Filtering on IPSEC
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Jan 12 07:55:46 UTC 2012
On 12. Jan 2012, at 07:29 , Alex Dupre wrote:
> Bjoern A. Zeeb ha scritto:
>> Need more input. A) why are using gif? B) are you using transport mode?
>
> I'm using gif, because the official FreeBSD documentation says so (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html). My configuration is very similar to what described in that page. If that's not the correct way, I'll fix the documentation after understanding the right procedure.
It's not and hasn't been in ... I think there was someone fixing the documentation actually lately... I'll ping people and see where that went.
> I'm using tunnel mode for network to network vpn.
If you are using tunnel mode and gif you'll have trouble; just use tunnel mode without gif and you'll be happy.
>> NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.
>
> Can you elaborate a little more about the reason ipfw can and pf cannot? Is it because with ipfw/nat the packet is reinjected with the translated src IP and so matched by SPD? Currently, with my setup and pf, I faced exactly these two problems (SPD match before translation and i/o on different interfaces).
It's because (our) pf cannot NAT on incoming but only on outgoing interfaces. And you need to NAT on packet entry into the system...
> I think it's not so uncommon that the two networks may collide, so assigning a "good" ip to one endpoint gateway and making NAT on it should be well documentated in our handbook. If you give me a hint on how this could be achieved with ipfw I'll update the docs accordingly.
The answer is use IPv6 and ... oh wait.. not the answer you wanted to hear;)
I haven't done it in probably 5 years or so now but basically you setup the nat on the incoming (probably your inside) interface and take care of localhost as much as needed.
/bz
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!
More information about the freebsd-net
mailing list