Date:      Mon, 16 Jan 2006 13:16:09 +0100
From:      VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To:        Przemyslaw Szczygielski <qus2@o2.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: NAT over IPSECed WLAN
Message-ID:  <20060116121609.GA2769@zeninc.net>
In-Reply-To: <20060116101332.8258821401E@rekin14.go2.pl>
References:  <20060116101332.8258821401E@rekin14.go2.pl>

On Mon, Jan 16, 2006 at 11:13:32AM +0100, Przemyslaw Szczygielski wrote:
> Well, for me the config is so complex, that I doubt anyone will
> waste time on going into my config files, but, well... There's
> always hope...

This is not the first time I have seen such configuration requests, and
that's why I suggested that you ask on a public ML, because the answers
will also be available to others.


[....]
> So to make it short: IPSEC working = no NAT. IPSEC off = NAT working.
> 
> I have attached my config files: ipsec.conf, natd.conf, racoon.conf
> and rc.firewall.rules (please don't ask me why do I have ssh on 5901...)

Unfortunately, your configuration attachments were filtered.

But could you send ("inline" in the mail) at least your SPD
configuration?

For what you want, you should have configuration like:

spdadd <xp>/32 0.0.0.0/0 any -P out ipsec esp/tunnel/<xp>-<FreeBSD gate>/require;

("pseudo setkey" syntax, viewed from the XP host; the incoming entry,
which is the reverse, is also required).

The important points are "ESP" "tunnel" and "0/0" as remote traffic
endpoint.

On BSD side, you can have reversed spd entries, or use racoon's
generate-policy feature.

Is that what you have?

Another way of doing things is to use IPSec transport+L2TP, which can
look simpler from the Windows side, but which I think is in fact more
complex (another encapsulation level).


> If you can tell me, what went wrong I'd be very grateful. And I will
> surely write a detailed HOWTO for future generations... ;-)

That would be welcome, perhaps in FreeBSD's docs, and at least on the
ipsec-tools website!


Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
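The FreeBSD-side mirror of the XP policy sketched in the reply above, written out as a setkey policy file (an added example, not the poster's or the replier's configuration; the addresses 192.168.1.10 for the XP host and 192.168.1.1 for the FreeBSD gateway's WLAN interface are constructed):

```conf
# Constructed addresses: XP client on the WLAN = 192.168.1.10,
# FreeBSD gateway WLAN interface = 192.168.1.1.
# Load with "setkey -f <thisfile>", inspect the result with "setkey -DP".

# Start from an empty policy database.
spdflush;

# Inbound: everything the XP host sends, whatever the destination
# (0.0.0.0/0), must arrive in an ESP tunnel from the XP host to the gateway.
spdadd 192.168.1.10/32 0.0.0.0/0 any -P in ipsec
       esp/tunnel/192.168.1.10-192.168.1.1/require;

# Outbound: the reverse entry. Anything going back to the XP host
# (replies after natd has translated them back) is wrapped in ESP
# from the gateway to the XP host.
spdadd 0.0.0.0/0 192.168.1.10/32 any -P out ipsec
       esp/tunnel/192.168.1.1-192.168.1.10/require;
```

With racoon's generate-policy feature these two entries are installed from the negotiated proposal instead of being written here by hand.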


