IPSEC/NAT/Gateway Query

Karol Mares iso at atomicpile.sk
Sat Mar 13 08:48:39 PST 2004 

Hi there,

* Neil Fenemor (Neil at ts.co.nz) wrote:
> Hi all,
> 
> I currently have an issue of how "open" the whole WiFi tends to be, so,
> as all good people should do, I've started implementing a IPSec
> encryption system rather than the rather disappointing WEP.
> 
> I'm encrypting all data to and from the gateway, which isn't a problem.
> This was documented rather well all over the internet.
> 
> What I'm having an issue, is if the "client" has a range of RFC 1918
> addresses behind it, and I have to introduce NAT into the equation.
> 
> I've best tracked it down to the order that the kernel looks at the
> packets to decide what to do with it.
> 
> This is where I stand at the moment.
> 
> x.y.z.11 -> x.y.z.254             : works perfectly
> x.y.z.11 -> x.y.z.254 -> 0.0.0.0  : works perfectly
> rfc 1918 -> x.y.z.11 -> x.y.z.254 : Fails
> rfc 1918 -> x.y.z.11 -> x.y.z.254 -> 0.0.0.0 : Fails
> 
> The connection between x.y.z.11 and x.y.z.254 is there the IPSec takes
> place, and is the only part "off the wire" as it were.
> 
> The issue presents itself as the packet, from an rfc 1918 address, goes
> to the client box, gets inspected by the VPN rules, which are currently
> set to match on the external address of the client machine, and is
> subsequently overlooked by the VPN. The packet then goes on, gets NATed,
> and goes out as a unencrypted packet, from x.y.z.11. Thats a generally
> undesired transport mode.
> 
> On x.y.z.254, the packet goes back via the IPSec tunnel, but is then not
> un-NATed.
> 
> All I believe should be required, is for the RFC 1918 packet to be NATed
> to the external IP address, BEFORE it is inspected by the IPSec system.
> 
> So basically, all I'm really asking, is am I on the right line of
> thinking, or have I just gone off on a complete tangent to where I
> should be headed.
> 
> Any ideas/input would be greatly appreciated.
> 
> Regards
> 
> Neil Fenemor
> 
> Senior Systems Administrator
> ThePacific.net Ltd.
> 
> 
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"

Do u use UDP-encapsulation? Coz when u use IPsec ESP, there is a
incompatability btw IPsec ESP and the NAT/PAT, also there is problem
with the checksum, the value of checksum is zero, so there is a little
imcompatibility with the NAT checksum functions.IPsec packet without
udp-encapsulation is like IP/esp/encrypted data/HA SH/ so there is and
error in esp, ipsec packet with udp-encapsulation looks like this:
IP/P a y l o a d/ - OK.

km

More information about the freebsd-hackers mailing list