Date:      Thu, 17 Oct 2002 17:29:05 -0700
From:      Charles Henrich <henrich@sigbus.com>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSEC/NAT issues
Message-ID:  <20021017172905.A91625@sigbus.com>
In-Reply-To: <3DAF509C.6030002@isi.edu>; from larse@ISI.EDU on Thu, Oct 17, 2002 at 05:06:52PM -0700
References:  <20021017162243.B89519@sigbus.com> <3DAF509C.6030002@isi.edu>

> > I have a network/firewall where I want to nat an entire network.  However,
> > I also want nat traffic to one remote host in particular out on the
> > internet to be IPsec'd as well.
> > 
> > [A] (10.x) [B] (Nat) [C] (Real IP)
> 
> There was a thread on -hackers named "VPN Routing through gif (4) tunnel" a
> few weeks ago that dealt with a very similar issue.

I've looked through those, and it doesn't quite seem to apply?  What I'm doing
is transport mode ESP between my NAT gateway and the remote host.  This works
properly.  In my firewall rules I have

allow esp packets to and from remote host
divert to nat

Now from host A, if I try a connection to IP C, then on the gateway I see
racoon fire up and establish a working IPsec path between B and C.  Further, it
looks like it properly encapsulates the packets and forwards them on to host
C, which appears to properly respond to them.  On host B, they are unencrypted
and for some reason they do not make a path into natd for un-NATting.

The nat daemon does not log any rejections of the packet, however in my kernel
log, I see a 

Oct 17 17:23:51 dmz /kernel: Connection attempt to TCP B:3283 from C:22

Is the esp mucking with the in/out interface perhaps?

If I'm logged into host B, I can connect to host C successfully using the
transport-mode connection, no problem.  It's just this last little bit of natd
not processing the packets.  I'm thinking I'm doing something silly, but I can't
see what.

-Crh

       Charles Henrich                                   henrich@msu.edu

                        http://www.sigbus.com/~henrich
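The data path described in the message above, as an added example that is not code from the thread or from FreeBSD: a toy model of gateway B's ruleset ("allow esp" between B and C, then "divert natd") with transport-mode ESP to C. It does not reproduce the real kernel path; it only contrasts two possibilities for what B does with C's decrypted reply (run it through ipfw/natd a second time, or deliver it locally as-is) and shows that the second one yields exactly the kind of "Connection attempt to TCP B:3283 from C:22" log line quoted in the message. The addresses, ports, listening services and rule numbers are constructed.

```python
"""Toy model of ipfw 'allow esp' + 'divert natd' on gateway B with
transport-mode ESP between B and C.  Added example; hosts, ports,
rule numbers and the set of listening services are constructed."""

from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

A, B, C = "10.0.0.5", "192.0.2.1", "198.51.100.7"   # constructed hosts
LISTENING_ON_B = {22}                                # constructed: only sshd on B


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    inner: Optional["Packet"] = None    # payload carried inside an ESP packet


class Natd:
    """Minimal port-translating NAT: rewrites the source to the alias address."""

    def __init__(self, alias: str, first_port: int = 3283):
        self.alias = alias
        self.next_port = first_port
        self.out_table: Dict[Tuple, int] = {}
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(self.alias, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.alias, sport=self.out_table[key])

    def inbound(self, p: Packet) -> Packet:
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.in_table:
            return p                    # no state for this flow: left untouched
        src, sport = self.in_table[key]
        return replace(p, dst=src, dport=sport)


Rule = Tuple[int, str, Callable[[Packet], bool]]


def ruleset() -> List[Rule]:
    """The two rules from the message, plus ipfw's implicit final deny."""
    return [
        (100, "allow", lambda p: p.proto == "esp" and {p.src, p.dst} == {B, C}),
        (200, "divert", lambda p: p.proto == "tcp"),
        (65535, "deny", lambda p: True),
    ]


def ipfw(p: Packet, direction: str, natd: Natd) -> Optional[Packet]:
    """First matching rule wins; 'divert' hands the packet to natd."""
    for _num, action, match in ruleset():
        if not match(p):
            continue
        if action == "allow":
            return p
        if action == "divert":
            return natd.outbound(p) if direction == "out" else natd.inbound(p)
        return None                     # deny


def deliver_on_b(p: Packet) -> str:
    """Local delivery on B; the log line mirrors the format quoted in the message."""
    if p.dst != B:
        return f"forwarded to {p.dst}:{p.dport}"
    if p.dport in LISTENING_ON_B:
        return f"accepted locally on port {p.dport}"
    return f"Connection attempt to TCP {p.dst}:{p.dport} from {p.src}:{p.sport}"


def simulate(reinject_decrypted: bool) -> str:
    """A opens a TCP connection to C:22 through B; returns what B does with C's reply."""
    natd = Natd(alias=B)
    syn = Packet("tcp", A, C, sport=4000, dport=22)
    out = ipfw(syn, "out", natd)                  # rule 200: natd rewrites to B:3283
    esp_out = Packet("esp", B, C, inner=out)      # B's IPsec policy wraps it in ESP
    ipfw(esp_out, "out", natd)                    # rule 100 allows the ESP packet
    reply = Packet("tcp", C, B, sport=out.dport, dport=out.sport)
    esp_in = Packet("esp", C, B, inner=reply)     # C's transport-mode reply
    if ipfw(esp_in, "in", natd) is None:
        return "ESP reply dropped by ipfw"
    clear = esp_in.inner                          # B decrypts the ESP payload
    if reinject_decrypted:
        clear = ipfw(clear, "in", natd)           # second pass: rule 200 un-NATs it
        if clear is None:
            return "decrypted reply dropped by ipfw"
    return deliver_on_b(clear)


if __name__ == "__main__":
    print("decrypted reply re-run through ipfw:", simulate(True))
    print("decrypted reply delivered locally:  ", simulate(False))
```

Whether the real kernel re-runs a decapsulated packet through the divert rule is exactly the open question in the message; the model only makes the two outcomes explicit so the log line can be matched against one of them.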
