Date:      Mon, 11 Jun 2001 00:46:54 -0700
From:      steve@Watt.COM (Steve Watt)
Subject:   Re: IPSec with ipfw and ipnat (oh my)
Message-ID:  <200106110746.f5B7kte03877@wattres.Watt.COM>
In-Reply-To: <000001c0ec6d$c1fa4a50$0200010a@lucky>

In article <000001c0ec6d$c1fa4a50$0200010a@lucky> wrote:
>What is the latest information on getting a scenario like this working:
>Two FreeBSD firewall/gateway machines, each with one routable internet ip
>and a lan with reserved ip space behind them. I am attempting to establish
>an encrypted IPSec-based VPN between the lans that are in reserved IP space,
>as well as run ipnat for the lans to access the normal internet and run ipfw
>rules to block bad traffic. I have seen discussion that this does not work
>under FreeBSD and that the OpenBSD guys have a good solution with the enc
>interface for IPSec-related traffic. I am having no success in getting a
>setup like this to work under FreeBSD. Does anyone know what I have to do to
>get this working?

I've got this working, in almost precisely that setup.

My network has as the inside (currently non-routable)
address.  The network I connect to uses

ipsec.conf has:
 - - - 8< - - -
spdadd any -P out ipsec
spdadd any -P in ipsec
 - - - >8 - - -

racoon.conf is pretty much the sample one -- make sure it's identical
on both ends.

psk.txt is ... secret. ;)

I didn't need to futz with the gif interfaces; it appears that the
IPsec machinery has been improved so that's not needed.

Setting up the NAT stuff so this all worked together was somewhat
harder; I had to be careful about the divert rules so that the IPsec
ESP traffic didn't get fed to natd.  Unfortunately, you also have
to open the FreeBSD machine up to spoofed packets from the internet
that appear to be from the remote tunneled network.  That is because
when a packet completes IPsec decrypting, it is reinjected at the
same interface it originally came in on.

I solved that spoofing problem by having control of the filters on
my external router -- so my ingress filters are as close to the edge
of my net as possible.

Hope this helps a little.  It's late, so I'm not thinking terribly

Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...
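The ruleset Steve describes, written out as an added example (not code from the post, the list, or FreeBSD itself): a sh script that prints an ipfw rule file for a FreeBSD gateway running a tunnel-mode IPsec VPN plus natd, and the matching setkey(8) SPD entries. Every concrete value is an assumption: fxp0/xl0 as the external/internal interfaces, the RFC 5737 documentation addresses 203.0.113.10 and 198.51.100.20 standing in for the two routable IPs, 192.168.1.0/24 and 192.168.2.0/24 for the two LANs, and natd on its default divert port 8668. The point of the numbering is the one the post makes: IKE, ESP and the LAN-to-LAN packets are accepted before the divert rule so natd never sees them, and the inbound LAN-to-LAN accept is the spoofing window that only upstream ingress filtering can close.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD: builds the ipfw
# ruleset and the setkey SPD entries for a FreeBSD gateway that tunnels one
# RFC 1918 LAN to another over ESP while natd handles the LAN's other
# Internet traffic.  Every address and interface name below is an assumption.
EXT_IF=${EXT_IF:-fxp0}                    # external interface (assumed)
INT_IF=${INT_IF:-xl0}                     # LAN-side interface (assumed)
LOCAL_IP=${LOCAL_IP:-203.0.113.10}        # our routable address (RFC 5737 range)
PEER_IP=${PEER_IP:-198.51.100.20}         # remote gateway (RFC 5737 range)
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}    # LAN behind us
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}  # LAN behind the peer
NATD_PORT=${NATD_PORT:-8668}              # natd's default divert port

# Print the rules in the one-"add"-per-line form that `ipfw <file>` (or
# firewall_type="<file>" in rc.conf) loads.  Rule numbers fix match order.
gen_ipfw_rules() {
    # Nothing on the LAN side is filtered by this example.
    echo "add 10 allow ip from any to any via $INT_IF"
    # IKE and ESP between the gateways must be accepted before the divert
    # rule: if natd rewrote the outer header, the SA would break on both ends.
    echo "add 100 allow udp from $LOCAL_IP 500 to $PEER_IP 500 via $EXT_IF"
    echo "add 110 allow udp from $PEER_IP 500 to $LOCAL_IP 500 via $EXT_IF"
    echo "add 120 allow esp from $LOCAL_IP to $PEER_IP via $EXT_IF"
    echo "add 130 allow esp from $PEER_IP to $LOCAL_IP via $EXT_IF"
    # LAN-to-LAN traffic stays un-NATed.  Rule 210 is the spoofing window
    # the post describes: a decrypted packet is re-injected on the external
    # interface with a $REMOTE_NET source, and ipfw cannot tell it from a
    # forged packet arriving from the Internet with the same source, so the
    # upstream router must drop $REMOTE_NET sources at the edge.
    echo "add 200 allow ip from $LOCAL_NET to $REMOTE_NET via $EXT_IF"
    echo "add 210 allow ip from $REMOTE_NET to $LOCAL_NET via $EXT_IF"
    # Everything else crossing the external interface goes through natd.
    echo "add 300 divert $NATD_PORT ip from any to any via $EXT_IF"
    # Post-NAT policy: loopback, inside-initiated traffic out, replies back.
    echo "add 400 allow ip from any to any via lo0"
    echo "add 410 allow ip from any to any out via $EXT_IF"
    echo "add 420 allow tcp from any to any established"
    echo "add 430 allow udp from any 53 to any in via $EXT_IF"
    echo "add 440 allow icmp from any to any icmptypes 0,3,11"
    echo "add 500 deny log ip from any to any"
}

# SPD entries for setkey(8)/ipsec.conf: tunnel-mode ESP between the two
# gateways is required in both directions for LAN-to-LAN traffic; racoon
# negotiates the SAs themselves.
gen_ipsec_conf() {
    echo "spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_IP-$PEER_IP/require;"
    echo "spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$PEER_IP-$LOCAL_IP/require;"
}

# Number of the first rule whose text contains PATTERN (empty if none).
rule_num() {
    gen_ipfw_rules | grep -F -- "$1" | head -n 1 | cut -d' ' -f2
}

# Sanity check: every rule that must pre-empt natd has a lower number than
# the divert rule.  Returns 0 when the order is right, 1 otherwise.
check_order() {
    nat=$(rule_num " divert ")
    [ -n "$nat" ] || return 1
    for pat in "allow udp from $LOCAL_IP 500" "allow udp from $PEER_IP 500" \
               "allow esp from $LOCAL_IP" "allow esp from $PEER_IP" \
               "allow ip from $LOCAL_NET to $REMOTE_NET" \
               "allow ip from $REMOTE_NET to $LOCAL_NET"; do
        n=$(rule_num "$pat")
        [ -n "$n" ] && [ "$n" -lt "$nat" ] || return 1
    done
    return 0
}

# Usage: sh ipsec_nat_fw.sh > /etc/ipfw.rules
#        sh ipsec_nat_fw.sh spd > /etc/ipsec.conf
case "${1:-rules}" in
    rules) gen_ipfw_rules ;;
    spd)   gen_ipsec_conf ;;
esac
```

Load the printed file with `ipfw /etc/ipfw.rules` (or point `firewall_type` at it) and the SPD with `setkey -f /etc/ipsec.conf`; `check_order` is there so that, after any renumbering, you can confirm the pre-NAT rules still sit in front of the divert. Rule 200 is written for both possibilities of when ipfw sees the un-encapsulated outbound packet; if the kernel only shows ipfw the ESP packet on the way out, rule 120 covers it and rule 200 simply never matches.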

