IPSec+VPN+ipfw questions

Oleg Semyonov os at front.ru
Mon Jun 23 22:52:59 PDT 2003

1. I'm using FreeBSD as a gateway+firewall which uses NAT (natd) to connect
internal LAN to the Internet. So, gateway_enable=YES is set because it is
required to use natd.

2. I prefer to use IPSec, and not PPTP, as I can configure it on W2K using
AD policies, so I don't have to set it up manually using wizards or suchlike.

3. I have a LAN where some machines have to use FreeBSD as gateway to the
Internet, and some do not. All machines are in a common subnet, so the physical
route cannot be disabled for those machines. I think there is no problem
here as I can set up a VPN transport for some IP/MAC addresses and block all
traffic from the others. Note there is no tunnel for the subnet - W2K-to-FreeBSD
peer-to-peer only.

The real problem is that I need to look into each IPSec-transported packet
on the gateway machine after it is decrypted to divert it to natd. Also, I'm
using some counters such as 'count tcp from me 3128 to peer' (Squid
traffic), etc. When all packets from the local Squid are tunneled using IPSec
the rule above always shows 0, as the packets are encapsulated into the esp
protocol before being captured by ipfw. And the working rule will be 'count esp
from me to peer', which does not give any information about the properties of
the packet (source IP/port and so on).

So, the question was: how to look into and count (using ipfw) those packets
before they are encrypted by IPSec?

4. racoon is working, and, of course, I don't need the gif interface as I
don't create a tunnel for the subnet. The problem I mentioned is that when the
traffic flow stops for some time and then resumes, racoon or the W2K machine
wants rekeying, and sometimes there is a long time delay before the
rekeying takes place. I read this in FAQs and in fact I see the effect in my

I agree that some FAQs are not very accurate. All of them recommend using
only the MD5 hash with W2K machines, but I really see that the SHA1 hash works.

Can you give a working example of a racoon configuration that works fine
with W2K?

Thanks for the answers!

----- Original Message -----
From: "Brent Wiese" <brently at bjwcs.com>
To: "'Oleg Semyonov'" <os at front.ru>; <freebsd-questions at freebsd.org>
Sent: Tuesday, June 24, 2003 4:26 AM
Subject: RE: IPSec+VPN+ipfw questions

A few things come quickly to mind...

First, you need "gateway_enable=YES" in your rc.conf... I think. I know you
need it for MPD (pptp tunneling).

Second, you cannot have physical routes to the remote side "private"

> 1) Is it possible to use ipfw rules to count different kinds
> of traffic from legitimate computers, divert it to natd and
> block all other packets across the LAN? There are ESP
> protocol packets which I can filter, but it seems they are
> not processed after decryption by ipfw rules. So, no
> counters, no divert, etc.

You should use ipfw to, at the very least, only allow legit tunnel traffic
to pass to/from the "public" and "private" NICs.

> 2) What is the best solution for IKE daemon? I've tried
> racoon (it works but there are some strange situations with
> Windows 2000 machines which are mentioned somewhere), and
> isakmpd (it has not very obvious syntax for their policy and
> conf files - how to create a minimal working configuration
> for a number of peer machines which use different preshared
> keys for IKE exchange)?

Racoon works fine if set up correctly. Most of the FAQ's are wrong,
especially when they discuss setting up gif() and then racoon. You don't need
gif(). I seem to remember something about using MD5 as the hash, but it's
been a while... Maybe it was that my router only supported MD5 for its
vpn-passthru stuff...

> 3) In fact, it is not required for me to use VPN solutions.
> All I need is to authenticate each legitimate machine (or
> user - that is better). IP+MAC addresses may be forged. I can
> use socks proxy, but there is no standard secured
> authentication which is supported by a number of different
> internet tools. And I don't wish to have a complicated setup
> of each client machine. So, VPN seems to be the best solution
> as their policies for W2K clients may be specified via Active
> Directory.

IPSEC is probably the best way. Since the other side is Windows, you may
consider using MPD and use PPTP instead of IPSEC. It's a little easier to
deal with on the Windows side since setup is all gui-wizards.
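Added example (not posted by either participant): a minimal transport-mode racoon setup of the kind asked for above, for one Windows 2000 peer authenticated with a preshared key, with no gif interface and host-to-host SPD entries only. The addresses (192.0.2.1 for the FreeBSD gateway, 192.0.2.10 for the W2K client), file paths and the key are assumptions for illustration; the algorithm choice (3DES, SHA1, DH group 2, main mode) follows the usual Windows 2000 IKE defaults and the poster's own observation that SHA1 works. `proposal_check obey` makes racoon accept the lifetime the W2K side proposes, so both ends agree on when rekeying is due.

```conf
# --- /usr/local/etc/racoon/racoon.conf ---
# Assumed addresses: 192.0.2.1 = FreeBSD gateway, 192.0.2.10 = W2K client.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
        isakmp 192.0.2.1 [500];
}

remote 192.0.2.10 {
        exchange_mode main;           # W2K with a preshared key uses main mode
        my_identifier address;        # both sides identify themselves by IP
        proposal_check obey;          # accept the lifetime proposed by the peer
        lifetime time 8 hour;         # usual W2K phase-1 default
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;  # SHA1 works with W2K, as observed above
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 1 hour;         # usual W2K phase-2 default
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# --- /usr/local/etc/racoon/psk.txt (mode 0600, owned by root) ---
# identifier (peer address, since my_identifier is "address")   key
192.0.2.10      ReplaceThisWithALongRandomSecret

# --- /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf" ---
# Transport-mode SPD entries: no tunnel, this host to the W2K peer only.
flush;
spdflush;
spdadd 192.0.2.1 192.0.2.10 any -P out ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.1 any -P in ipsec esp/transport//require;
```

The W2K policy pushed through AD has to mirror this: the same preshared key, main mode 3DES/SHA1/DH Medium (2), and a filter rule for 192.0.2.10 <-> 192.0.2.1 with an ESP 3DES/SHA1 security method set to require security. Keep psk.txt unreadable to anyone but root, since racoon refuses a world-readable key file and the key authenticates every peer in it.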
