NAT over IPSECed WLAN
Brian Candler
B.Candler at pobox.com
Mon Jan 16 04:45:40 PST 2006
On Mon, Jan 16, 2006 at 11:13:32AM +0100, Przemyslaw Szczygielski wrote:
> Well, for me the config is so complex, that I doubt anyone will
> waste time on going into my config files, but, well... There's
> always hope...
A diagram helps lots. Tell me if this is correct:
        \|/ - - - - - - - - - - \|/
         |                       |
    10.2.0.2                 10.2.0.1  ndis0
    WinXP                    FreeBSD 6.0
    client                   x.x.x.x   fxp0
                                 |
                                 +---------------> Internet

        <=======================>
          IPSEC tunnel mode?
> I have a working setup that has working NAT ("Client" sees Internet
> through NAT on "Gateway", configured as default gateway on
> Windows), when IPSEC is turned off.
>
> I also have working IPSEC between these two machines (they can ping
> each other) but then NAT stops working (but "Gateway" still connects
> to the Internet, so i.e. I can putty from "Client" to "Gateway", it
> goes through IPSECed WLAN, and from putty use Lynx to browse. But
> can't browse internet on "Client".
>
> So to make it short: IPSEC working = no NAT. IPSEC off = NAT working.
It's possible that IPSEC isn't configured properly, since you have IPSEC
only ever working between the two endpoints.
How have you configured IPSEC:
(a) on the Windows XP box? and
(b) on the FreeBSD box?
I think you should be running IPSEC tunnel mode, so I'm guessing at the
Windows XP side you have something like:
ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
And at the FreeBSD side you have in /etc/ipsec.conf
spdflush;
spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
browse a website from the XP box, could be very enlightening.
Regards,
Brian.
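As an added illustration (not part of the original mail), the following Python model parses the two spdadd policies quoted above and shows which packets on the gateway would be expected inside the ESP tunnel and which stay cleartext; the destination address 198.51.100.10 is a constructed sample, and the first-match rule is an assumption of this model rather than a statement about the FreeBSD 6.0 kernel.

```python
import ipaddress
import re

# Constructed copy of the two policy lines quoted in the mail (FreeBSD setkey syntax).
IPSEC_CONF = """
spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
"""

# Only the esp/tunnel form used in the mail is handled here.
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;"
)


def parse_spd(text):
    """Parse spdadd lines into policy dicts (src/dst selectors, direction, tunnel ends)."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, upper, direction, proto, tsrc, tdst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "upper": upper,
            "dir": direction,
            "proto": proto,
            "tunnel": (tsrc, tdst),   # outer header (src, dst) of the ESP packet
            "level": level,           # "require" means the packet must be protected
        })
    return policies


def classify(policies, direction, src, dst):
    """Return the tunnel endpoints a packet's selectors match, or None for cleartext.
    Assumption of this model: the first matching policy wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p["tunnel"]
    return None


if __name__ == "__main__":
    pol = parse_spd(IPSEC_CONF)
    # Client to Internet, arriving on ndis0: expected inside the tunnel.
    print("in  10.2.0.2 -> 198.51.100.10:", classify(pol, "in", "10.2.0.2", "198.51.100.10"))
    # Reply after NAT has rewritten the destination back to the client: tunnelled out.
    print("out 198.51.100.10 -> 10.2.0.2:", classify(pol, "out", "198.51.100.10", "10.2.0.2"))
    # The gateway's own (or NAT-translated) traffic on fxp0 matches neither policy.
    print("out 10.2.0.1 -> 198.51.100.10:", classify(pol, "out", "10.2.0.1", "198.51.100.10"))
```

The last case is the one to compare against a tcpdump on fxp0: translated traffic leaving the gateway should appear there as plain IP, not ESP.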