IPSec, ipfw, and natd

Devin Heckman terrio at rescomp.berkeley.edu
Fri Jun 2 16:14:53 PDT 2006


I recently tried to set up a computer to act as a NAT using FreeBSD 6.1. ipfw
functions as it should, as does IPSec, but I've run into some problems when
setting up the NAT. I have two computers behind it, neither of which needs to
speak IPSec (and neither is configured to do so). The NAT computer should speak
IPSec with one other computer, from which it mounts home directories via NFS.

When I enable natd, ipfw, and IPSec, the connection to the computer with which I
speak IPSec breaks, but the NAT functions properly (I can ping everything except
the IPSec-speaking NFS server).

My ipfw rules look like this:

$cmd 0001 allow udp from any to any isakmp
$cmd 0002 allow esp from $ipsec_servers to me
$cmd 0003 allow ah from $ipsec_servers to me
$cmd 0004 divert natd all from any to any via sis0


$cmd 0015 allow icmp from any to any
$cmd 9900 allow all from me to any
$cmd 9910 allow all from any to any established
$cmd 9999 deny log all from any to me

And natd.conf, which natd reads when it is started by the rc scripts, looks
like this:

port 8668
interface sis0
log yes

Does anyone have any experience with problems such as this?

Feel free to ask for anything else that may clarify the problem.


Devin Heckman
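One first thing to check, as an added example and not part of the original post: on FreeBSD, packets that ipfw sees after ESP decapsulation and packets the gateway itself sends to the IPsec peer are evaluated by the ruleset like any other traffic, so a `divert natd` rule that sits ahead of any rule matching the peer will hand that traffic to natd. The ruleset below (an assumption about the cause, not something confirmed by the post) passes all traffic between the gateway and the peer before the divert rule so natd never sees it. `$ext_if` and `$ipsec_servers` are assumed names; the `IPFW_CMD` default only prints the rules so the script runs without root or ipfw installed.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: generate an ipfw ruleset that keeps
# traffic between the gateway and its IPsec peer away from natd.
# IPFW_CMD defaults to a dry run that prints each rule; set it to
# "ipfw -q add" on a real gateway.
IPFW_CMD="${IPFW_CMD:-echo ipfw -q add}"

# build_rules EXT_IF IPSEC_SERVERS
#   EXT_IF         outside interface (e.g. sis0)          -- assumed name
#   IPSEC_SERVERS  IPsec peer address(es), e.g. 10.0.0.5  -- assumed name
build_rules() {
    ext_if="$1"
    ipsec_servers="$2"
    cmd="$IPFW_CMD"
    # Key exchange and the encapsulated packets themselves.
    $cmd 0001 allow udp from any to any isakmp
    $cmd 0002 allow esp from $ipsec_servers to me
    $cmd 0003 allow ah from $ipsec_servers to me
    # Cleartext to and from the peer (including NFS payload that reappears
    # after ESP decapsulation) is accepted here, before the divert rule,
    # so natd never rewrites it.
    $cmd 0004 allow ip from $ipsec_servers to me
    $cmd 0005 allow ip from me to $ipsec_servers
    # Everything else goes through natd as before.
    $cmd 0010 divert natd all from any to any via $ext_if
    $cmd 0015 allow icmp from any to any
    $cmd 9900 allow all from me to any
    $cmd 9910 allow all from any to any established
    $cmd 9999 deny log all from any to me
}

# peer_rules_precede_divert EXT_IF IPSEC_SERVERS
# Succeeds only if the rule accepting the peer's cleartext comes before the
# divert rule in the generated ruleset (rule order is what matters to ipfw).
peer_rules_precede_divert() {
    rules=$(build_rules "$1" "$2")
    allow_line=$(printf '%s\n' "$rules" | grep -n "allow ip from $2 to me" | head -n 1 | cut -d: -f1)
    divert_line=$(printf '%s\n' "$rules" | grep -n 'divert natd' | head -n 1 | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$divert_line" ] && [ "$allow_line" -lt "$divert_line" ]
}

# Dry run: print the ruleset for sis0 with a constructed peer address.
build_rules sis0 10.0.0.5
```

Rule numbers are arbitrary; only their relative order matters. If the peer's traffic still fails with this ordering, the problem is not natd seeing it, and the next thing to look at is the SPD entries (setkey -DP) and whether the NFS packets are actually being matched by the policy.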
