Re: ipfw, IPSec, and natd



Hi,

Removing the ah requirement from my ipsec.conf did indeed solve the
problem, which makes me conclude that natd must be rewriting the ah in
such a way that IPSec can no longer decode it properly. This is
important, I suppose I'll shoot off an email to someone who does natd
work or a related group.

Thanks a bunch for your help.

Best,

--
Devin Heckman

On 13:58 Wed 07 Jun , Toni Schmidbauer wrote:
At Wed, 7 Jun 2006 01:35:16 -0700,
Devin Heckman wrote:
has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
when all three run at once with the "divert" rule enabled (if I'm right,
it's because natd is rewriting some information in packets which makes
IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
know even how to begin fixing natd).

myrouter = 192.168.0.10, 10.0.0.1
mynatbox1 = 10.0.0.2
mynatbox2 = 10.0.0.3
mynfsbox = 192.168.0.11

             IPSec
mynfsbox <--------> myrouter
                       | not IPSec
                       |<---------> mynatbox1
                       |<---------> mynatbox2

/usr/local/etc/ipsec.conf:

spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;

could you repost your excellent description to freebsd-question@? i am
not that kind of an ipsec guru, my setup looks a bit different. for
sure there are ipsec gurus on the ml.

your ipfw rules show that you divert every packet over sis0 to
natd. i would try to specify only those addresses which should get
rewritten by natd (in your case 192.168..). so packets sent from
myrouter to mynfsbox do not pass natd.

another thing i would try is to disable ah (just remove
ah/transport//require) from your ipsec.conf file. ah is not necessary
for an encrypted connection, it provides protection against replay
attacks.

hth,
toni
--
If you understand what you're doing, you're | toni at stderror dot at
not learning anything. | Toni Schmidbauer
-- Anonymous |

_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
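The conclusion above (natd rewriting packets so that AH can no longer be verified, while dropping ah/transport//require makes the mount work) follows directly from what the two protocols authenticate. The following is an added illustration, not code from this thread or from FreeBSD: it computes an AH-style integrity check value (HMAC-SHA1-96 over the IP header with its mutable fields zeroed, then the AH header, then the payload, as RFC 4302 specifies for transport mode) and an ESP-style ICV (which never covers the outer IP header), then simulates natd rewriting the source address. The addresses, key, SPIs and payload are constructed for the demo; the IPv4 header checksum is left zero because AH zeroes it anyway.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed demo key. A real SA gets its key from setkey/racoon, not from here.
KEY = b"\x0b" * 20


def ipv4_header(src, dst, proto, total_len, ident=0x1234, ttl=64, tos=0):
    """Build a 20-byte IPv4 header. Checksum is left zero (AH zeroes it anyway)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def build_ah(next_hdr, spi, seq):
    """AH fixed header without the ICV: next header, payload length
    (AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4), reserved, SPI, seq."""
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)


def ah_icv(ip_hdr, ah_hdr_no_icv, payload, key=KEY):
    """Transport-mode AH ICV: HMAC over the IP header with the mutable fields
    (TOS, flags/fragment offset, TTL, header checksum) zeroed, then the AH
    header with ICV zeroed, then the payload. Truncated to 96 bits (RFC 2404).
    Source and destination addresses are NOT mutable, so they are covered."""
    fixed = bytearray(ip_hdr)
    fixed[1] = 0                  # TOS
    fixed[6:8] = b"\x00\x00"      # flags + fragment offset
    fixed[8] = 0                  # TTL
    fixed[10:12] = b"\x00\x00"    # header checksum
    mac = hmac.new(key, bytes(fixed) + ah_hdr_no_icv + payload, hashlib.sha1)
    return mac.digest()[:12]


def esp_icv(esp_hdr, payload, key=KEY):
    """ESP ICV covers only the ESP header and the (encrypted) payload,
    never the outer IP header, so address rewriting cannot invalidate it."""
    return hmac.new(key, esp_hdr + payload, hashlib.sha1).digest()[:12]


def verify_ah(ip_hdr, ah_hdr_no_icv, icv, payload):
    return hmac.compare_digest(ah_icv(ip_hdr, ah_hdr_no_icv, payload), icv)


def natd_rewrite_src(ip_hdr, new_src):
    """Simulate the one thing natd does that matters here: rewrite the source address."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = IPv4Address(new_src).packed
    return bytes(hdr)


def demo():
    """Return the verification outcomes for the scenarios discussed in the thread."""
    payload = b"NFS RPC call (constructed)"
    ah = build_ah(next_hdr=17, spi=0x1000, seq=1)          # 17 = UDP inside AH
    ip = ipv4_header("192.168.0.10", "192.168.0.11", 51,    # 51 = AH
                     20 + 24 + len(payload))
    icv = ah_icv(ip, ah, payload)
    esp = struct.pack("!II", 0x2000, 1)                    # SPI + sequence number
    e_icv = esp_icv(esp, payload)

    ah_before = verify_ah(ip, ah, icv, payload)

    # natd rewrites the source address (constructed public address).
    nat_ip = natd_rewrite_src(ip, "203.0.113.5")
    ah_after_nat = verify_ah(nat_ip, ah, icv, payload)
    esp_after_nat = hmac.compare_digest(esp_icv(esp, payload), e_icv)

    # A router hop decrementing TTL touches only a mutable field: AH still verifies.
    ttl_ip = bytearray(ip)
    ttl_ip[8] = 63
    ah_after_ttl = verify_ah(bytes(ttl_ip), ah, icv, payload)

    return {
        "ah_before_nat": ah_before,
        "ah_after_nat": ah_after_nat,
        "ah_after_ttl_decrement": ah_after_ttl,
        "esp_after_nat": esp_after_nat,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```

Two things worth keeping in mind when reading the result. First, the ESP ICV surviving NAT is only half the story for real traffic: rewriting the address also changes the TCP/UDP pseudo-header checksum inside the now-encrypted payload, which is why NAT traversal (UDP encapsulation) exists rather than plain ESP-through-NAT. Second, in the thread's topology the myrouter to mynfsbox traffic should never be translated at all, so the first suggestion (restricting the divert rule to the addresses that actually need rewriting) removes the cause, while dropping AH only removes the symptom.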