ipfw, IPSec, and natd

Devin Heckman terrio at rescomp.berkeley.edu
Wed Jun 7 14:34:17 PDT 2006 

Hi,

Removing the ah requirement from my ipsec.conf did indeed solve the
problem, which makes me conclude that natd must be rewriting the ah in
such a way that IPSec can no longer decode it properly. This is
important, I suppose I'll shoot off an email to someone who does natd
work or a related group.

Thanks a bunch for your help.

Best,

--
Devin Heckman

On 13:58 Wed 07 Jun     , Toni Schmidbauer wrote:
> At Wed, 7 Jun 2006 01:35:16 -0700,
> Devin Heckman wrote:
> > has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> > when all three run at once with the "divert" rule enabled (if I'm right,
> > it's because natd is rewriting some information in packets which makes
> > IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> > know even how to begin fixing natd).
> > 
> > myrouter = 192.168.0.10, 10.0.0.1
> > mynatbox1 = 10.0.0.2
> > mynatbox2 = 10.0.0.3
> > mynfsbox = 192.168.0.11
> > 
> >                    IPSec
> >         mynfsbox <--------> myrouter
> >                                 | not IPSec
> >                                 |<---------> mynatbox1
> >                                 |<---------> mynatbox2
> > 
> > /usr/local/etc/ipsec.conf:
> > 
> > spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
> > spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;
> 
> could your repost your excellent description to freebsd-question@? i am
> not that kind of an ipsec guru, my setup locks a bit different. for
> sure there are ipsec gurus on the ml.
> 
> your ipfw rules show that you divert every packet over sis0 to
> natd. i would try to specify only those addresses which should get
> rewritten by natd (in your case 192.168..). so packets sent from
> myrouter to mynfsbox do not pass natd.
> 
> another thing i would try is to disable ah (just remove
> ah/transport//require) from your ipsec.conf file. ah is not necessary
> for an encrypted connection, it provides protection against replay
> attacks. 
> 
> hth,
> toni
> -- 
> If you understand what you're doing, you're | toni at stderror dot at
> not learning anything.                      | Toni Schmidbauer
> -- Anonymous                                |
>

More information about the freebsd-net mailing list