NAT over IPSECed WLAN
Przemyslaw Szczygielski
qus2 at o2.pl
Mon Jan 16 05:30:10 PST 2006
> A diagram helps lots. Tell me if this is correct:
>
>      \|/ - - - - - - - \|/
>       |                 |
>    10.2.0.2          10.2.0.1 ndis0
>     WinXP            FreeBSD 6.0
>    client            x.x.x.x fxp0
>                          |
>                          +---------------> Internet
>
>       <==================>
IPSEC tunnel mode? + NAT!!!!
But plus NAT. Exactly.
> How have you configured IPSEC:
> (a) on the Windows XP box? and
> (b) on the FreeBSD box?
>
> I think you should be running IPSEC tunnel mode, so I'm guessing at the
> Windows XP side you have something like:
>
> ipseccmd -f 0=* -t 10.2.0.1 -a PRESHARE:"foo"
> ipseccmd -f *=0 -t 10.2.0.2 -a PRESHARE:"foo"
>
XP (configured by wizard, from MMC):
"InboundIPsec"  prot: ANY, src port: ANY, dst port: ANY, src IP: ANY/0, dst IP: MY/0
"OutboundIPsec" prot: ANY, src port: ANY, dst port: ANY, src IP: MY/0, dst IP: ANY/0
> And at the FreeBSD side you have in /etc/ipsec.conf
>
> spdflush;
> spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
> spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
>
BSD:
flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec esp/tunnel/10.2.0.1-10.2.0.2/require;
> Also, the output of 'tcpdump' on both ndis0 and fxp0, while you try to
> browse a website from the XP box, could be very enlightening.
>
Ermmm... on ndis0 I can only see encrypted content, but haven't
tried fxp0, thought nothing interesting will be happening, as I
can't browse from XP...
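A small consistency check for setkey SPD entries like the ones in this thread, added here as an example and not part of the original message: it parses spdadd statements (including ones wrapped across lines) and flags a client selector whose mask is wider than a single host, as with 10.2.0.2/8 versus the suggested 10.2.0.2/32. The two sample policy sets are constructed from the configurations quoted above.

```python
import ipaddress
import re

# Constructed samples: the /32 policies suggested in the thread and the /8
# policies the poster is actually running, both as setkey(8) SPD statements.
SUGGESTED_SPD = """\
spdadd 10.2.0.2/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/32 any -P out ipsec
esp/tunnel/10.2.0.1-10.2.0.2/require;
"""
POSTED_SPD = """\
flush;
spdflush;
spdadd 10.2.0.2/8 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.2.0.2-10.2.0.1/require;
spdadd 0.0.0.0/0 10.2.0.2/8 any -P out ipsec
esp/tunnel/10.2.0.1-10.2.0.2/require;
"""

SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+"
)

def parse_spd(text):
    """Return (src, dst, direction, tunnel_src, tunnel_dst) per spdadd
    statement; statements may wrap across lines, so whitespace is collapsed."""
    policies = []
    for stmt in " ".join(text.split()).split(";"):
        m = SPDADD.search(stmt)
        if m:
            policies.append(m.groups())
    return policies

def check_policies(policies):
    """Flag client selectors whose mask is wider than a single host (/32).
    The client is src for an 'in' policy and dst for an 'out' policy; the
    gateway is the tunnel endpoint on the other side."""
    findings = []
    for src, dst, direction, tunnel_src, tunnel_dst in policies:
        client = src if direction == "in" else dst
        gateway = ipaddress.ip_address(tunnel_dst if direction == "in" else tunnel_src)
        net = ipaddress.ip_network(client, strict=False)  # strips host bits
        if net.prefixlen != 32:
            findings.append(f"{direction}: {client} selects {net}, not one host")
        if gateway in net:
            findings.append(f"{direction}: {net} also covers gateway {gateway}")
    return findings
```

With the posted /8 entries, the check reports that 10.2.0.2/8 actually selects 10.0.0.0/8, which also contains the FreeBSD gateway's own 10.2.0.1; the suggested /32 entries produce no findings.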