Using racoon-negotiated IPSec with ipfw and natd

From: Mark Johnston (mjohnston_at_skyweb.ca)
Date: 10/30/03

  • Next message: Crist J. Clark: "Re: Using racoon-negotiated IPSec with ipfw and natd"
    Date: Thu, 30 Oct 2003 15:05:09 -0600
    To: security@freebsd.org
    
    

    [ -netters, please Cc me or security@ with replies. ]

    I'm running into trouble integrating dynamic racoon-based IPSec into a network
    with ipfw and natd. I need to be able to allow VPN access from any address
    from authenticated clients. I've got the dynamic VPN working, with racoon
    negotiating SAs and installing SPs, but the problem is that I can't tell
    whether an incoming packet on the internal interface should go through natd or
    not.

    The problem looks like this. I have 3 boxes, mobile, gateway, and internal,
    and I'm trying to ping internal from mobile.

    - gateway receives an ESP packet from mobile (encapsulating a ping).
    - gateway decrypts and transmits an ICMP packet to internal with mobile's
      source address.
    - internal generates the ICMP response to mobile.
    - gateway receives the response, runs it through natd, and sends it out in the
      clear to mobile with gateway's source address.

    The packet is going out in the clear because after natd rewrites it, its source
    address is gateway's external interface - not part of the SP. What I want to
    accomplish, in pseudo-ipfw, is this:

    pass esp from any to me
    pass ip from known-sp-sources to 192.168.0.0/24
    pass ip from 192.168.0.0/24 to known-sp-destinations
    divert natd from 192.168.0.0/24 to any
    deny ip from any to 192.168.0.0/24
    pass ip from me to any keep-state

    All I'm missing is the known-sp definitions. If anyone has any pointers on
    doing this, please share. If I'm going about it totally bass-ackwards, I'd
    like to hear that too. :)

    Thanks,
    Mark
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
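As an added example (not part of Mark's mail, and not code from the racoon, KAME or ipfw projects), the following script fills in the "known-sp" placeholders from the thread's pseudo-ruleset by reading the kernel SPD. It assumes the LAN is 192.168.0.0/24, that the "divert natd" rule lives at ipfw rule number 500, and that the SPD text comes from `setkey -DP`; the SPD_DUMP value below is a constructed sample in that layout (two policies for one mobile peer plus one discard policy), not a real dump. Every SP whose action is "ipsec" becomes a pass rule numbered just below the divert rule, with the SP's direction as the rule's in/out qualifier. The peer addresses, SPIDs and rule numbers are hypothetical.

```shell
#!/bin/sh
# Added example: derive "known-sp" ipfw rules from the IPsec SPD so that
# traffic covered by a racoon-installed policy is passed BEFORE the natd
# divert rule and never gets its addresses rewritten.
#
# Assumptions (hypothetical, for this example only):
#   INTERNAL_NET  the LAN behind the gateway
#   DIVERT_RULE   rule number of "divert natd"; generated rules go below it
#   SPD_DUMP      real use: SPD_DUMP="$(setkey -DP)"; here a constructed
#                 sample in the same layout (setkey indents with tabs, the
#                 parser accepts any leading whitespace)

INTERNAL_NET=192.168.0.0/24
DIVERT_RULE=500

SPD_DUMP='192.168.0.0/24[any] 10.8.0.2[any] any
	out ipsec
	esp/tunnel/198.51.100.1-203.0.113.7/require
	spid=1 seq=2 pid=1234
	refcnt=1
10.8.0.2[any] 192.168.0.0/24[any] any
	in ipsec
	esp/tunnel/203.0.113.7-198.51.100.1/require
	spid=2 seq=1 pid=1234
	refcnt=1
192.168.0.0/24[any] 203.0.113.99[any] any
	out discard
	spid=3 seq=0 pid=1234
	refcnt=1'

# Print one "ipfw add N pass ..." line per SP whose action is "ipsec".
# Policies with action none/discard get no hole.  An inbound SP opens the
# path for the decrypted packet towards the LAN; an outbound SP keeps the
# reply to the peer away from natd so it still matches the SP on output.
known_sp_rules() {
    printf '%s\n' "$SPD_DUMP" | awk -v base="$((DIVERT_RULE - 100))" '
        # Selector line, starts in column 1: "src[port] dst[port] proto"
        /^[^ \t]/ {
            src = $1; dst = $2; proto = $3
            sub(/\[.*\]$/, "", src)            # drop the [port] suffix
            sub(/\[.*\]$/, "", dst)
            if (proto == "any") proto = "ip"   # ipfw spelling of "any protocol"
            next
        }
        # First indented line: "<in|out> <ipsec|none|discard>"
        $1 == "in" || $1 == "out" {
            if ($2 != "ipsec") next
            n++
            printf "ipfw add %d pass %s from %s to %s %s\n", base + n, proto, src, dst, $1
        }'
}

# Number of rules generated; a sanity check before loading them.
known_sp_count() {
    known_sp_rules | wc -l | tr -d ' '
}

# To load into the live ruleset once the variables match the real setup:
#   known_sp_rules | sh
known_sp_rules
```

The generated rules only make sense ahead of the divert rule, between the "pass esp from any to me" rule and "divert natd": a packet that matches one of them is accepted before natd ever sees it, so the reply to the mobile host keeps its LAN source address and still hits the outbound SP. Because racoon adds and removes SPs as clients come and go, the SPD is a moving target; re-run the script (and flush the previously generated rule range) whenever the SPD changes, and compare `known_sp_count` against the number of "ipsec" policies in `setkey -DP` before trusting the result.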

