From: Vincent Goupil
To: "'Crist J. Clark'", "'freebsd-ipfw@freebsd.org'", "'freebsd-net@freebsd.org'", "'freebsd-isp@freebsd.org'"
Date: Thu, 13 Nov 2003 16:55:01 -0500
Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)

But if I use this config file for natd:

    unregistered_only
    use_sockets
    log
    log_denied
    redirect_address 192.168.1.50 208.x.y.120
    redirect_address 192.168.1.51 208.x.y.121
    redirect_address 192.168.1.52 208.x.y.122
    redirect_address 192.168.1.53 208.x.y.123
    alias_address 208.x.y.124

With this setup, I should be able to do 5 VPN IPSec connections at the same time, since the ESP packet coming in on 208.x.y.120 is mapped directly to 192.168.1.50, and so on for the others using the redirect_address directive.
I also understand that I can use only one computer at a time for the others using the alias_address (the rest of the network). I'm currently using this setup. I can do IPSec only with 192.168.1.10-25, which is mapped by the alias_address. The computers using the IPs from 208.x.y.120-123 can't use the VPN and I don't know why.

Vincent

-----Original Message-----
From: Crist J. Clark [mailto:cristjc@comcast.net]
Sent: 13 November, 2003 16:16
To: Vincent Goupil
Cc: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org'; 'freebsd-isp@freebsd.org'
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
> I set up a firewall with ipfw2 and natd on FreeBSD 4.9 release.
>
> I have mapped my subnet with alias_address.
> I have mapped 4 private IP addresses with 4 public IP addresses.
>
> Everything is working fine (web, email, ftp, etc.) for outgoing and
> incoming connections for anyone on my network.
>
> With this configuration, 5 persons at a time (on my network) could dial to
> the same VPN server.
> 4 with different IPs and the one with the alias_address. I supposed that
> only one person at a time can use the alias_address with the IPSec VPN (I
> think, tell me if I'm wrong)

[snip]

Nope, that's right. You can have only one machine behind natd(8) using ESP at a time (you could actually have one AH and one ESP at the same time, but since NAT breaks AH, what's the point?).

The reason within natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all that it enters into its translation table is

    IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr

The obvious problem is that you can only have one mapping like this. If you had more than one, when you receive a packet of IPproto from IPdst_addr, to which internal machine do you send it?

Now, that's why natd(8) has problems. Why not add a feature to natd(8) to get around it? Because there is no way to get around the problem.
ESP packets have this nice SPI field that one could potentially use to map the traffic between multiple machines behind NAT to a single VPN end point on the other side, but there is no practical way for the NAT box to learn the SPI of incoming packets.

--
Crist J. Clark                          |     cjclark@alum.mit.edu   |   cjclark@jhu.edu
http://people.freebsd.org/~cjc/         |     cjc@freebsd.org
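A toy model of the translation-table behaviour Crist describes above, added here as an illustration and not natd's own code. It assumes constructed addresses (203.0.113.124 standing in for the alias, 198.51.100.7 for the VPN server) and adds a hypothetical SPI-keyed variant, which natd does not have, to show why a SPI the NAT has only ever seen on the outbound side does not help with the inbound packet.

```python
# Constructed model of natd's generic (non-TCP/UDP/ICMP) translation slot.
from dataclasses import dataclass, field

ESP = 50  # IP protocol number for ESP


@dataclass
class GenericNat:
    """One slot per (proto, peer), as described for natd(8) in the thread."""
    alias: str
    table: dict = field(default_factory=dict)  # (proto, peer) -> internal src

    def outbound(self, proto, src, dst):
        """Return the translated (src, dst), or None when the slot is taken."""
        owner = self.table.get((proto, dst))
        if owner is not None and owner != src:
            return None  # a second ESP host talking to the same peer collides
        self.table[(proto, dst)] = src
        return (self.alias, dst)

    def inbound(self, proto, src, dst):
        """Map a packet for the alias address back to the one internal host."""
        if dst != self.alias:
            return None
        return self.table.get((proto, src))


class SpiKeyedNat(GenericNat):
    """Hypothetical variant keyed on the ESP SPI as well (not a natd feature)."""

    def outbound_esp(self, src, dst, spi):
        self.table[(ESP, dst, spi)] = src  # the NAT learns only the outbound SPI
        return (self.alias, dst, spi)

    def inbound_esp(self, src, dst, spi):
        if dst != self.alias:
            return None
        return self.table.get((ESP, src, spi))


def demo():
    vpn = "198.51.100.7"                # constructed VPN server address
    nat = GenericNat("203.0.113.124")   # constructed stand-in for 208.x.y.124
    first = nat.outbound(ESP, "192.168.1.10", vpn)   # first host gets the slot
    second = nat.outbound(ESP, "192.168.1.11", vpn)  # second host: None
    back = nat.inbound(ESP, vpn, nat.alias)          # reply goes to the first
    spi_nat = SpiKeyedNat("203.0.113.124")
    spi_nat.outbound_esp("192.168.1.10", vpn, 0xAAAA)
    # The peer's reply carries the SPI of the other SA of the pair, which the
    # NAT never saw on the wire, so even a SPI-keyed lookup finds nothing.
    reply = spi_nat.inbound_esp(vpn, spi_nat.alias, 0xBBBB)
    return first, second, back, reply
```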