The FreeBSD Diary
Providing practical examples since 1998

FreeBSD Support
 NAT network to IPSec secured hosts, over the Internet
Author: rorya 
Date:   13-09-05 09:09

Ok, I have a FreeBSD 5.4-STABLE router. It is a NAT router for my LAN nodes. I have a few hosts that use static NATs as well (mapping internal addresses to external ones). Anyhow, I have been trying to set up a few IPSec ipencap tunnels from that host to other FreeBSD servers across the 'net. The idea is to set up these tunnels from the router, and the NATted hosts on the inside would communicate with these FreeBSD servers across the secured paths.

Anyhow, I'm able to access the other end of the IPSec link from the router itself. However, none of the internal hosts are able to reach these hosts. As soon as I drop the SADs for those hosts at the router, they're able to, so there is apparently some kind of conflict between the NAT process and IPSec. I've tried both with tunnel- and transport-style SPDs.

Also, worth noting, I have one link that is actually an ipencap + tunnel IPSec SPD to another LAN across the 'net, and interestingly enough, the internal hosts have no problem communicating with that. Though, I suspect that this is simply because this is bypassing the NAT router, since the packets are simply forwarded to that gif (ipencap) tunnel.

So, the question is, using ipfw(4) and natd(8), is it possible to do transport-style IPSec to hosts across the 'net? Keep in mind, I don't mean using IPSec for the LAN hosts; it would just be from the router, over the Internet. In theory I don't see why this would not work, assuming natd(8) rewrites the source address of these outgoing packets before KAME receives them and encrypts them. Using tcpdump(1) I can see the packets leave on the WAN interface, but no replies. If anyone has had any success with this, preferably with ipfw(4), but even if it's pf(4) or ipf(4), I'd like to know how you managed to get it working.

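The router-side setup the post describes, written out as an added example. It is not the poster's own configuration and it does not settle the question the post asks; every interface name, address, SPI and key in it is made up for the illustration, and manually keyed ESP SAs stand in for whatever populated the poster's SAD. The transport-mode policy is keyed on the router's WAN address, which is what makes the natd ordering matter: a LAN packet can only match that policy after its source has been rewritten to the WAN address.

```shell
#!/bin/sh
# Added example (not the poster's configuration): the router-side setup the
# post describes, as commands for a FreeBSD 5.x router.
#   - natd(8) plus an ipfw(4) divert rule on the WAN interface, with one
#     static (1:1) mapping as the post mentions
#   - manually keyed ESP SAs and a transport-mode SPD between the router's
#     WAN address and one remote FreeBSD host
# Every address, interface name, SPI and key below is constructed for the
# example. The kernel needs IPDIVERT and IPsec support compiled in.

WAN_IF="em0"                 # router's Internet-facing interface
WAN_IP="203.0.113.1"         # router's public address; natd rewrites LAN sources to it
LAN_NET="192.168.1.0/24"     # private LAN behind the router
STATIC_INT="192.168.1.10"    # LAN host with a static NAT mapping
STATIC_EXT="203.0.113.10"    # public address mapped 1:1 to that host
REMOTE_IP="198.51.100.1"     # remote FreeBSD host at the far end of the SA
SPI_OUT="0x1000"             # SPI for router -> remote
SPI_IN="0x1001"              # SPI for remote -> router
# Placeholder manual keys, one pair per direction (constructed; never reuse):
# rijndael-cbc takes a 16-byte key, hmac-sha1 a 20-byte key.
ENC_OUT="0x00112233445566778899aabbccddeeff"
AUTH_OUT="0x0123456789abcdef0123456789abcdef01234567"
ENC_IN="0xffeeddccbbaa99887766554433221100"
AUTH_IN="0x76543210fedcba9876543210fedcba9876543210"

# setkey(8) input. The transport-mode policy is keyed on the router's own WAN
# address, so a LAN packet matches the "out" policy only after natd has
# rewritten its source to WAN_IP; a packet still carrying a 192.168.1.x
# source would not match it at all.
spd_config() {
    cat <<EOF
flush;
spdflush;
add $WAN_IP $REMOTE_IP esp $SPI_OUT -E rijndael-cbc $ENC_OUT -A hmac-sha1 $AUTH_OUT;
add $REMOTE_IP $WAN_IP esp $SPI_IN -E rijndael-cbc $ENC_IN -A hmac-sha1 $AUTH_IN;
spdadd $WAN_IP $REMOTE_IP any -P out ipsec esp/transport//require;
spdadd $REMOTE_IP $WAN_IP any -P in ipsec esp/transport//require;
EOF
}

# ipfw rules in the form ipfw(8) reads from a file. ESP to and from the remote
# host is passed explicitly ahead of the divert rule: natd only translates
# TCP, UDP and ICMP and has nothing to do with protocol 50. Everything else
# crossing the WAN interface goes through natd. The final rule is a
# placeholder for the site's real filtering policy.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 200 allow esp from $REMOTE_IP to $WAN_IP in via $WAN_IF
add 210 allow esp from $WAN_IP to $REMOTE_IP out via $WAN_IF
add 300 divert natd ip from any to any via $WAN_IF
add 65000 allow ip from any to any
EOF
}

# Apply everything. Only meaningful as root on FreeBSD; elsewhere, or as a
# non-root user, it prints what it would apply so the script can be reviewed
# on any machine. Flushing the ruleset will drop an existing remote session
# through the WAN interface, so run it from the console.
apply_router_config() {
    if [ "$(uname -s)" != "FreeBSD" ] || [ "$(id -u)" -ne 0 ]; then
        echo "# apply_router_config: not root on FreeBSD, printing only" >&2
        spd_config
        ipfw_rules
        return 0
    fi
    sysctl net.inet.ip.forwarding=1
    spd_config | setkey -c
    natd -n "$WAN_IF" -redirect_address "$STATIC_INT" "$STATIC_EXT"
    ipfw -q -f flush
    ipfw_rules | while read -r line; do
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}

# What to look at while a LAN host tries the remote end: what the kernel
# holds in the SAD and SPD, which ipfw rules are actually being hit, and
# whether ESP leaves and comes back on the WAN side.
show_state() {
    setkey -D          # security associations
    setkey -DP         # policies
    ipfw -a list       # rules with packet counters (is the divert rule hit?)
}
watch_wan() {
    tcpdump -ni "$WAN_IF" "esp or host $REMOTE_IP"
}
```

Run `show_state` and `watch_wan` on the router while a LAN host tries the remote end: the `ipfw -a list` counters say whether the divert rule and the ESP rules are being hit, and the capture shows whether ESP is leaving and whether any ESP comes back, which narrows the problem the post reports down to a point in the path rather than "no replies".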