Re: freebsd vpn server behind nat dsl router
- From: Robert Johannes <rjohanne@xxxxxxxxxxxxxxxxx>
- Date: Wed, 7 Mar 2007 17:14:37 -0600 (CST)
On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:Thanks for your response. My freebsd vpn servers are behind the dsl
routers at each site which. The modems have firewall and NAT turned on.
The vpn servers are part of the local LANs, and I have port-forwarding
setup between the dsl modems and the vpn servers. E.g, when traffic comes
from the internet destined for port 500, I forward that traffic to the vpn
servers (192.168.x.254 on the diagram).
If your redirection only works for port 500, it won't be enough, as it
will only allow IKE negociations, not encrypted traffic.
You'll have to add forwarding for ESP protocol, or use NAT-T patch and
also forward UDP 4500 port.
Yeah, I have been trying to figure out how to forward protocols 47, 50 and
51 to the vpns without knowing whether it is successful or not. So, on to nat-t then.
The freebsd servers are not running a firewall or NAT at this point. I
don't think they need to run NAT, but I haven't decided on the firewall
yet.
So, given that situation, I don't know if the NAT changes to the kernel
you are suggesting below would help, since NAT is happening on the dsl
routers. I am guessing my problem is between the vpn server and the dsl
router's NAT capability. I have done a tcpdump on the gif interface, and
I can see the ping requests being made across it, but there's no response.
I don't even know if the traffic is making it beyond the vpn box, let
alone beyond the dsl modem.
The NAT-T patch I was talking about adds the kernel part of an *IPSec*
feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
which allows IPSec tunnels to be established if there is some NAT
between IPSec gates.
This is exactly your setup.
Cool. My response above was based on not really understanding how nat played havoc on my vpn design. It sounds like NAT-T is what I should be doing then. Do you know if the patch was included in the 6.1 and 6.2 releases? Or perhaps in current/stable? It would be faster for me to reload, rather than making world; the machines I am working with are amd K6 500mhz cpus, with 186megs of ram.
The tcpdump on your GIF interface will only show you that FreeBSD
correctly routes the packet to that interface.....
About dynamic ip: The dsl routers have been configured to use the dyndns
service, and each time the ip address changes, dyndns is updated as well.
You'll still have the problem "detecting when the peer's IP change".
I don't know yet how I will handle this; but I could probably create a script that monitors for change in the ip address, and re-initializes vpn services with the new ip.
_______________________________________________
Yvan.
--
NETASQ
http://www.netasq.com
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- References:
- freebsd vpn server behind nat dsl router
- From: Robert Johannes
- Re: freebsd vpn server behind nat dsl router
- From: VANHULLEBUS Yvan
- Re: freebsd vpn server behind nat dsl router
- From: Robert Johannes
- Re: freebsd vpn server behind nat dsl router
- From: VANHULLEBUS Yvan
- freebsd vpn server behind nat dsl router
- Prev by Date: Re: freebsd vpn server behind nat dsl router
- Next by Date: Re: freebsd vpn server behind nat dsl router
- Previous by thread: Re: freebsd vpn server behind nat dsl router
- Next by thread: Re: freebsd vpn server behind nat dsl router
- Index(es):
Relevant Pages
|
