IPSEC with IPNAT conundrum

Carl Morley carlm at webize.com.au
Wed Jun 25 12:18:11 PDT 2003


Hello All,
Below is a question I posted to the ipfilter mailing list, but the silence
was deafening... Apologies for the 'not very ISP' problem on this list.
I track this list and thought someone might be able to shed some light.
Even if it is 'this is not feasible'!

I have set up an IPSEC connection from company (A) to another (B) by
connecting from (A)'s FreeBSD 4.8-STABLE firewall running IPFILTER &
IPNAT plus racoon to (B)'s Watchguard Firebox SOHO6.  All works well
when connecting *one* subnet at (A) to the subnet at (B).

But the (A) network is quite extensive, comprising many private subnets.
To expect the IPSEC-connected companies, e.g. (B), to maintain a list of
(A)'s subnets so that the IPSEC policies work is not practical.  So I
figured that companies like (B) should just see (A) as one subnet, and (A)
would NAT on the firewall.  Was that an OK idea?  Seemed easy enough at the
time...

OK - the setup is this....

Private IP   |    (A)   |    |          |    |    (B)   |   Private IP
subnets at---| FIREWALL |----| INTERNET |----| FIREWALL |---subnet at
company (A)  |          |    |          |    |          |   company(B)

Firewall (B) is expecting all IPSEC traffic to be coming from the public
IP address on Firewall (A), as tunnelled private IP subnet
10.99.99.0/30 to (B)'s private IP address subnet 192.168.100.0/24.

I am trying to NAT all the internal subnets at (A) to 10.99.99.1.  But
it does not seem to work whichever way I try.

Questions:

1.  On which interface should I alias the 10.99.99.1 IP on Firewall (A)?
Choices seem to be internal (fxp2), external (fxp1), loopback (lo0) or
some gif0 combination with the above.  Any other suggestions?  BTW,
usually I would not bother with using the gif interfaces with racoon.
All the IPSEC tunnels I have set up to date have been single subnet to
single subnet.  Wondered if mucking about with the gif i/f might help
with the NAT issue.  Except I cannot seem to get IPNAT to discern a
clear direction of traffic flow on the gifs that I have set up thus
far.

2.  Having completed step 1, what should my NAT rule(s) look like?
Given that they should be policy based (I think), e.g. if connecting to
(B), use this NAT rule.

Looking forward to *any* pointers!

Regards,
Carl.