Subject: IPsec, NAT, and Firewalling
To: None <>
From: Dave Burgess <>
List: current-users
Date: 01/22/2001 17:17:08
I just finished a huge message to the IPsec FAQ folks, describing in
gory detail what I'm trying to do with a VPN here.  It sounds very
simple, but I've been at it for a month and I can't get it squared away.

I have the IPsec SAD and SPD set up correctly (as near as I can tell).

Here is the general setup (read this down, the original was WAY too

About 50 computers      192.168.0.x/24
        |
   + NetBSD 1.5 (firewall / NAT / IPsec gateway)
        |
   The Internet
        |
   + NetBSD 1.5 (firewall / NAT / IPsec gateway)
        |
About 2 computers       192.168.1.x/24

Simple right?  You'd think so.

- I have the SAD and SPD set up for the tunnel according to relatively
consistent instructions.  Only one place said this needed to be a
transport, all the rest said 'tunnel'.  It's a tunnel right now.  In
fact, it's set up exactly as documented in "Tunnel Mode Between 2
Security Gateways".
- I have a gifN route set up for the tunnel traffic (which may or may
not be important now).  The IPsec FAQ at doesn't mention
a gif0 interface, but does demand some static routes.  I've tried it
both ways and don't see any traffic moving between.
- I have all the routes (according to "netstat -nr") that I expect to
see.  The route to the network points to, and points to
- I finally figured out that 'gifconfig' is the old syntax for 'ifconfig

The firewalls in the picture above are identical kernels, custom built
for this application.  I enabled GATEWAY, IPSEC, and IPSEC_ESP in the
kernels and built them.  GATEWAY is working since NAT is working.  IPSEC
and IPSEC_ESP are working because I can see the 'transport' mode
connection between my NMS and the FIREWALL running through IPsec.

Things that may or may not make a difference:

1)  I'm running very restrictive firewalls, although I have the external
address of both firewalls fully open into the other firewall.  With the
transport SAD and SPD in place, I can communicate between the two
firewalls without a problem.

2)  I'm running NAT on both firewalls so that we can get out to the
Internet from our internal network.

Any suggestions would be greatly appreciated at this point....
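For reference, here is what the "tunnel mode between two security gateways" configuration described in the post looks like as a setkey(8) script, with the SPD alone steering the 192.168.0.0/24 to 192.168.1.0/24 traffic into the ESP tunnel (no gif interface). This is an added example, not the poster's configuration; the gateway addresses, SPIs and keys are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: manually keyed ESP in tunnel mode
# between the two NetBSD 1.5 gateways in the diagram (192.168.0.0/24 behind
# firewall A, 192.168.1.0/24 behind firewall B), driven by the SPD alone.
# All addresses, SPIs and keys below are placeholders (assumptions).
GW_A=203.0.113.1            # external address of firewall A (placeholder)
GW_B=198.51.100.1           # external address of firewall B (placeholder)
NET_A=192.168.0.0/24
NET_B=192.168.1.0/24
SPI_AB=1001; SPI_BA=1002    # one SA per direction, each with its own SPI
# 3des-cbc needs a 24-byte key, hmac-sha1 a 20-byte key; replace these
# placeholder values with random keys that are identical on both ends.
EKEY_AB=0x000000000000000000000000000000000000000000000000
EKEY_BA=0x111111111111111111111111111111111111111111111111
AKEY_AB=0x0000000000000000000000000000000000000000
AKEY_BA=0x1111111111111111111111111111111111111111

# gen_setkey A|B  -> setkey(8) script for that gateway. The same two SAs are
# loaded on both sides; only the SPD direction (which net is "mine") flips.
gen_setkey() {
    case $1 in
        A) me=$GW_A; peer=$GW_B; mynet=$NET_A; peernet=$NET_B ;;
        B) me=$GW_B; peer=$GW_A; mynet=$NET_B; peernet=$NET_A ;;
        *) echo "usage: gen_setkey A|B" >&2; return 1 ;;
    esac
    cat <<EOF
flush;
spdflush;
# SAD: both directions, tunnel mode, endpoints are the gateway addresses
add $GW_A $GW_B esp $SPI_AB -m tunnel -E 3des-cbc $EKEY_AB -A hmac-sha1 $AKEY_AB;
add $GW_B $GW_A esp $SPI_BA -m tunnel -E 3des-cbc $EKEY_BA -A hmac-sha1 $AKEY_BA;
# SPD: require the tunnel for traffic between the two private networks
spdadd $mynet $peernet any -P out ipsec esp/tunnel/$me-$peer/require;
spdadd $peernet $mynet any -P in ipsec esp/tunnel/$peer-$me/require;
EOF
}

# On each gateway:  gen_setkey A | setkey -c   (gen_setkey B on the other),
# then check with "setkey -D" (SAD) and "setkey -DP" (SPD) and confirm ESP
# leaves the outside interface with "tcpdump -ni <ext_if> esp".
gen_setkey A
```

The firewall rules on both boxes must pass ESP (IP protocol 50) between the two gateway addresses, or the SPD will match but nothing will arrive.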