Subject: IPsec, NAT, and Firewalling
To: None <current-users@netbsd.org>
From: Dave Burgess <burgess@neonramp.com>
List: current-users
Date: 01/22/2001 17:17:08
I just finished a huge message to the IPsec FAQ folks, describing in
gory detail what I'm trying to do with a VPN here. It sounds very
simple, but I've been at it for a month and I can't get it squared away.
I have the IPsec SAD and SPD set up correctly (as near as I can tell).
Here is the general setup (read this down, the original was WAY too
wide):

    About 50 computers      192.168.0.x/24
    Firewall                192.168.0.1
      + NetBSD 1.5          204.248.21.50
    The Internet            204.248.22.129
    Firewall                204.248.21.62
      + NetBSD 1.5          192.168.1.1
    About 2 computers       192.168.1.x/24

Simple, right? You'd think so.
- I have the SAD and SPD set up for the tunnel according to relatively
consistent instructions. Only one place said this needed to be a
transport, all the rest said 'tunnel'. It's a tunnel right now. In
fact, it's set up exactly as documented in
http://www.kame.net/newsletter/19991007 in "Tunnel Mode Between 2
Security Gateways".
- I have a gifN route set up for the tunnel traffic (which may or may
not be important now). The IPsec FAQ at www.netbsd.org doesn't mention
a gif0 interface, but does demand some static routes. I've tried it
both ways and don't see any traffic moving between them.
- I have all the routes (according to "netstat -nr") that I expect to
see. The route to the network 192.168.1.0 points to 192.168.1.1, and
192.168.1.1 points to 192.168.0.1.
- I finally figured out that 'gifconfig' is the old syntax for 'ifconfig
tunnel'.
The firewalls in the picture above are identical kernels, custom built
for this application. I enabled GATEWAY, IPSEC, and IPSEC_ESP in the
kernels and built them. GATEWAY is working since NAT is working. IPSEC
and IPSEC_ESP are working because I can see the 'transport' mode
connection between my NMS and the FIREWALL running through IPsec
encryption.
Things that may or may not make a difference:
1) I'm running very restrictive firewalls, although I have the external
address of both firewalls fully open into the other firewall. With the
transport SAD and SPD in place, I can communicate between the two
firewalls without a problem.
2) I'm running NAT on both firewalls so that we can get out to the
Internet from our internal network.
Any suggestions would be greatly appreciated at this point...
Dave
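One thing worth ruling out in a setup like the one above is whether the outbound NAT rewrites the inside source address before the SPD selectors see the packet: a tunnel-mode policy written for 192.168.0.0/24 -> 192.168.1.0/24 cannot match a packet whose source has already become 204.248.21.50, so the traffic leaves in the clear and the tunnel looks dead. The following is an added model of that lookup (not code from the post, NetBSD, or KAME); the policy, the NAT map rule and the two processing orders are constructed assumptions, and which order the real kernel uses must be checked on the box, e.g. by comparing `setkey -DP` with `ipnat -l` and watching what actually hits the wire.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Policy:
    """One SPD entry: selectors plus what to do on a match."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                      # "ipsec" (tunnel) or "none"
    tunnel: Optional[Tuple[str, str]] = None  # (outer src, outer dst)

# Constructed SPD for the 192.168.0.1 / 204.248.21.50 gateway, mirroring the
# "tunnel mode between two security gateways" layout from the post.
SPD_OUT = [
    Policy(ipaddress.ip_network("192.168.0.0/24"),
           ipaddress.ip_network("192.168.1.0/24"),
           "ipsec", ("204.248.21.50", "204.248.21.62")),
]

# Constructed ipf-style "map" rule: inside sources become the external address.
NAT_INSIDE = ipaddress.ip_network("192.168.0.0/24")
NAT_OUTSIDE = "204.248.21.50"

def spd_lookup(spd, src: str, dst: str) -> Optional[Policy]:
    """First-match SPD lookup on the packet's *current* src/dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.src and d in p.dst:
            return p
    return None          # no policy: packet is sent unprotected

def nat_map(src: str) -> str:
    """Apply the outbound NAT map rule to a source address."""
    return NAT_OUTSIDE if ipaddress.ip_address(src) in NAT_INSIDE else src

def outbound(src: str, dst: str, nat_before_spd: bool) -> Tuple[str, str]:
    """Model an outbound packet; return (disposition, src seen by the SPD).

    nat_before_spd selects the assumed ordering of NAT and policy lookup.
    """
    seen = nat_map(src) if nat_before_spd else src
    p = spd_lookup(SPD_OUT, seen, dst)
    return ("tunnel" if p and p.action == "ipsec" else "clear", seen)
```

If the "NAT first" order reproduces what you see on the wire, the usual fix is to exempt the remote private network from the NAT map rule so the SPD selectors match the untranslated addresses.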