ipfw, IPSec, and natd

Devin Heckman terrio at rescomp.berkeley.edu
Wed Jun 7 01:50:03 PDT 2006


Hi,

Here's a little diagram with some background on this network. "myrouter"
has ipfw, IPSec, and natd running, and fails to mount NFS from mynfsbox
when all three run at once with the "divert" rule enabled (if I'm right,
it's because natd is rewriting some information in packets which makes
IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
even know how to begin fixing natd).

myrouter = 192.168.0.10, 10.0.0.1
mynatbox1 = 10.0.0.2
mynatbox2 = 10.0.0.3
mynfsbox = 192.168.0.11

                   IPSec
        mynfsbox <--------> myrouter
                                | not IPSec
                                |<---------> mynatbox1
                                |<---------> mynatbox2

/usr/local/etc/ipsec.conf:

spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;

Thanks for your response.

Best,


-- 
Devin Heckman

On 01:53 Wed 07 Jun, Toni Schmidbauer wrote:
> At Mon, 5 Jun 2006 17:09:54 -0700,
> Devin Heckman wrote:
> > I recently tried to set up a computer to act as a NAT using FreeBSD 6.1. ipfw
> > functions as it should, as well as IPSec, but I've run into some problems when
> > setting up the NAT. I have two computers behind it, neither of which needs to
> > speak IPSec (and neither is configured to do so). The NAT computer should speak
> > IPSec with one other computer, from which it mounts home directories via NFS.
> 
> please show us your spd entries (/etc/ipsec.conf), and depict your
> network layout more clearly (e.g. sample ip-addresses for nat machine,
> nfs server, client machines...).
> 
> > When I enable natd, ipfw, and IPSec, the connection to the computer with which I
> > speak IPSec breaks, but the NAT functions properly.
> 
> if your ipsec packets get rewritten by natd ah will not work because of
> changes in the ip header by natd. but i'm not sure if this is your particular
> problem.
> 
> toni
> -- 
> If you understand what you're doing, you're | toni at stderror dot at
> not learning anything.                      | Toni Schmidbauer
> -- Anonymous                                |
> 
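
An added example, not part of the thread and not the poster's own ruleset: an
ipfw ruleset for "myrouter" that passes the AH and ESP packets between
192.168.0.10 and 192.168.0.11 before the "divert" rule, so natd never sees
them. AH's integrity check covers the IP header, which is why a natd rewrite
breaks it (Toni's point above); ESP leaves the header alone, but in transport
mode the TCP/UDP checksum inside still covers the original addresses. The
interface names (fxp0 outer, fxp1 inner), natd's default divert port 8668 and
the stateful rules after the divert are assumptions, not details from the
thread. The script only echoes the rules unless FWCMD is set.

```sh
#!/bin/sh
# Added example for the thread above: not the poster's ruleset and not from
# FreeBSD's rc.firewall. An ipfw ruleset for "myrouter" that accepts the
# IPsec traffic to mynfsbox *before* the divert rule, so natd never sees it.
# Assumed, not stated in the thread: fxp0 is the outer interface (192.168.0.10),
# fxp1 the inner one (10.0.0.1), natd listens on its default divert port 8668.
# Dry run by default (rules are echoed); load them as root with
#   FWCMD="ipfw -q" sh ipsec-nat.rules

ext_if="fxp0"
int_if="fxp1"
router_ext="192.168.0.10"   # myrouter's outer address, the IPsec endpoint
nfsbox="192.168.0.11"       # mynfsbox
lan="10.0.0.0/24"           # mynatbox1, mynatbox2
natd_port="8668"

# emit_rules CMD: feed every rule to CMD ("ipfw -q" to load, "echo" to show).
emit_rules() {
    fwcmd="$1"   # deliberately unquoted below so "ipfw -q" splits into words
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    # Private addresses must never arrive on the outer interface.
    $fwcmd add 150 deny ip from $lan to any in via $ext_if

    # AH's ICV covers the IP header, so a header rewritten by natd fails
    # verification; ESP leaves the header alone, but in transport mode the
    # TCP/UDP checksum inside it still covers the original addresses.
    # So pass the IPsec packets in both directions before the divert rule.
    $fwcmd add 200 allow esp from $router_ext to $nfsbox
    $fwcmd add 210 allow esp from $nfsbox to $router_ext
    $fwcmd add 220 allow ah from $router_ext to $nfsbox
    $fwcmd add 230 allow ah from $nfsbox to $router_ext
    # IKE, only needed if the SAs are negotiated (e.g. by racoon) rather
    # than loaded as manual keys with setkey.
    $fwcmd add 240 allow udp from $router_ext 500 to $nfsbox 500
    $fwcmd add 250 allow udp from $nfsbox 500 to $router_ext 500

    # Whatever still crosses the outer interface is handed to natd. Packets
    # natd writes back re-enter ipfw at the rule after this one, so the
    # rules below are what finally pass translated traffic.
    $fwcmd add 300 divert $natd_port ip from any to any via $ext_if

    # Stateful policy for everything else: the LAN and the router itself may
    # open connections outward; only replies come back in. Replies to LAN
    # hosts have already been translated by rule 300 when they reach
    # check-state, so they match the state created on the inner interface.
    $fwcmd add 400 check-state
    $fwcmd add 410 allow ip from $lan to any in via $int_if keep-state
    $fwcmd add 420 allow ip from $router_ext to any out via $ext_if keep-state
    $fwcmd add 65000 deny log ip from any to any
}

emit_rules "${FWCMD:-echo}"
```

The order is the whole point: once rules 200-230 sit in front of rule 300,
the router's own AH/ESP packets are accepted stateless in both directions and
the divert rule only ever sees traffic that actually needs translation. If
mounting still fails with this ordering, natd is not the cause; the next
things to look at are setkey -D (are the SAs actually installed on both ends)
and tcpdump on fxp0 for protocol 50 and 51, to see whether the AH/ESP packets
leave the box at all.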


