Re: Using racoon-negotiated IPSec with ipfw and natd

From: Crist J. Clark (cristjc_at_comcast.net)
Date: 10/30/03

    Date: Thu, 30 Oct 2003 14:43:42 -0800
    To: security@freebsd.org, net@freebsd.org

    On Thu, Oct 30, 2003 at 03:05:09PM -0600, Mark Johnston wrote:
    > [ -netters, please Cc me or security@ with replies. ]
    >
    > I'm running into trouble integrating dynamic racoon-based IPSec into a network
    > with ipfw and natd. I need to be able to allow VPN access from any address
    > from authenticated clients. I've got the dynamic VPN working, with racoon
    > negotiating SAs and installing SPs, but the problem is that I can't tell
    > whether an incoming packet on the internal interface should go through natd or
    > not.
    >
    > The problem looks like this. I have 3 boxes, mobile, gateway, and internal,
    > and I'm trying to ping internal from mobile.
    >
    > - gateway receives an ESP packet from mobile (encapsulating a ping).
    > - gateway decrypts and transmits an ICMP packet to internal with mobile's
    > source address.
    > - internal generates the ICMP response to mobile.
    > - gateway receives the response, runs it through natd, and sends it out in the
    > clear to mobile with gateway's source address.
    >
    > The packet is going out in the clear because after natd rewrites it, its source
    > address is gateway's external interface - not part of the SP.

    This shouldn't happen. IPsec processing of the outgoing packet happens
    _before_ it gets passed to ipfw(8) (which hands it to natd(8)) on the
    external interface.

    > What I want to
    > accomplish, in pseudo-ipfw, is this:
    >
    > pass esp from any to me
    > pass ip from known-sp-sources to 192.168.0.0/24
    > pass ip from 192.168.0.0/24 to known-sp-destinations
    > divert natd from 192.168.0.0/24 to any

    This may be your problem. That rule should be something like,

      divert natd from 192.168.0.0/24 to any via ${external_if}

    Is that what you actually have? Are you doing NAT on the internal
    interface? That would confuse things.

    > deny ip from any to 192.168.0.0/24
    > pass ip from me to any keep-state
    >
    > All I'm missing is the known-sp definitions. If anyone has any pointers on
    > doing this, please share. If I'm going about it totally bass-ackwards, I'd
    > like to hear that too. :)

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
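Below is an added example, not code from this thread or from FreeBSD: a shell script that emits an ipfw ruleset in the shape the original poster sketched, applying the correction above (natd diverted only `via` the external interface), adding an inbound divert so NATed replies are rewritten back, and checking that no divert rule is left unbound to an interface. Interface names, rule numbers and the `vpn_clients` placeholder for the still-undefined "known-sp" set are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw ruleset in the shape the
# discussion converges on, with natd bound to the external interface only.
# Interface names, rule numbers and the VPN client list are assumptions.

ext_if="xl0"                            # assumed external interface
int_if="xl1"                            # assumed internal interface
lan="192.168.0.0/24"                    # internal network, from the thread
vpn_clients="${VPN_CLIENTS:-10.9.8.7}"  # placeholder for the "known-sp" set

# Emit the ruleset as `ipfw add` lines instead of loading it, so it can be
# reviewed first and then applied with:  build_rules | sh
build_rules() {
    cat <<EOF
# 50: trust the internal interface; the policy below is enforced on $ext_if
ipfw add 50  pass ip from any to any via $int_if
# 100: rewrite inbound NAT replies before any state or pass rule sees them
ipfw add 100 divert natd ip from any to any in via $ext_if
ipfw add 110 pass esp from any to me in via $ext_if
ipfw add 120 pass udp from any to me 500 in via $ext_if
# 200-210: decrypted VPN traffic, passed without ever reaching natd
ipfw add 200 pass ip from $vpn_clients to $lan
ipfw add 210 pass ip from $lan to $vpn_clients
ipfw add 220 check-state
# 300: state is keyed on the private address, then jump to the outbound NAT
ipfw add 300 skipto 600 ip from $lan to any out via $ext_if keep-state
ipfw add 400 deny ip from any to $lan
ipfw add 500 pass ip from me to any out via $ext_if keep-state
ipfw add 510 deny ip from any to any
ipfw add 600 divert natd ip from $lan to any out via $ext_if
ipfw add 610 pass ip from any to any out via $ext_if
EOF
}

# Guard against the failure mode in the thread: a divert rule with no
# interface qualifier also catches packets on the internal interface, so
# decrypted VPN traffic would be rewritten by natd. Reads rules on stdin and
# succeeds only when every divert rule carries "via".
divert_rules_bound() {
    ! grep 'divert' | grep -v -q ' via '
}

# Stand-alone run: print the ruleset only if it passes the check.
build_rules | divert_rules_bound && build_rules
```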
    
