Re: freebsd vpn server behind nat dsl router



On Wed, Mar 07, 2007 at 09:59:44AM -0600, Robert Johannes wrote:
> Hello Greg,
> I am writing you, because I saw your responses to a couple of messages on
> the freebsd-security mailing list related to freebsd vpn and nat.

Well, I'm not Greg, but hi, and here is some information :-)


> My situation is rather unique, and I need an expert's eyes to
> glance at it and confirm whether it is doable or not. I have a simple
> diagram that illustrates what I am trying to do, and it is located here
> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg

I'm not sure I understood exactly what you want to do, but I think
your setup is really common.


> In the diag, the dsl modems have dynamic public ips on the internet side,
> and private ips on the lan side.

If both DSL modems have dynamic IPs, you'll have a first problem:
being able to know the correct IP of your peer, then a second problem:
being able to detect when the peer's IP changes.

I'll consider you are able to do that.


> As you can see in the diag, I am trying to have the vpn traffic from the
> internet forwarded to the FreeBSD vpn (the machines ending in .254 on each
> site). I have followed the FreeBSD "VPN over IPsec" in the handbook, and
> created a tunnel between the two vpn servers; according to the handbook, I
> should be able to ping the vpn servers using their private network
> addresses, but I am not able to do that. I realize that my implementation
> is not exactly like the handbook's, but what do I need to do to get it to
> work? I have googled, and researched all over the net without much
> progress.
>
> I have seen a lot of messages related to nat and enabling vpn passthrough
> on different dsl modems and so forth, which I have tried to do, but still,
> no progress.

Some information:

- The FreeBSD handbook talks about gif interfaces for IPsec tunnels. Just
forget that part and use IPsec tunnels directly, without gif
interfaces.

- You'll probably need NAT-T support so your VPN tunnel will be more
likely to work (well, it may work without NAT-T, but it is more
complex and needs lots of constraints between both FreeBSD gates).
Make a quick search on freebsd-net, get the kernel patch from
http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel
with NAT-T support, reinstall your world, then recompile/reinstall
the ipsec-tools port.

- When your tunnel is up, you'll probably want to lower the
TCP MSS for traffic which goes through the tunnel, but this is
another story :-)



Yvan.

--
NETASQ
http://www.netasq.com
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
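A worked configuration for the setup Yvan describes (IPsec tunnel mode directly between the two .254 gateways, no gif interfaces, NAT-T enabled in racoon, MSS clamping on the LAN side), as an added example that is not part of the thread. All addresses, interface names and file paths are assumptions: site A's LAN is 192.168.1.0/24 with gateway 192.168.1.254 behind its DSL NAT, site B's LAN is 192.168.2.0/24 reached via its modem's public address 203.0.113.2, and the NAT-T kernel patch plus a matching ipsec-tools build are assumed to be installed as the reply says.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the three pieces needed for
# an IPsec tunnel between two FreeBSD gateways that sit behind DSL NAT
# routers, without gif(4). All addresses below are constructed examples.

# setkey(8) policies for /etc/ipsec.conf: inbound mirrors outbound.
# The local tunnel endpoint is the gateway's PRIVATE address (it is behind
# NAT); the remote endpoint is the peer modem's PUBLIC address. NAT-T in
# racoon handles the fact that the peer sees our modem's public IP instead.
spd_policy() {   # $1=local LAN  $2=remote LAN  $3=local gw  $4=remote public
    cat <<EOF
spdflush;
spdadd $1 $2 any -P out ipsec esp/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec esp/tunnel/$4-$3/require;
EOF
}

# racoon.conf fragment with NAT-T turned on. With main mode and PSK the
# responder looks the key up by the peer's source address, so psk.txt on
# each side is keyed by the OTHER site's modem public IP.
racoon_remote() {   # $1=remote public IP
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
remote $1 {
    exchange_mode main;
    nat_traversal on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# pf.conf fragment: let IKE (500), NAT-T (4500) and raw ESP reach the gateway
# (the modem must forward them to .254), and clamp the MSS of LAN traffic
# headed into the tunnel on the INTERNAL interface, where it is still cleartext.
pf_rules() {   # $1=external if  $2=internal if  $3=remote LAN
    cat <<EOF
scrub in on $2 proto tcp from any to $3 max-mss 1380
pass in on $1 proto udp from any to ($1) port { 500, 4500 }
pass in on $1 proto esp from any to ($1)
EOF
}
```

On site A you would run `spd_policy 192.168.1.0/24 192.168.2.0/24 192.168.1.254 203.0.113.2 > /etc/ipsec.conf` and load it with `setkey -f /etc/ipsec.conf`; site B uses the mirrored arguments with A's modem public IP.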