RE: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess)

From: Vincent Goupil (vgoupil_at_alis.com)
Date: 11/13/03

    To: "'Crist J. Clark'" <cjc@freebsd.org>, "'freebsd-ipfw@freebsd.org'" <freebsd-ipfw@freebsd.org>, "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>, "'freebsd-isp@freebsd.org'" <freebsd-isp@freebsd.org>
    Date: Thu, 13 Nov 2003 16:55:01 -0500
    
    

    But if I use this config file for natd:

    unregistered_only
    use_sockets
    log
    log_denied
    redirect_address 192.168.1.50 208.x.y.120
    redirect_address 192.168.1.51 208.x.y.121
    redirect_address 192.168.1.52 208.x.y.122
    redirect_address 192.168.1.53 208.x.y.123
    alias_address 208.x.y.124

    With this setup, I should be able to do 5 VPN IPSec connections at the same
    time, since the ESP packets coming in on 208.x.y.120 are mapped directly to
    192.168.1.50, and so on for the others, using the redirect_address directive.
    I also understand that I can use only one computer at a time for the others
    using the alias_address (the rest of the network).

    I'm currently using this setup. I can only do IPSec with
    192.168.1.10-25, which are mapped by the alias_address. The computers using
    the IPs 208.x.y.120-123 can't use the VPN and I don't know why.

    Vincent

    -----Original Message-----
    From: Crist J. Clark [mailto:cristjc@comcast.net]
    Sent: 13 November 2003 16:16
    To: Vincent Goupil
    Cc: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org';
    'freebsd-isp@freebsd.org'
    Subject: Re: IPSec VPN & NATD (problem with alias_address vs
    redirect_address)

    On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
    > I setup a firewall with ipfw2 and natd on freebsd 4.9 release.
    >
    > I have mapped my subnet with alias_address
    > I have mapped 4 private ip address with 4 public ip address
    >
    > Everything is working fine (web, email, ftp, etc..) for outgoing and
    > incoming connections for anyone on my network.
    >
    > With this configuration, 5 people at a time (on my network) could dial to
    > the same VPN server:
    > 4 with different IPs and one with the alias_address. I suppose that
    > only one person at a time can use the alias_address with the IPSec VPN (I
    > think; tell me if I'm wrong).
    [snip]

    Nope, that's right. You can have only one machine behind natd(8) using
    ESP at a time (you could actually have one AH and one ESP at the same
    time, but since NAT breaks AH, what's the point?). The reason within
    natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all
    that it enters into its translation table is,

      IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr

    The obvious problem is that you can only have one mapping like
    this. If you had more than one, when you receive a packet of IPproto
    from IPdst_addr, to which internal machine do you send it?

    Now, that's why natd(8) has problems. Why not add a feature to natd(8)
    to get around it? Because there is no way to get around the
    problem. ESP packets have this nice SPI field that one could
    potentially use to map the traffic between multiple machines behind
    NAT to a single VPN end point on the other side, but there is no
    practical way for the NAT box to learn the SPI of incoming packets.

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
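The keying Crist describes above (only the protocol and the two addresses for anything that is not TCP, UDP or ICMP), as an added example that is not part of the original thread and is not natd(8)'s own code: a small Python model of the translation table that reproduces the one-ESP-host limit of a single alias_address, shows why a second AH or ESP flow to the same peer is undeliverable, and shows why distinct redirect_address entries give distinct keys. The VPN peer address 203.0.113.1 and the packets are constructed; the other addresses are taken from Vincent's natd config. The model does not explain why Vincent's redirected hosts fail, which the thread leaves open.

```python
"""Model of the natd(8) translation-table keys described in the thread.

Added example, not natd(8) source.  It simulates only the keying: for
TCP/UDP the key carries a translated source port, for every other IP
protocol (ESP, AH) it is just (proto, public_addr, remote_addr).
"""
from collections import defaultdict

TCP, UDP, ESP, AH = 6, 17, 50, 51

# constructed VPN peer address (RFC 5737 documentation range)
VPN_PEER = "203.0.113.1"

# the redirect_address lines from Vincent's natd.conf: private -> public
REDIRECTS = {
    "192.168.1.50": "208.x.y.120",
    "192.168.1.51": "208.x.y.121",
    "192.168.1.52": "208.x.y.122",
    "192.168.1.53": "208.x.y.123",
}


class NatModel:
    def __init__(self, alias_address, redirect_address=None):
        self.alias = alias_address
        self.redirect = dict(redirect_address or {})
        # key -> internal hosts whose traffic produced that key
        self.table = defaultdict(list)
        self.next_port = 40000

    def _public_for(self, internal):
        """A redirect_address host keeps its own public IP, others share the alias."""
        return self.redirect.get(internal, self.alias)

    def outbound(self, proto, internal, remote, sport=None):
        """Record an outgoing flow; return the key its return packets must match."""
        public = self._public_for(internal)
        if proto in (TCP, UDP):
            # a per-flow translated port makes every key unique
            tport = self.next_port
            self.next_port += 1
            key = (proto, public, tport, remote)
        else:
            # no ports to work with: only protocol and the two addresses
            key = (proto, public, remote)
        if internal not in self.table[key]:
            self.table[key].append(internal)
        return key

    def inbound(self, key):
        """Deliver a return packet.  None means natd cannot decide where it goes."""
        hosts = self.table.get(key, [])
        return hosts[0] if len(hosts) == 1 else None


def scenario_single_alias():
    """Two internal hosts behind one alias_address, both ESP to the same peer."""
    nat = NatModel("208.x.y.124")
    k1 = nat.outbound(ESP, "192.168.1.10", VPN_PEER)
    k2 = nat.outbound(ESP, "192.168.1.11", VPN_PEER)
    # same key, so the return ESP packet has two candidate destinations
    return k1 == k2, nat.inbound(k1)


def scenario_ah_plus_esp():
    """One AH and one ESP host: different protocol numbers, different keys."""
    nat = NatModel("208.x.y.124")
    k_esp = nat.outbound(ESP, "192.168.1.10", VPN_PEER)
    k_ah = nat.outbound(AH, "192.168.1.11", VPN_PEER)
    return nat.inbound(k_esp), nat.inbound(k_ah)


def scenario_redirect_address():
    """redirect_address hosts each own a public IP, so their ESP keys differ."""
    nat = NatModel("208.x.y.124", REDIRECTS)
    keys = [nat.outbound(ESP, h, VPN_PEER)
            for h in ("192.168.1.50", "192.168.1.51", "192.168.1.10")]
    return len(set(keys)) == len(keys), [nat.inbound(k) for k in keys]


def scenario_tcp():
    """TCP flows from two hosts with the same source port still get unique keys."""
    nat = NatModel("208.x.y.124")
    k1 = nat.outbound(TCP, "192.168.1.10", VPN_PEER, sport=5000)
    k2 = nat.outbound(TCP, "192.168.1.11", VPN_PEER, sport=5000)
    return k1 != k2, [nat.inbound(k) for k in (k1, k2)]


if __name__ == "__main__":
    print("single alias, two ESP hosts:", scenario_single_alias())
    print("one AH + one ESP:", scenario_ah_plus_esp())
    print("redirect_address hosts:", scenario_redirect_address())
    print("two TCP hosts:", scenario_tcp())
```

Only the inbound direction is ambiguous in the model, which matches the thread: both hosts' outgoing ESP leaves the box, but the return packet carries nothing beyond (proto, dst, src) that natd could match against, so it cannot be attributed to one of them.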
    

