NAT over IPSECed WLAN
Przemysław Szczygielski
qus2 at go2.pl
Mon Jan 16 11:56:27 PST 2006
Hi Brian,
In your letter dated 16 January 2006 (16:04:32) one can read:
> On Mon, Jan 16, 2006 at 02:30:08PM +0100, Przemyslaw Szczygielski wrote:
>> > ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
>> > ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
>> >
>>
>> XP: (configured by wizard, from MMC):
>>
>> "InboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP:
>> ANY/0, dst IP: MY/0
>>
>> "OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP:
>> MY/0, dst IP: ANY/0
> But if you've not given any tunnel endpoints, then you have configured
> *transport* mode, and that won't work for communicating with arbitrary hosts
> on the Internet.
> Perhaps you've got tunnel mode (I guess you must if you have tunnel mode in
> your SPD), but I'd still prefer working from the command line. To get
> ipseccmd.exe run setup.exe from the \support\tools directory on the XP SP2
> CD.
Well - both ways work. The one from the wizard and the one by
ipseccmd. The difference is I don't know how to deactivate ipseccmd
filters ;-)
> Note that in XP you can give 'MY' as a policy source/destination ('0' in
> ipseccmd), but not as a tunnel endpoint. You must give the explicit IP
> address, as in the -t example above.
>> flush;
>> spdflush;
>> spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec
>> esp/tunnel/10.2.0.2-10.2.0.1/require;
>> spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec
>> esp/tunnel/10.2.0.1-10.2.0.2/require;
> 10.2.0.2/8 can never match any IP address, but perhaps the kernel masks it
> silently to 10.0.0.0/8
Ah, my fault. That's corrected now. But didn't help.
>> > Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
>> > browse a website from the XP box, could be very enlightening.
>> >
>> Ermmm... on ndis0 I can only see encrypted content, but haven't
>> tried fxp0, thought nothing interesting will be happening, as I
>> can't browse from XP...
> Not true. Seeing what packets are sent out to the Internet, even if nothing
> comes back, is definitely interesting. It would show, for example, if your
> NAT isn't working.
> Even if nothing at all goes out of fxp0, that is also interesting. It shows
> your tunnel is not configured correctly. (Presumably you do have IP
> forwarding turned on, since the gateway works in the absence of IPSEC)
> I suggest you don't "browse" from XP: start by sending pings. Then you have
> a steady stream of packets, and DNS doesn't get in the way either.
From XP I pinged 10.2.0.1 with IPSEC on
tcpdump -i ndis0 host 10.2.0.2 on 10.2.0.1 showed encrypted packets
tcpdump -i fxp0 host 10.2.0.2 on 10.2.0.1 showed nothing...
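The SPD mistakes discussed in this thread (a selector like 10.2.0.2/8 with host bits set, transport mode used for traffic to arbitrary hosts, and in/out tunnel endpoints that do not mirror each other) can be caught before loading the file into setkey. The following linter is an added example, not code from the thread or from FreeBSD; it assumes the plain `spdadd src dst proto -P dir ipsec esp/mode[/src-dst]/level;` form without `[port]` suffixes.

```python
"""Lint setkey(8) SPD statements for the mistakes discussed above (added example)."""
import ipaddress
import re

# Matches: spdadd SRC DST PROTO -P in|out ipsec PROT/MODE[/TSRC-TDST]/LEVEL
# Assumption: selectors carry no "[port]" suffix, one policy per -P clause.
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+(?:ipsec\s+)?"
    r"\w+/(tunnel|transport)(?:/([\d.]+)-([\d.]+))?/+\w+")


def parse(cfg):
    """Return one dict per spdadd statement; statements are ';'-terminated."""
    entries = []
    for stmt in cfg.replace("\n", " ").split(";"):
        m = SPDADD.search(stmt)
        if m:
            src, dst, direction, mode, t_src, t_dst = m.groups()
            entries.append({"src": src, "dst": dst, "dir": direction,
                            "mode": mode, "tun": (t_src, t_dst)})
    return entries


def lint(cfg):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    entries = parse(cfg)
    for e in entries:
        for sel in (e["src"], e["dst"]):
            try:
                ipaddress.ip_network(sel)   # strict: rejects 10.2.0.2/8
            except ValueError:
                problems.append(f"{e['dir']}: selector {sel} has host bits set, matches nothing")
        if e["mode"] == "transport" and "0.0.0.0/0" in (e["src"], e["dst"]):
            problems.append(f"{e['dir']}: transport mode cannot carry traffic to arbitrary hosts")
    # An 'in' tunnel A-B needs an 'out' tunnel B-A on the same gateway.
    outs = [e for e in entries if e["dir"] == "out" and e["mode"] == "tunnel"]
    for i in (e for e in entries if e["dir"] == "in" and e["mode"] == "tunnel"):
        if not any(o["tun"] == (i["tun"][1], i["tun"][0]) for o in outs):
            problems.append(f"in tunnel {i['tun'][0]}-{i['tun'][1]} has no mirrored out policy")
    return problems


if __name__ == "__main__":
    # Constructed from the SPD posted in the thread.
    THREAD_CFG = """flush;
    spdflush;
    spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
    spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;"""
    for p in lint(THREAD_CFG):
        print("problem:", p)
```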