freebsd vpn server behind nat dsl router
Robert Johannes
rjohanne at piper.hamline.edu
Wed Mar 7 23:15:02 UTC 2007
On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
> On Wed, Mar 07, 2007 at 12:04:17PM -0600, Robert Johannes wrote:
>> Thanks for your response. My freebsd vpn servers are behind the dsl
>> routers at each site. The modems have firewall and NAT turned on.
>> The vpn servers are part of the local LANs, and I have port-forwarding
>> setup between the dsl modems and the vpn servers. E.g., when traffic comes
>> from the internet destined for port 500, I forward that traffic to the vpn
>> servers (192.168.x.254 on the diagram).
>
> If your redirection only works for port 500, it won't be enough, as it
> will only allow IKE negotiations, not encrypted traffic.
>
> You'll have to add forwarding for ESP protocol, or use NAT-T patch and
> also forward UDP 4500 port.
Yeah, I have been trying to figure out how to forward protocols 47, 50 and
51 to the vpns without knowing whether it is successful or not. So, on to
nat-t then.
>
>
>> The freebsd servers are not running a firewall or NAT at this point. I
>> don't think they need to run NAT, but I haven't decided on the firewall
>> yet.
>>
>> So, given that situation, I don't know if the NAT changes to the kernel
>> you are suggesting below would help, since NAT is happening on the dsl
>> routers. I am guessing my problem is between the vpn server and the dsl
>> router's NAT capability. I have done a tcpdump on the gif interface, and
>> I can see the ping requests being made across it, but there's no response.
>> I don't even know if the traffic is making it beyond the vpn box, let
>> alone beyond the dsl modem.
>
> The NAT-T patch I was talking about adds the kernel part of an *IPSec*
> feature: support for NAT-Traversal extension (RFCs 3947 and 3948),
> which allows IPSec tunnels to be established if there is some NAT
> between IPSec gates.
>
> This is exactly your setup.
Cool. My response above was based on not really understanding how nat
played havoc on my vpn design. It sounds like NAT-T is what I should be
doing then. Do you know if the patch was included in the 6.1 and 6.2
releases? Or perhaps in current/stable? It would be faster for me to
reload, rather than making world; the machines I am working with are AMD
K6 500MHz CPUs, with 186 megs of RAM.
>
> The tcpdump on your GIF interface will only show you that FreeBSD
> correctly routes the packet to that interface.....
>
>
>> About dynamic ip: The dsl routers have been configured to use the dyndns
>> service, and each time the ip address changes, dyndns is updated as well.
>
> You'll still have the problem "detecting when the peer's IP change".
I don't know yet how I will handle this, but I could probably create a
script that monitors for a change in the IP address and re-initializes VPN
services with the new IP.
>
>
>
> Yvan.
>
> --
> NETASQ
> http://www.netasq.com
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
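The thread's diagnosis (IKE on UDP 500 gets through the DSL router's port-forward, but the ESP packets that carry the actual traffic never come back, so the fix is ESP forwarding or NAT-T on UDP 4500) can be checked mechanically from a capture. The following Python is an added example, not code from the thread or from FreeBSD: it parses `tcpdump -n` style lines taken on the VPN server's LAN-facing interface (not the gif interface, which only shows the inner, unencrypted packets), counts IKE, raw ESP and NAT-T traffic per direction, and reports which piece the NAT device is swallowing. The sample capture, the local address 192.168.1.254 and the peer 203.0.113.10 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -i <lan-if> host <peer>" output (not a
# real capture): IKE completes both ways, but ESP only ever leaves.
SAMPLE_TCPDUMP = """\
23:10:01.000001 IP 192.168.1.254.500 > 203.0.113.10.500: isakmp: phase 1 I ident
23:10:01.050000 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 1 R ident
23:10:01.100000 IP 192.168.1.254.500 > 203.0.113.10.500: isakmp: phase 2/others I oakley-quick
23:10:01.150000 IP 203.0.113.10.500 > 192.168.1.254.500: isakmp: phase 2/others R oakley-quick
23:10:02.000000 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
23:10:03.000000 IP 192.168.1.254 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
"""

# timestamp, "IP", src[.port] > dst[.port]: payload description
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(line):
    """Return (kind, src, dst) with kind in {"ike", "esp", "natt"}, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    if "4500" in (m["sport"], m["dport"]):
        kind = "natt"          # UDP-encapsulated ESP / IKE (RFC 3947/3948)
    elif rest.startswith("isakmp"):
        kind = "ike"           # IKE on UDP 500
    elif rest.startswith("ESP("):
        kind = "esp"           # raw IP protocol 50, no ports to forward
    else:
        return None
    return kind, m["src"], m["dst"]


def summarize(text, local_ip):
    """Count packets per (kind, direction) relative to the VPN server's address."""
    counts = Counter()
    for line in text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        kind, src, _dst = parsed
        direction = "out" if src == local_ip else "in"
        counts[(kind, direction)] += 1
    return counts


def diagnose(counts):
    """Map the per-direction counts to the likely NAT/port-forward problem."""
    ike_out, ike_in = counts[("ike", "out")], counts[("ike", "in")]
    esp_out, esp_in = counts[("esp", "out")], counts[("esp", "in")]
    natt_out, natt_in = counts[("natt", "out")], counts[("natt", "in")]
    if ike_out and not ike_in:
        return "no IKE reply: UDP 500 is not reaching the VPN server (check the router's port-forward)"
    if natt_out or natt_in:
        if natt_out and not natt_in:
            return "NAT-T in use but no UDP 4500 reply: forward UDP 4500 to the VPN server"
        return "NAT-T (UDP 4500) traffic flows both ways"
    if esp_out and not esp_in:
        return ("IKE completed but ESP has no reply: the NAT router drops inbound "
                "ESP (protocol 50); forward ESP or enable NAT-T")
    if esp_out and esp_in:
        return "ESP flows both ways"
    return "no IPsec traffic seen"


if __name__ == "__main__":
    c = summarize(SAMPLE_TCPDUMP, "192.168.1.254")
    for key in sorted(c):
        print(key, c[key])
    print(diagnose(c))
```

Run it against a real capture with `tcpdump -n -l -i <lan-if> host <peer> | python3 thisfile.py` after changing the `__main__` block to read `sys.stdin`; the `-n` flag matters because the parser expects numeric addresses. Once NAT-T is in use, both IKE after the NAT detection payloads and ESP travel on UDP 4500, so a single port-forward covers the whole tunnel.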