Re: ipfw, IPSec, and natd


Removing the ah requirement from my ipsec.conf did indeed solve the
problem, which makes me conclude that natd must be rewriting the ah in
such a way that IPSec can no longer decode it properly. This is
important, I suppose I'll shoot off an email to someone who does natd
work or a related group.

Thanks a bunch for your help.


Devin Heckman

On 13:58 Wed 07 Jun, Toni Schmidbauer wrote:
At Wed, 7 Jun 2006 01:35:16 -0700,
Devin Heckman wrote:
has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
when all three run at once with the "divert" rule enabled (if I'm right,
it's because natd is rewriting some information in packets which makes
IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
know even how to begin fixing natd).

myrouter =,
mynatbox1 =
mynatbox2 =
mynfsbox =

mynfsbox <--------> myrouter
| not IPSec
|<---------> mynatbox1
|<---------> mynatbox2


spdadd any -P out ipsec esp/transport//require ah/transport//require;
spdadd any -P in ipsec esp/transport//require ah/transport//require;

could you repost your excellent description to freebsd-question@? i am
not that kind of an ipsec guru, my setup looks a bit different. for
sure there are ipsec gurus on the ml.

your ipfw rules show that you divert every packet over sis0 to
natd. i would try to specify only those addresses which should get
rewritten by natd (in your case 192.168..). so packets sent from
myrouter to mynfsbox do not pass natd.

another thing i would try is to disable ah (just remove
ah/transport//require) from your ipsec.conf file. ah is not necessary
for an encrypted connection, it provides protection against replay

If you understand what you're doing, you're | toni at stderror dot at
not learning anything. | Toni Schmidbauer
-- Anonymous |
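As an added example (not code from this thread or from FreeBSD), a small POSIX shell check for the two settings Toni suggests changing: a divert rule that hands every packet on the NAT interface to natd, and an ipsec.conf policy that requires AH. It assumes sis0 is the NAT interface and 192.168.0.0/16 is the LAN natd should rewrite; AH (RFC 4302) authenticates the IP header, addresses included, which is why a NAT rewrite makes the peer reject it while ESP, which does not cover the outer header, survives.

```shell
#!/bin/sh
# Added example, not from the thread. Lint an ipfw ruleset and an ipsec.conf
# for the natd/AH interaction described above. Assumed for illustration:
# sis0 is the NAT interface, 192.168.0.0/16 the LAN to be rewritten.

# $1: ipfw ruleset text, one rule per line. Exit 0 when some divert rule
# matches every packet on sis0 rather than only LAN-sourced packets, which
# means IPSec traffic between myrouter and its peers also passes natd.
divert_rule_too_broad() {
    printf '%s\n' "$1" | grep -Eq \
        'divert[[:space:]]+[a-z0-9]+[[:space:]]+ip[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any[[:space:]]+via[[:space:]]+sis0'
}

# $1: ipsec.conf text in setkey syntax. Exit 0 when any spdadd policy
# requires AH; AH covers the IP addresses, so natd rewrites break it.
ipsec_conf_requires_ah() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*spdadd.*ah/transport//require'
}

# Constructed sample inputs. BROAD_RULES is the "divert everything" shape;
# NARROW_RULES only diverts LAN-sourced packets on the way out and packets
# addressed to this host ("me" is ipfw's keyword for local addresses) on
# the way in, so router-to-peer IPSec packets are not handed to natd.
BROAD_RULES='add 100 divert natd ip from any to any via sis0
add 200 allow ip from any to any'
NARROW_RULES='add 100 divert natd ip from 192.168.0.0/16 to any out via sis0
add 110 divert natd ip from any to me in via sis0
add 200 allow ip from any to any'

# Constructed policies: the ESP+AH pair from the thread (hostnames stand in
# for the elided addresses) and the ESP-only version that worked.
CONF_WITH_AH='spdadd myrouter mynfsbox any -P out ipsec esp/transport//require ah/transport//require;
spdadd mynfsbox myrouter any -P in ipsec esp/transport//require ah/transport//require;'
CONF_ESP_ONLY='spdadd myrouter mynfsbox any -P out ipsec esp/transport//require;
spdadd mynfsbox myrouter any -P in ipsec esp/transport//require;'

# Report both findings for a given ruleset and policy file contents.
report() {
    divert_rule_too_broad "$1" && echo "divert: all sis0 traffic goes to natd"
    ipsec_conf_requires_ah "$2" && echo "ipsec.conf: AH required (breaks under NAT)"
    return 0
}
report "$BROAD_RULES" "$CONF_WITH_AH"
```

Run it against the real files with `report "$(cat /etc/ipfw.rules)" "$(cat /etc/ipsec.conf)"` once the rule and policy syntax matches your setup.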

freebsd-net@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"