From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 13 13:16:05 2003
Date: Thu, 13 Nov 2003 13:16:20 -0800
From: "Crist J. Clark" <cristjc@comcast.net>
To: Vincent Goupil
cc: "'freebsd-isp@freebsd.org'"
cc: "'freebsd-ipfw@freebsd.org'"
cc: "'freebsd-net@freebsd.org'"
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID: <20031113211620.GB25920@blossom.cjclark.org>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
List-Id: IPFW Technical Discussions

On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
> I set up a firewall with ipfw2 and natd on FreeBSD 4.9 release.
>
> I have mapped my subnet with alias_address.
> I have mapped 4 private IP addresses with 4 public IP addresses.
>
> Everything is working fine (web, email, ftp, etc.) for outgoing and
> incoming connections for anyone on my network.
>
> With this configuration, 5 people at a time (on my network) could dial to
> the same VPN server.
> 4 with different IPs and the one with the alias_address. I supposed that
> only one person at a time can use the alias_address with the IPSec VPN (I
> think, tell me if I'm wrong)

[snip]

Nope, that's right. You can have only one machine behind natd(8) using
ESP at a time (you could actually have one AH and one ESP at the same
time, but since NAT breaks AH, what's the point?).

The reason within natd(8) is that except for a few protocols (TCP, UDP,
ICMP, etc.), all that it enters into its translation table is,

  IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr

The obvious problem is that you can only have one mapping like this. If
you had more than one, when you receive a packet of IPproto from
IPdst_addr, to which internal machine do you send it?

Now, that's why natd(8) has problems. Why not add a feature to natd(8)
to get around it? Because there is no way to get around the problem.
ESP packets have this nice SPI field that one could potentially use to
map the traffic between multiple machines behind NAT to a single VPN
end point on the other side, but there is no practical way for the NAT
box to learn the SPI of incoming packets.
--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
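The following is an added example illustrating the translation-table behaviour Crist describes; it is not code from the original message and not natd(8)'s own implementation. It models a NAT table in simplified form: port-aware protocols (TCP, UDP) get a per-port link, while everything else (ESP here) is keyed only on (protocol, public address, remote address), so one public address can carry at most one such session to a given peer. The `redirect_address` hosts have their own public IPs and therefore their own keys, which is why four static mappings plus one `alias_address` client gives the five concurrent VPN users from the question. All addresses and host names are constructed for the illustration.

```python
# Added example (not natd code): a simplified model of the two kinds of links
# a NAT keeps, to show why only one ESP client per public address works.

TCP, UDP, ESP = 6, 17, 50          # IP protocol numbers
PORT_AWARE = {TCP, UDP}            # protocols the NAT can multiplex on ports


class MappingConflict(Exception):
    """A (proto, public, remote) slot is already owned by another internal host."""


class NatTable:
    def __init__(self, alias_address, redirects=None):
        self.alias = alias_address
        # redirect_address-style static entries: private -> dedicated public IP
        self.redirects = dict(redirects or {})
        # port-aware links: (proto, public, pub_port, remote, rport) -> (private, sport)
        self.port_links = {}
        # protocol-only links: (proto, public, remote) -> private
        self.proto_links = {}
        self._next_port = 40000    # constructed port allocator for the model

    def public_for(self, private):
        """Public address used for a private host (dedicated if redirected, else alias)."""
        return self.redirects.get(private, self.alias)

    def outbound(self, proto, src, dst, sport=None, dport=None):
        """Translate an outgoing packet and record the link it creates."""
        public = self.public_for(src)
        if proto in PORT_AWARE:
            # Each connection gets its own public port, so many hosts can share one IP.
            port = self._next_port
            self._next_port += 1
            self.port_links[(proto, public, port, dst, dport)] = (src, sport)
            return (proto, public, port, dst, dport)
        # No port to distinguish sessions: the whole key is (proto, public, remote).
        key = (proto, public, dst)
        owner = self.proto_links.get(key)
        if owner is not None and owner != src:
            raise MappingConflict(
                f"proto {proto} {public}->{dst} already mapped to {owner}")
        self.proto_links[key] = src
        return (proto, public, dst)

    def inbound(self, proto, src, dst, sport=None, dport=None):
        """Find the internal host for a packet arriving from src at public address dst."""
        if proto in PORT_AWARE:
            return self.port_links.get((proto, dst, dport, src, sport))
        return self.proto_links.get((proto, dst, src))


def concurrent_esp_clients(nat, hosts, vpn_server):
    """Return the hosts that can hold an ESP mapping to vpn_server at the same time."""
    admitted = []
    for host in hosts:
        try:
            nat.outbound(ESP, host, vpn_server)
            admitted.append(host)
        except MappingConflict:
            pass
    return admitted


if __name__ == "__main__":
    # Constructed scenario: four redirect_address hosts plus the shared alias.
    nat = NatTable("203.0.113.1", {f"10.0.0.{i}": f"203.0.113.{i}" for i in range(2, 6)})
    hosts = [f"10.0.0.{i}" for i in range(2, 6)] + ["10.0.0.10", "10.0.0.11"]
    print(concurrent_esp_clients(nat, hosts, "198.51.100.7"))   # five admitted
```

Running the demo admits the four redirected hosts and the first alias-address client; the sixth host collides on the (ESP, alias, VPN server) key, which is exactly the ambiguity Crist raises for an inbound ESP packet. Keying on the SPI instead would not rescue the alias case, because the SPI the VPN server will use for inbound packets is agreed inside the (encrypted) IKE exchange, so the NAT never observes it before the first inbound packet arrives.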