Subject: IPsec, NAT, and Firewalling
To: None <firstname.lastname@example.org>
From: Dave Burgess <email@example.com>
Date: 01/22/2001 17:17:08
I just finished a huge message to the IPsec FAQ folks, describing in
gory detail what I'm trying to do with a VPN here. It sounds very
simple, but I've been at it for a month and I can't get it squared away.
I have the IPsec SAD and SPD set up correctly (as near as I can tell).
Here is the general setup (read this down, the original was WAY too
About 50 computers 192.168.0.x/24
+ NetBSD 1.5 220.127.116.11
The Internet 18.104.22.168
+ NetBSD 1.5 192.168.1.1
About 2 computers 192.168.1.x/24
Simple right? You'd think so.
- I have the SAD and SPD set up for the tunnel according to relatively
consistent instructions. Only one place said this needed to be a
transport, all the rest said 'tunnel'. It's a tunnel right now. In
fact, it's set up exactly as documented in
http://www.kame.net/newsletter/19991007 in "Tunnel Mode Between 2
- I have a gifN route set up for the tunnel traffic (which may or may
not be important now). The IPsec FAQ at www.netbsd.org doesn't mention
a gif0 interface, but does demand some static routes. I've tried it
both ways and don't see any traffic moving between.
- I have all the routes (according to "netstat -nr") that I expect to
see. The route to the network 192.168.1.0 points to 192.168.1.1, and
192.168.1.1 points to 192.168.0.1.
- I finally figured out that 'gifconfig' is the old syntax for 'ifconfig
The firewalls in the picture above are identical kernels, custom built
for this application. I enabled GATEWAY, IPSEC, and IPSEC_ESP in the
kernels and built them. GATEWAY is working since NAT is working. IPSEC
and IPSEC_ESP are working because I can see the 'transport' mode
connection between my NMS and the FIREWALL running through IPsec
Things that may or may not make a difference:
1) I'm running very restrictive firewalls, although I have the external
address of both firewalls full open into the other firewall. With the
transport SAD and SPD in place, I can communicate between the two
firewalls without a problem.
2) I'm running NAT on both firewalls so that we can get out to the
Internet from our internal network.
Any suggestions would be greatly appreciated at this point....