Date:      Mon, 11 Jun 2001 00:46:54 -0700
From:      steve@Watt.COM (Steve Watt)
To:        questions@freebsd.org
Cc:        lucky@lansters.com
Subject:   Re: IPSec with ipfw and ipnat (oh my)
Message-ID:  <200106110746.f5B7kte03877@wattres.Watt.COM>
In-Reply-To: <000001c0ec6d$c1fa4a50$0200010a@lucky>

In article <000001c0ec6d$c1fa4a50$0200010a@lucky> lucky@lansters.com wrote:
>What is the latest information on getting a scenario like this working:
>
>Two FreeBSD firewall/gateway machines, each with one routable internet ip
>and a lan with reserved ip space behind them. I am attempting to establish
>an encrypted IPSec-based VPN between the lans that are in reserved IP space,
>as well as run ipnat for the lans to access the normal internet and run ipfw
>rules to block bad traffic. I have seen discussion that this does not work
>under FreeBSD and that the OpenBSD guys have a good solution with the enc
>interface for IPSec-related traffic. I am having no success in getting a
>setup like this to work under FreeBSD. Does anyone know what I have to do to
>get this working?

I've got this working, in almost precisely that setup.

My network has 199.33.193.128/26 as the inside (currently non-routable)
address.  The network I connect to uses 192.168.1.0/24.


ipsec.conf has:
 - - - 8< - - -
spdadd 199.33.193.128/26 192.168.1.0/24 any -P out ipsec
	esp/tunnel/{my_public_ip}-{remote_public_ip}/require;
spdadd 192.168.1.0/24 199.33.193.128/26 any -P in ipsec
	esp/tunnel/{remote_public_ip}-{my_public_ip}/require;
 - - - >8 - - -

racoon.conf is pretty much the sample one -- make sure it's identical
on both ends.

psk.txt is ... secret. ;)

I didn't need to futz with the gif interfaces; it appears that the
IPsec machinery has been improved so that's not needed.

Setting up the NAT stuff so this all worked together was somewhat
harder; I had to be careful about the divert rules so that the IPsec
ESP traffic didn't get fed to natd.  Unfortunately, you also have
to open the FreeBSD machine up to spoofed packets from the internet
that appear to be from the remote tunneled network.  That is because
when a packet completes IPsec decrypting, it is reinjected at the
same interface it originally came in on.

I solved that spoofing problem by having control of the filters on
my external router -- so my ingress filters are as close to the edge
of my net as possible.

Hope this helps a little.  It's late, so I'm not thinking terribly
clearly...

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...
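As an added example (not part of Steve's message, and not FreeBSD project code), here is a small POSIX shell script that generates the ipfw ruleset his message describes: IKE and ESP between the two gateways are accepted before the natd divert rule so natd never sees them, traffic between the two private networks is kept away from natd, and the decrypted tunnel traffic that is reinjected on the external interface is accepted, which is exactly the spoofing exposure he mentions. The inside networks are the ones from the message; the interface names (fxp0, xl0), the public addresses 203.0.113.10 and 198.51.100.20 standing in for {my_public_ip} and {remote_public_ip}, the rule numbers, and the assumption that ipfw sees an outbound packet before IPsec tunnel encapsulation are all assumptions to verify against your own kernel.

```shell
#!/bin/sh
# ipfw/natd rule generator for an IPsec gateway that also NATs.
# Example code only; addresses for the two LANs come from the message,
# everything else (interfaces, public IPs, rule numbers) is assumed.

ext_if="fxp0"                 # assumed external interface
int_if="xl0"                  # assumed inside interface
my_pub="203.0.113.10"         # assumed stand-in for {my_public_ip}
remote_pub="198.51.100.20"    # assumed stand-in for {remote_public_ip}
my_net="199.33.193.128/26"    # inside network from the message
remote_net="192.168.1.0/24"   # remote inside network from the message

# Print the ruleset, one ipfw command per line, in evaluation order.
gen_rules() {
    echo "add 50 allow ip from any to any via lo0"
    echo "add 60 allow ip from any to any via $int_if"
    # IKE (udp/500) and ESP (proto 50) between the gateways are handled by
    # racoon and the kernel; accept them before the divert rule so that
    # natd never rewrites them.
    echo "add 100 allow udp from $remote_pub 500 to $my_pub 500 in via $ext_if"
    echo "add 101 allow udp from $my_pub 500 to $remote_pub 500 out via $ext_if"
    echo "add 110 allow esp from $remote_pub to $my_pub in via $ext_if"
    echo "add 111 allow esp from $my_pub to $remote_pub out via $ext_if"
    # Decrypted tunnel packets are reinjected on the external interface with
    # the remote private source address, so they have to be accepted here.
    # This is the spoofing hole described in the message: any host on the
    # internet can send a packet with a 192.168.1.0/24 source to fxp0.
    echo "add 120 allow ip from $remote_net to $my_net in via $ext_if"
    # Outbound packets for the remote LAN must keep their inside source
    # address (assumed: ipfw runs before IPsec encapsulation), otherwise the
    # SPD entry in ipsec.conf never matches and the packet leaves unencrypted.
    echo "add 121 allow ip from $my_net to $remote_net out via $ext_if"
    # Everything else crossing the external interface goes through natd.
    echo "add 200 divert natd ip from any to any via $ext_if"
    # Site-specific filtering of translated traffic goes here; a minimal
    # version that lets inside hosts initiate and accepts TCP replies.
    echo "add 300 allow ip from $my_pub to any out via $ext_if"
    echo "add 310 allow tcp from any to $my_net in via $ext_if established"
    echo "add 320 allow icmp from any to any icmptypes 0,3,11"
    echo "add 65000 deny log ip from any to any"
}

# Succeed if the first rule matching pattern $1 is listed before the first
# rule matching pattern $2. Used to check that ESP never reaches natd.
rule_precedes() {
    first=$(gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    second=$(gen_rules | grep -n -- "$2" | head -n 1 | cut -d: -f1)
    [ -n "$first" ] && [ -n "$second" ] && [ "$first" -lt "$second" ]
}

# Load the ruleset; ipfw(8) reads one command per line from a file.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    ipfw -q flush
    ipfw -q "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh rules.sh apply` on the gateway; without an argument it only defines the functions so the ruleset can be inspected with `gen_rules` first. Note that ipfw alone cannot tell a reinjected, decrypted packet from a spoofed one with the same private source on the same interface, which is why the message falls back on ingress filters at the upstream router.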
