Date:      Mon, 16 Jan 2006 12:45:35 +0000
From:      Brian Candler <B.Candler@pobox.com>
To:        Przemyslaw Szczygielski <qus2@o2.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: NAT over IPSECed WLAN
Message-ID:  <20060116124535.GA28026@uk.tiscali.com>
In-Reply-To: <20060116101332.8258821401E@rekin14.go2.pl>
References:  <20060116101332.8258821401E@rekin14.go2.pl>

On Mon, Jan 16, 2006 at 11:13:32AM +0100, Przemyslaw Szczygielski wrote:
> Well, for me the config is so complex, that I doubt anyone will
> waste time on going into my config files, but, well... There's
> always hope...

A diagram helps lots. Tell me if this is correct:

    \|/  - - - - - - - \|/
     |                  |
  10.2.0.2          10.2.0.1 ndis0
   WinXP            FreeBSD 6.0
  client             x.x.x.x fxp0
                        |
                        +---------------> Internet

     <==================>
      IPSEC tunnel mode?

> I have a working setup that has working NAT ("Client" sees Internet
> through NAT on "Gateway", configured as default gateway on
> Windows), when IPSEC is turned off.
> 
> I also have working IPSEC between these two machines (they can ping
> each other) but then NAT stops working (but "Gateway" still connects
> to the Internet, so i.e. I can putty from "Client" to "Gateway", it
> goes through IPSECed WLAN, and from putty use Lynx to browse. But
> can't browse internet on "Client".
> 
> So to make it short: IPSEC working = no NAT. IPSEC off = NAT working.

It's possible that IPSEC isn't configured properly, since you have IPSEC
only ever working between the two endpoints.

How have you configured IPSEC:
(a) on the Windows XP box? and
(b) on the FreeBSD box?

I think you should be running IPSEC tunnel mode, so I'm guessing at the
Windows XP side you have something like:

    ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
    ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"

And at the FreeBSD side you have in /etc/ipsec.conf

    spdflush;
    spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
    spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;

Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
browse a website from the XP box, could be very enlightening.

Regards,

Brian.
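To see which flows the two spdadd lines above actually cover, here is a small selector-matching model of a setkey(8) SPD, written as an added example for this page; it is not code from the message, from FreeBSD or from the setkey tool. It parses the quoted policies, then walks the four legs of a client web request through the gateway. The addresses 198.51.100.1 (standing in for the gateway's x.x.x.x on fxp0) and 203.0.113.10 (a web server) are constructed, and the walk-through assumes the SPD is consulted with the addresses the packet carries after NAT has rewritten them, which is an assumption about ordering, not something the message establishes.

```python
"""Match traffic flows against setkey(8)-style SPD entries (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Policies as quoted in the message; the tunnel endpoints are the two
# hosts' WLAN addresses (10.2.0.2 = WinXP client, 10.2.0.1 = FreeBSD ndis0).
IPSEC_CONF = """
spdflush;
spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
"""

# One spdadd line: src dst upperspec -P dir ipsec proto/mode/tsrc-tdst/level;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<tsrc>[0-9.]+)-(?P<tdst>[0-9.]+)/(?P<level>\w+);?$"
)


@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    upper: str          # upper-layer selector ("any" in the quoted config)
    direction: str      # "in" or "out"
    proto: str          # esp or ah
    mode: str           # tunnel or transport
    tunnel_src: IPv4Address
    tunnel_dst: IPv4Address
    level: str          # require / use / default

    def matches(self, src: IPv4Address, dst: IPv4Address, direction: str) -> bool:
        return self.direction == direction and src in self.src and dst in self.dst


def parse_spd(text: str) -> List[Policy]:
    """Parse spdadd lines; spdflush and blank lines are skipped."""
    policies: List[Policy] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("spdflush"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised setkey line: {line!r}")
        policies.append(Policy(
            src=ip_network(m["src"], strict=False),
            dst=ip_network(m["dst"], strict=False),
            upper=m["upper"], direction=m["dir"], proto=m["proto"], mode=m["mode"],
            tunnel_src=ip_address(m["tsrc"]), tunnel_dst=ip_address(m["tdst"]),
            level=m["level"],
        ))
    return policies


def lookup(policies: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """First SPD entry whose selectors cover the flow, or None (sent/accepted in cleartext)."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.matches(s, d, direction):
            return p
    return None


def describe(policies: List[Policy], src: str, dst: str, direction: str) -> str:
    p = lookup(policies, src, dst, direction)
    if p is None:
        return "cleartext"
    return f"{p.proto}/{p.mode} {p.tunnel_src}->{p.tunnel_dst} ({p.level})"


def trace_client_web_request(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Four legs of client -> web server -> client through the NAT gateway.

    Constructed addresses: 198.51.100.1 stands in for x.x.x.x on fxp0,
    203.0.113.10 is the web server. Addresses are those after NAT rewriting
    (an assumption about where the SPD is consulted, not a FreeBSD fact).
    """
    legs = [
        ("ndis0 in  10.2.0.2 -> 203.0.113.10",     ("10.2.0.2", "203.0.113.10", "in")),
        ("fxp0  out 198.51.100.1 -> 203.0.113.10", ("198.51.100.1", "203.0.113.10", "out")),
        ("fxp0  in  203.0.113.10 -> 198.51.100.1", ("203.0.113.10", "198.51.100.1", "in")),
        ("ndis0 out 203.0.113.10 -> 10.2.0.2",     ("203.0.113.10", "10.2.0.2", "out")),
    ]
    return [(label, describe(policies, *flow)) for label, flow in legs]


if __name__ == "__main__":
    spd = parse_spd(IPSEC_CONF)
    for label, verdict in trace_client_web_request(spd):
        print(f"{label:45s} {verdict}")
```

The trace shows that both WLAN legs fall under a `require` policy (the client's request must arrive inside ESP from 10.2.0.2, and the NAT-translated reply back to 10.2.0.2 must leave ndis0 inside ESP), while both fxp0 legs match nothing and travel in cleartext. That is the pattern a tcpdump on ndis0 and fxp0 should confirm: ESP only on the WLAN side, plain TCP on the Internet side. If either WLAN leg is seen in cleartext, or the reply leg is missing altogether, the SPD on one side does not cover the flow the way the two spdadd lines intend.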

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060116124535.GA28026>