From owner-freebsd-net Thu Oct 17 17:29:10 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C3BBD37B401 for ; Thu, 17 Oct 2002 17:29:08 -0700 (PDT)
Received: from sigbus.com (c-24-126-10-97.we.client2.attbi.com [24.126.10.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECB6943EA9 for ; Thu, 17 Oct 2002 17:29:07 -0700 (PDT) (envelope-from henrich@sigbus.com)
Received: (from henrich@localhost) by sigbus.com (8.11.1/8.11.1) id g9I0T5j92007; Thu, 17 Oct 2002 17:29:05 -0700 (PDT) (envelope-from henrich)
Date: Thu, 17 Oct 2002 17:29:05 -0700
From: Charles Henrich
To: Lars Eggert
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <20021017172905.A91625@sigbus.com>
Mail-Followup-To: Lars Eggert , freebsd-net@freebsd.org
References: <20021017162243.B89519@sigbus.com> <3DAF509C.6030002@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3DAF509C.6030002@isi.edu>; from larse@ISI.EDU on Thu, Oct 17, 2002 at 05:06:52PM -0700
X-Operating-System: FreeBSD 4.2-RELEASE
X-PGP-Fingerprint: 1024/F7 FD C7 3A F5 6A 23 BF 76 C4 B8 C9 6E 41 A4 4F
X-GPG-Fingerprint: EA4C AB9B 0C38 17C0 AB3F 11DE 41F6 5883 41E7 4F49
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> > I have a network/firewall where I want to nat an entire network. However,
> > I also want nat traffic to one remote host in particular out on the
> > internet to be IPsec'd as well.
> >
> > [A] (10.x) [B] (Nat) [C] (Real IP)
>
> There was a thread on -hackers named "VPN Routing through gif (4) tunnel" a
> few weeks ago that dealt with a very similar issue.

I've looked through those, and it doesn't quite seem to apply? What I'm doing
is transport mode ESP between my NAT gateway and the remote host. This works
properly. In my firewall rules I have:

    allow esp packets to and from remote host
    divert to nat

Now from host A, if I try a connection to IP C, then on the gateway I see
racoon fire up and establish a working IPSEC path between B & C. Further, it
looks like it properly encapsulates the packets and forwards them on to host C,
which appears to properly respond to them. On host B, they are unencrypted and
for some reason they do not make a path into natd for un-natting. The NAT
daemon does not log any rejections of the packet; however, in my kernel log, I
see:

    Oct 17 17:23:51 dmz /kernel: Connection attempt to TCP B:3283 from C:22

Is the ESP mucking with the in/out interface perhaps? If I'm logged into host
B, I can connect to host C successfully using the transport mode connection,
no problem. It's just this last little bit of natd not processing the packets.
I'm thinking I'm doing something silly, but I can't see what.

-Crh

Charles Henrich  henrich@msu.edu  http://www.sigbus.com/~henrich

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
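An added example, not from the post above or from FreeBSD itself, of a check for the symptom it describes: it scans kernel "Connection attempt" lines (the net.inet.tcp.log_in_vain message quoted above) and flags replies from an IPsec peer that reached the gateway's own TCP stack on a port natd had allocated, which is what happens when the decapsulated ESP packet never passes the divert rule. The addresses, ports, natd table and the names NatEntry, parse_line and find_nat_bypass are constructed for the example.

```python
import re
from dataclasses import dataclass

# Kernel log_in_vain line in the form quoted in the post; hosts are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

@dataclass(frozen=True)
class NatEntry:
    """One natd translation: gateway port <-> inner 10.x host, toward a peer."""
    gw_port: int
    inner: str
    inner_port: int
    peer: str
    peer_port: int

# Constructed sample: 192.0.2.1 stands in for B (NAT gateway), 198.51.100.7 for C.
GATEWAY = "192.0.2.1"
IPSEC_PEERS = {"198.51.100.7"}
NAT_TABLE = [NatEntry(3283, "10.0.0.5", 49152, "198.51.100.7", 22)]
SAMPLE_LOG = """\
Oct 17 17:23:51 dmz /kernel: Connection attempt to TCP 192.0.2.1:3283 from 198.51.100.7:22
Oct 17 17:24:02 dmz /kernel: Connection attempt to TCP 192.0.2.1:23 from 203.0.113.9:40000
Oct 17 17:24:10 dmz sshd[123]: Accepted publickey for henrich from 203.0.113.9
"""

def parse_line(line):
    """Return the fields of a log_in_vain line as a dict, or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"], rec["sport"] = int(rec["dport"]), int(rec["sport"])
    return rec

def find_nat_bypass(log_text, nat_table, ipsec_peers, gateway):
    """Return (timestamp, NatEntry) pairs for replies from an IPsec peer that hit
    the gateway's own stack on a port natd had handed out: the decapsulated
    packet skipped the divert rule instead of being un-natted to the inner host."""
    by_key = {(e.gw_port, e.peer, e.peer_port): e for e in nat_table}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != gateway or rec["src"] not in ipsec_peers:
            continue
        entry = by_key.get((rec["dport"], rec["src"], rec["sport"]))
        if entry is not None:
            hits.append((rec["ts"], entry))
    return hits
```

A hit means the return packet was both decrypted and dropped on the gateway, so the place to look is the ipfw rule order around the divert rule, not natd's own logs.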