From: Jean-Yves Lefort
To: freebsd-questions@FreeBSD.org
Date: Sun, 11 Nov 2001 19:30:30 +0100
Subject: IPsec and NAT
Message-ID: <20011111193030.A4767@jsite.lefort.net>

Hi all,

Here is a question regarding the interaction of IPsec and NAT.
First I'll design the schema of my local network (hoping my ASCII art is decent ;)

                        the world
                            |
                      _____________
                     | cable modem |
                      -------------
                            |
                   _____________________
                  |  ed0                |
                  |      Host A         |
                  |     (gateway)       |
                  |    FreeBSD 4.4      |
                  |    192.168.1.1      |
                  |  ed1                |
                   ---------------------
                            |
 ---------------------------------------------------------------------
 |                               hub                                 |
 ---------------------------------------------------------------------
        |                        |                        |
  _____________            _____________            _____________
 |   Host B    |          |   Host C    |          |   Host D    |
 |  (myhost)   |          |   win me    |          |   win me    |
 | FreeBSD 4.4 |          | 192.168.1.3 |          | 192.168.1.4 |
 | 192.168.1.2 |          |             |          |             |
  -------------            -------------            -------------

The cable modem has a unique IP address and hosts B-C-D are being masqueraded using natd running on the gateway.

I established a secured IPsec link between Host A and Host B, in order to negate the usefulness of packet-sniffing from Host C and D.

Here is /etc/ipsec.conf on Host A:
------------------------------------------------------------------------------
add 192.168.1.1 192.168.1.2 ah 15700 -A hmac-md5 "secretkey";
add 192.168.1.2 192.168.1.1 ah 24500 -A hmac-md5 "secretkey";
add 192.168.1.1 192.168.1.2 esp 15701 -E blowfish-cbc "secrettoo";
add 192.168.1.2 192.168.1.1 esp 24501 -E blowfish-cbc "secrettoo";

spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
        esp/transport/192.168.1.1-192.168.1.2/use
        ah/transport/192.168.1.1-192.168.1.2/use;
------------------------------------------------------------------------------

Here is /etc/ipsec.conf on Host B:
------------------------------------------------------------------------------
add 192.168.1.1 192.168.1.2 ah 15700 -A hmac-md5 "secretkey";
add 192.168.1.2 192.168.1.1 ah 24500 -A hmac-md5 "secretkey";
add 192.168.1.1 192.168.1.2 esp 15701 -E blowfish-cbc "secrettoo";
add 192.168.1.2 192.168.1.1 esp 24501 -E blowfish-cbc "secrettoo";

spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
        esp/transport/192.168.1.2-192.168.1.1/use
        ah/transport/192.168.1.2-192.168.1.1/use;
------------------------------------------------------------------------------

The link is working fine, and when I start a packet sniffer on my own box and start sampling, I see that all packets with src-dst 192.168.1.1-192.168.1.2 or src-dst 192.168.1.2-192.168.1.1 (for instance packets from my box to the gateway's squid cache, from the gateway's sendmail to my box's one, etc.) are being encrypted correctly using esp.

But I see that packets having a source address other than 192.168.1.1 and coming to my host, for instance the packet matching src-dst of 64.25.34.1-192.168.1.2, are left unencrypted.

What should I change in my setup in order to enable masqueraded connections to be also encrypted? I'm aware of the fact that there is no way to encrypt them before the gateway, but I just want them to be encrypted as soon as they have been masqueraded, as shown on the following scheme:

Packet path:

                 (1)                          (2)
 the world ----------------------- gateway ---------------------- myhost
            unencrypted segment              encrypted segment

In segment 1, the packet still has the real header of 64.25.34.1->210.40.25.32, where 210.40.25.32 is the public IP address assigned to my cable modem. When reaching the gateway, the nat daemon running on it changes the header, so that when re-emitted by the gateway, it now has the header 64.25.34.1->192.168.1.2 and can reach my masqueraded box successfully.

Any help will be greatly appreciated.

Thanks in advance,

Jean-Yves Lefort
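As an added example (not part of the original post or of FreeBSD's own code), a small Python model of how the posted spdadd selectors pick traffic: the gateway's SPD sees the packet's addresses after natd has rewritten them, so a reply that has become 64.25.34.1->192.168.1.2 matches no selector of the posted 192.168.1.1->192.168.1.2 policy and leaves ed1 in cleartext. The script also checks an assumed alternative, a tunnel-mode policy whose source selector is 0.0.0.0/0 (not from the post); the matcher is a simplified model of setkey(8) SPD lookup, not the kernel's implementation.

```python
import ipaddress
import re

# Host A's outbound policy exactly as posted in the mail.
SPD_POSTED = (
    "spdadd 192.168.1.1 192.168.1.2 any -P out ipsec "
    "esp/transport/192.168.1.1-192.168.1.2/use "
    "ah/transport/192.168.1.1-192.168.1.2/use;"
)
# Assumed alternative (not from the post): a tunnel-mode policy whose source
# selector covers any address, so NAT-rewritten forwarded packets also match.
SPD_TUNNEL = (
    "spdadd 0.0.0.0/0 192.168.1.2 any -P out ipsec "
    "esp/tunnel/192.168.1.1-192.168.1.2/require;"
)

_SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(\S+)(.*?);", re.S)

def parse_spd(text):
    """Return policies as (src_net, dst_net, proto, direction, action, rules)."""
    policies = []
    for src, dst, proto, direction, action, rest in _SPD_RE.findall(text):
        rules = rest.split()  # e.g. ['esp/transport/.../use', 'ah/transport/.../use']
        policies.append((ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False),
                         proto, direction, action, rules))
    return policies

def lookup(policies, src, dst, direction):
    """First policy whose selectors cover the packet, or None (=> cleartext)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in policies:
        src_net, dst_net, _proto, pdir, _action, _rules = pol
        if pdir == direction and s in src_net and d in dst_net:
            return pol
    return None

def coverage(policies, packets):
    """Map 'src->dst' to the protocols applied, or 'cleartext' if nothing matches."""
    report = {}
    for src, dst, direction in packets:
        pol = lookup(policies, src, dst, direction)
        proto = "cleartext" if pol is None else "+".join(r.split("/")[0] for r in pol[5])
        report[f"{src}->{dst}"] = proto
    return report

# Constructed sample traffic leaving Host A on ed1: the gateway's own squid
# reply, and a reply from the Internet after natd rewrote its destination.
PACKETS = [("192.168.1.1", "192.168.1.2", "out"), ("64.25.34.1", "192.168.1.2", "out")]

if __name__ == "__main__":
    for label, text in (("posted SPD", SPD_POSTED), ("tunnel SPD", SPD_TUNNEL)):
        print(label, coverage(parse_spd(text), PACKETS))
```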