freebsd vpn server behind nat dsl router
rjohanne at piper.hamline.edu
Wed Mar 7 23:22:33 UTC 2007
On Wed, 7 Mar 2007, Tom Judge wrote:
> Robert Johannes wrote:
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>>> My situations is rather unique, and I am needing an expert's eyes to
>>>> glance at it and confirm whether it is doable or not. I have a simple
>>>> diagram that illustrates what I am trying to do, and it is located here
>>>> (about 40k): http://www.hamline.edu/~rjohanne/lan.jpg
>>> I'm not sure I understood exactly what you want to do, but I think
>>> your setup is really common.
>>>> In the diag, the dsl modems have dynamic public IPs on the internet side,
>>>> and private IPs on the lan side.
>>> If both DSL modems have dynamic IPs, you'll have a first problem:
>>> being able to know the correct IP of your peer, then a second problem:
>>> being able to detect when peer's IP change.
>>> I'll consider you are able to do that.
>>>> As you can see in the diag, I am trying to have the vpn traffic from the
>>>> internet forwarded to the Freebsd vpn (the machines ending in .254 on
>>>> site). I have followed the Freebsd "VPN over Ipsec" in the handbook, and
>>>> created a tunnel between the two vpn servers; according to the handbook,
>>>> should be able to ping the vpn servers using their private network
>>>> addresses, but I am not able to do that. I realize that my
>>>> is not exactly like the handbook's, but what do I need to do to get it to
>>>> work? I have googled, and researched all over the net without much
>>>> I have seen a lot of messages related to nat and enabling vpn passthrough
>>>> on different dsl modems and so forth, which I have tried to do, but
>>>> no progress.
>>> Some information:
>>> - FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just
>>> forget that part and use directly IPSec tunnels without Gif
>>> - You'll probably need NAT-T support so your VPN tunnel will be more
>>> likely to work (well, it may work without NAT-T, but it is more
>>> complex and needs lots of constraints between both FreeBSD gates).
>>> Make a quick search on freebsd-net, get the kernel patch from
>>> http://ipsec-tools.sf.net/freebsd6-natt.diff, recompile your kernel
>>> with NAT-T support, reinstall your world, then recompile/reinstall
>>> ipsec-tools port.
>>> - When your tunnel will be up, you'll probably want to lower the
>>> TCPMSS for traffic which goes through the tunnel, but this is
>>> another story :-)
>> Thanks for your response. My FreeBSD VPN servers are behind the DSL
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> set up between the dsl modems and the vpn servers. E.g., when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> So, given that situation, I don't know if the NAT changes to the kernel you
>> are suggesting below would help, since NAT is happening on the dsl routers.
>> I am guessing my problem is between the vpn server and the dsl router's NAT
>> capability. I have done a tcpdump on the gif interface, and I can see the
>> ping requests being made across it, but there's no response. I don't even
>> know if the traffic is making it beyond the vpn box, let alone beyond the
>> dsl modem.
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>> So, any other insight into this situation?
> If you are using IPSec with ESP as per the handbook you will need to NAT the
> ESP packets back to the internal VPN routers. As ESP is an IP payload protocol,
> not a TCP/UDP payload protocol, your DSL router will probably not be able to
> do this.
Looking into adding nat-t to ipsec as we speak.
> I would suggest you go with Yvan's suggestion of doing away with gif and
> adding the nat-t support to ipsec. Alternatively you could use a UDP/TCP
> based vpn solution such as openvpn (in ports and http://openvpn.net/) which
> will be fully compatible with your NAT setup; openvpn will also be tolerant to
> remote end points changing IP address halfway while the vpn link is active,
> which comes in handy when used in combination with a dynamic dns service.
As far as openvpn goes, I looked into it in October or Nov. last year, and
it seemed not to be very scalable; I have 6 different offices that all
need to connect and chat with each other, and it didn't seem like openvpn
would allow for this to happen. I didn't investigate it much beyond that
when I learned that.
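The configuration Yvan and Tom describe (tunnel-mode IPsec with no gif interface, NAT-T so that ESP travels inside UDP 4500 and the DSL router only has to forward UDP ports, not protocol 50) as an added example; this is not from the thread, the FreeBSD handbook or ipsec-tools itself, and every address, network and the pre-shared key path are placeholders to replace with the site's own values. The two shell functions print the setkey(8) policy file and the racoon.conf for one gate; the other gate gets the same with the sides swapped.

```shell
#!/bin/sh
# Added example, not part of the thread. Generates the setkey SPD and the
# racoon.conf for a FreeBSD IPsec gate that sits behind a NAT'ing DSL router,
# using tunnel mode without gif and with NAT-T (ipsec-tools/racoon).
# Placeholders: all networks, addresses and the psk.txt path are assumptions.

LOCAL_NET=192.168.1.0/24    # site A LAN
LOCAL_GW=192.168.1.254      # site A gate, private address behind the DSL NAT
REMOTE_NET=192.168.2.0/24   # site B LAN
REMOTE_PUB=203.0.113.2      # site B DSL router's public address (from DynDNS)

# SPD for setkey(8): the tunnel endpoints are this gate's own private address
# and the peer's public address. With NAT-T the kernel wraps ESP in UDP/4500,
# so the DSL router only has to forward UDP 500 and UDP 4500 to LOCAL_GW.
gen_spd() {
    l_net=$1; l_gw=$2; r_net=$3; r_pub=$4
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$l_net" "$r_net" "$l_gw" "$r_pub"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$r_net" "$l_net" "$r_pub" "$l_gw"
}

# racoon.conf: listen on UDP 500 and the NAT-T port 4500, enable NAT-T and
# negotiate the SAs for the SPD above. Main mode with a PSK keys psk.txt by
# the peer's address, which here is the peer router's public address.
gen_racoon_conf() {
    l_gw=$1; r_pub=$2
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen {
        isakmp ${l_gw} [500];
        isakmp_natt ${l_gw} [4500];
}
remote ${r_pub} {
        exchange_mode main;
        nat_traversal on;
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Print both files; on the gate, feed the first to "setkey -c" and write the
# second to /usr/local/etc/racoon/racoon.conf before starting racoon.
gen_spd "$LOCAL_NET" "$LOCAL_GW" "$REMOTE_NET" "$REMOTE_PUB"
echo "----"
gen_racoon_conf "$LOCAL_GW" "$REMOTE_PUB"
```

Two checks worth doing before blaming the kernel or racoon: the DSL router has to forward UDP 4500 as well as UDP 500 (the thread only mentions 500), and `tcpdump -ni <lan-if> 'udp port 500 or udp port 4500 or proto 50'` on the gate shows which of the three actually arrive from the peer's public address; UDP/500 arriving with nothing on 4500 afterwards points at the missing forward, and bare protocol 50 leaving the gate means NAT-T was not negotiated. Because DynDNS can change REMOTE_PUB, the `remote` block and the psk.txt entry have to be regenerated and racoon reloaded when it does.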