Using racoon-negotiated IPSec with ipfw and natd

Crist J. Clark cristjc at comcast.net
Thu Oct 30 14:43:28 PST 2003


On Thu, Oct 30, 2003 at 03:05:09PM -0600, Mark Johnston wrote:
> [ -netters, please Cc me or security@ with replies. ]
> 
> I'm running into trouble integrating dynamic racoon-based IPSec into a network
> with ipfw and natd.  I need to be able to allow VPN access from any address
> from authenticated clients.  I've got the dynamic VPN working, with racoon
> negotiating SAs and installing SPs, but the problem is that I can't tell
> whether an incoming packet on the internal interface should go through natd or
> not.
> 
> The problem looks like this.  I have 3 boxes, mobile, gateway, and internal,
> and I'm trying to ping internal from mobile.
> 
> - gateway receives an ESP packet from mobile (encapsulating a ping).
> - gateway decrypts and transmits an ICMP packet to internal with mobile's
>   source address.
> - internal generates the ICMP response to mobile.
> - gateway receives the response, runs it through natd, and sends it out in the
>   clear to mobile with gateway's source address.
> 
> The packet is going out in the clear because after natd rewrites it, its source
> address is gateway's external interface - not part of the SP.

This shouldn't happen. IPsec processing of the outgoing packet happens
_before_ it gets passed to ipfw(8) (which hands it to natd(8)) on the
external interface.

> What I want to
> accomplish, in pseudo-ipfw, is this:
> 
> pass esp from any to me
> pass ip from known-sp-sources to 192.168.0.0/24
> pass ip from 192.168.0.0/24 to known-sp-destinations
> divert natd from 192.168.0.0/24 to any

This may be your problem. That rule should be something like,

  divert natd from 192.168.0.0/24 to any via ${external_if}

Is that what you actually have? Are you doing NAT on the internal
interface? That would confuse things.

> deny ip from any to 192.168.0.0/24
> pass ip from me to any keep-state
> 
> All I'm missing is the known-sp definitions.  If anyone has any pointers on
> doing this, please share.  If I'm going about it totally bass-ackwards, I'd
> like to hear that too.  :)
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
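The reply above points at a divert rule that is not bound to the external interface. As an added example (not part of the original thread, and not FreeBSD's own tooling), the following shell function lints an ipfw ruleset, either the lines of a firewall script or the output of `ipfw list`, and reports any `divert natd` (or `divert <port>`) rule that carries no `via`/`xmit`/`recv` interface qualifier. The two sample rulesets and the interface name `fxp0` are constructed for the example.

```shell
# check_divert_rules: read ipfw rules on stdin and print every divert rule
# that is not bound to an interface with via/xmit/recv. Returns 1 if any
# such rule is found, 0 otherwise. Works on script lines ("divert natd ip
# from ...") and on `ipfw list` output ("00050 divert 8668 ip from ...").
check_divert_rules() {
    awk '
        /divert[ \t]+(natd|[0-9]+)[ \t]/ {
            if ($0 !~ /[ \t](via|xmit|recv)[ \t]/) {
                printf "unbound divert rule: %s\n", $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the divert rule as quoted in the thread, with no
# interface qualifier, so internal-interface traffic can hit natd too.
BAD_RULES='pass esp from any to me
divert natd ip from 192.168.0.0/24 to any
deny ip from any to 192.168.0.0/24'

# Constructed sample: the same ruleset with the divert bound to the external
# interface, as the reply suggests (fxp0 is an assumed interface name).
GOOD_RULES='pass esp from any to me
divert natd ip from 192.168.0.0/24 to any via fxp0
deny ip from any to 192.168.0.0/24'

# Stand-alone usage: lint both samples and the live ruleset if ipfw exists.
if [ "${CHECK_DIVERT_DEMO:-1}" = 1 ]; then
    printf '%s\n' "$BAD_RULES" | check_divert_rules || echo "BAD_RULES: fix the divert rule"
    printf '%s\n' "$GOOD_RULES" | check_divert_rules && echo "GOOD_RULES: ok"
    if command -v ipfw >/dev/null 2>&1; then
        ipfw list | check_divert_rules && echo "live ruleset: ok"
    fi
fi
```

Run it on a box with ipfw as `ipfw list | sh -c '. ./check_divert.sh; check_divert_rules'` (or just source the script); a non-zero exit flags a divert that will also see packets arriving on or leaving via the internal interface.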