Date: 13-09-05 09:09
Ok, I have a FreeBSD 5.4-STABLE router. It is a NAT router for my LAN nodes. I have a few hosts that use static NATs as well (mapping internal addresses to external ones). Anyhow, I have been trying to set up a few IPSec ipencap tunnels from that host to other FreeBSD servers across the 'net. The idea is to set up these tunnels from the router, and the NATted hosts on the inside would communicate with these FreeBSD servers across the secured paths.
Anyhow, I'm able to access the other end of the IPSec link from the router itself. However, none of the internal hosts are able to reach these hosts. As soon as I drop the SADs for those hosts at the router, they're able to, so there is apparently some kind of conflict between the NAT process and IPSec. I've tried both with tunnel & transport style SPDs.
Also, worth noting, I have one link that actually is an ipencap + tunnel IPSec SPD to another LAN across the 'net, and interestingly enough, the internal hosts have no problem communicating with that. Though I suspect that this is simply because this is bypassing the NAT router, since the packets are simply forwarded to that gif (ipencap) tunnel.
So, the question is, using ipfw(4) and natd(8), is it possible to use transport style IPSec to hosts across the 'net? Keep in mind, I don't mean using IPSec for the LAN hosts, it would just be from the router, over the Internet. In theory I don't see why this would not work, assuming natd(8) rewrites the source address of these outgoing packets before KAME receives them and encrypts them. Using tcpdump(1) I can see the packets leave on the WAN interface, but no replies. If anyone has had any success with this, preferably with ipfw(4), but even if it's pf(4) or ipf(4), I'd like to know how you managed to get it working.
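The post's reasoning hinges on whether natd(8) rewrites the source address before the SPD lookup sees the packet. The following added example (not from the post or from FreeBSD) is a small model of KAME-style SPD selector matching: it parses setkey(8) `spdadd` lines and shows that a transport-mode policy keyed on the router's WAN address matches only if NAT has already run. All addresses are constructed documentation ranges, and the model deliberately does not claim what the 5.4 kernel's actual packet path is.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches setkey(8) policy lines such as:
#   spdadd 203.0.113.1/32 198.51.100.7/32 any -P out ipsec esp/transport//require;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec\s+\S+|discard|none)\s*;"
)

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    action: str

def parse_spd(text):
    """Turn setkey spdadd lines into Policy selectors (first match wins)."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, _upper, direction, action = m.groups()
        policies.append(Policy(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               direction, action))
    return policies

def lookup(policies, src, dst, direction="out"):
    """Model SPD lookup: return the action of the first matching selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p.action
    return "none"   # no policy: packet would leave in the clear

# Constructed SPD: transport-mode policy between router WAN and remote host.
SPD = """
spdadd 203.0.113.1/32 198.51.100.7/32 any -P out ipsec esp/transport//require;
spdadd 198.51.100.7/32 203.0.113.1/32 any -P in ipsec esp/transport//require;
"""

def outbound_policy(policies, lan_src, wan_ip, remote, nat_before_ipsec):
    """Which policy an internal host's packet hits, depending on NAT ordering."""
    src = wan_ip if nat_before_ipsec else lan_src
    return lookup(policies, src, remote, "out")

if __name__ == "__main__":
    pols = parse_spd(SPD)
    for order in (True, False):
        print("NAT first" if order else "IPsec first",
              outbound_policy(pols, "10.0.0.5", "203.0.113.1", "198.51.100.7", order))
```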