192.168.1.1 |
          |                    |_____________|
          |
    _________________________________________________________________________
   |                                       hub                               | 
    -------------------------------------------------------------------------
      |                      |                   |
      |                      |                   |
  _____________        _____________      _____________
 | Host B      |      | Host C      |    | Host D      |
 | (myhost)    |      | win me      |    | win me      |
 | FreeBSD 4.4 |      | 192.168.1.3 |    | 192.168.1.4 |
 | 192.168.1.2 |       -------------      -------------
  -------------

The cable modem has a unique IP address and hosts B, C and D are being masqueraded
using natd running on the gateway.

I established a secured IPsec link between Host A and Host B, in order to
negate the usefulness of packet sniffing from Hosts C and D.

Here is /etc/ipsec.conf on Host A:
------------------------------------------------------------------------------
add 192.168.1.1 192.168.1.2 ah 15700 -A hmac-md5 "secretkey";
add 192.168.1.2 192.168.1.1 ah 24500 -A hmac-md5 "secretkey";
add 192.168.1.1 192.168.1.2 esp 15701 -E blowfish-cbc "secrettoo";
add 192.168.1.2 192.168.1.1 esp 24501 -E blowfish-cbc "secrettoo";

spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
        esp/transport/192.168.1.1-192.168.1.2/use
        ah/transport/192.168.1.1-192.168.1.2/use;
------------------------------------------------------------------------------

Here is /etc/ipsec.conf on Host B:
------------------------------------------------------------------------------
add 192.168.1.1 192.168.1.2 ah 15700 -A hmac-md5 "secretkey";
add 192.168.1.2 192.168.1.1 ah 24500 -A hmac-md5 "secretkey";
add 192.168.1.1 192.168.1.2 esp 15701 -E blowfish-cbc "secrettoo";
add 192.168.1.2 192.168.1.1 esp 24501 -E blowfish-cbc "secrettoo";

spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
        esp/transport/192.168.1.2-192.168.1.1/use
        ah/transport/192.168.1.2-192.168.1.1/use; 
------------------------------------------------------------------------------

The link is working fine, and when I start a packet sniffer on my own box
and start sampling, I see that all packets with src-dst 192.168.1.1-192.168.1.2
or src-dst 192.168.1.2-192.168.1.1 (for instance packets from my box to the
gateway's squid cache, from the gateway's sendmail to my box's one, etc.)
are being encrypted correctly using ESP.
But I see that packets coming to my host with a source address other than
192.168.1.1, for instance the packet matching src-dst of 64.25.34.1-192.168.1.2,
are left unencrypted.

What should I change in my setup in order to enable masqueraded connections
to also be encrypted? I'm aware of the fact that there is no way to encrypt
them before the gateway, but I just want them to be encrypted as soon as they
have been masqueraded, as shown in the following scheme:

Packet path:
                  (1)                                (2)
the world ----------------------- gateway ---------------------- myhost
            unencrypted segment              encrypted segment

In segment 1, the packet still has the real header 64.25.34.1->210.40.25.32,
where 210.40.25.32 is the public IP address assigned to my cable modem.
When it reaches the gateway, the NAT daemon running on it changes the header, so
that when re-emitted by the gateway it now has the header 64.25.34.1->192.168.1.2
and can reach my masqueraded box successfully.

Any help will be greatly appreciated.

Thanks in advance,

	Jean-Yves Lefort
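Added example (editor's, not part of the post or of FreeBSD's code): a small model of the KAME SPD lookup that FreeBSD 4.x IPsec performs on outbound packets, run over the gateway policy quoted above. It parses the setkey(8) spdadd statements, pushes the post's reply packet through a natd-like destination rewrite, and shows why the result is sent in the clear: the selector 192.168.1.1 -> 192.168.1.2 only covers packets whose source is the gateway itself, and the masqueraded reply has source 64.25.34.1. The block also tries a tunnel-mode policy with a wildcard source selector, which is the editor's suggestion for covering NATed traffic, not something the post proposes. Assumptions, all marked in the code: the SPD is searched first-match in order and no default policy is installed; in transport mode the SA endpoints must equal the packet addresses (which is why a wildcard transport policy cannot help); the natd state table is constructed; a mirrored `-P in` policy on Host B and tunnel-mode SAs would be needed in a real deployment.

```python
"""Simplified model of the KAME SPD lookup used by FreeBSD 4.x IPsec,
run over the policies from the post. Added example, not kernel code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str    # "esp" or "ah"
    mode: str     # "transport" or "tunnel"
    sa_src: str   # SA endpoints named in the policy
    sa_dst: str
    level: str    # "use" or "require"


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network   # selectors; a bare address is /32
    dst: ipaddress.IPv4Network
    direction: str               # "in" or "out"
    rules: Tuple[Rule, ...]


def parse_spdadd(text: str) -> Policy:
    """Parse one setkey(8) 'spdadd SRC DST any -P DIR ipsec RULE...;'
    statement. Line breaks inside the statement are ignored, as setkey does."""
    toks = text.replace(";", " ").split()
    if toks[0] != "spdadd" or toks[3] != "any" or toks[4] != "-P" or toks[6] != "ipsec":
        raise ValueError("unsupported spdadd form: " + text)
    rules = []
    for spec in toks[7:]:
        proto, mode, endpoints, level = spec.split("/")
        sa_src, sa_dst = endpoints.split("-")
        rules.append(Rule(proto, mode, sa_src, sa_dst, level))
    return Policy(ipaddress.ip_network(toks[1]), ipaddress.ip_network(toks[2]),
                  toks[5], tuple(rules))


def lookup(spd: List[Policy], pkt_src: str, pkt_dst: str,
           direction: str = "out") -> Optional[Policy]:
    """First policy whose selectors cover the packet (assumption: first-match
    in list order). None means the packet bypasses IPsec (assumption: no
    'default' policy installed)."""
    s, d = ipaddress.ip_address(pkt_src), ipaddress.ip_address(pkt_dst)
    for p in spd:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def decide(spd: List[Policy], pkt_src: str, pkt_dst: str) -> str:
    """What the gateway does with an outbound packet: 'cleartext' when no
    policy covers it, otherwise the protection the matching rules apply."""
    p = lookup(spd, pkt_src, pkt_dst)
    if p is None:
        return "cleartext"
    applied = []
    for r in p.rules:
        # Transport mode keeps the packet's own IP header, so an SA can only
        # be applied when its endpoints equal the packet addresses (model
        # assumption). Level 'use' then falls back to cleartext, 'require' drops.
        if r.mode == "transport" and (r.sa_src != pkt_src or r.sa_dst != pkt_dst):
            if r.level == "require":
                return "dropped"
            continue
        applied.append(f"{r.proto}/{r.mode}")
    return "+".join(applied) if applied else "cleartext"


def natd_inbound(nat_table: dict, pkt_src: str, pkt_dst: str, public_ip: str):
    """Model natd rewriting the destination of a reply arriving from the
    world (segment 1 -> segment 2 in the post). nat_table is a constructed
    stand-in for natd's state: remote address -> masqueraded host."""
    if pkt_dst == public_ip and pkt_src in nat_table:
        return pkt_src, nat_table[pkt_src]
    return pkt_src, pkt_dst


# Host A's outbound policy exactly as quoted in the post.
GATEWAY_SPD_FROM_POST = [parse_spdadd("""
spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
        esp/transport/192.168.1.1-192.168.1.2/use
        ah/transport/192.168.1.1-192.168.1.2/use;""")]

# Editor's suggestion, not in the post: any source going to Host B gets a
# tunnel between the gateway and Host B, so the outer header is A -> B.
TUNNEL_POLICY = parse_spdadd(
    "spdadd 0.0.0.0/0 192.168.1.2/32 any -P out ipsec "
    "esp/tunnel/192.168.1.1-192.168.1.2/require;")

PUBLIC_IP = "210.40.25.32"                     # from the post
NAT_TABLE = {"64.25.34.1": "192.168.1.2"}      # constructed natd state


def trace(spd: List[Policy], world_src: str = "64.25.34.1"):
    """Run the post's reply packet through NAT, then the gateway's SPD."""
    src, dst = natd_inbound(NAT_TABLE, world_src, PUBLIC_IP, PUBLIC_IP)
    return (src, dst, decide(spd, src, dst))


if __name__ == "__main__":
    print("gateway -> myhost:", decide(GATEWAY_SPD_FROM_POST, "192.168.1.1", "192.168.1.2"))
    print("NATed reply, post's SPD:", trace(GATEWAY_SPD_FROM_POST))
    print("NATed reply, tunnel policy added:", trace(GATEWAY_SPD_FROM_POST + [TUNNEL_POLICY]))
```

The first call reports `esp/transport+ah/transport`, the second reports `cleartext` for the 64.25.34.1 -> 192.168.1.2 packet, and the third reports `esp/tunnel` once the wildcard tunnel policy is present. The tunnel policy is appended after the existing one so gateway-originated traffic keeps its transport-mode protection; Host B would need the matching `-P in` policy, and both sides would need SAs usable in tunnel mode, for this to work on real hosts.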
