Subject: questions regarding nat, ipf, and ipsec
To: None <netbsd-users@netbsd.org>
From: Erik Osheim <erik@plastic-idolatry.com>
List: netbsd-users
Date: 08/26/2004 14:17:17
Hello,

I am interested in setting up a VPN tunnel between my work machine and my home network using IPSEC, and using this as my default route. There are many reasons to do this, including:

 1. Our company's web proxy is almost never working properly.
 2. The DNS servers are often down.
 3. I could have access to other machines on my home network which do not have public IPs.

Since our IT was outsourced, we have no control over the networking situation, which is why I want to do VPN.

I read the NetBSD/IPSEC FAQ [1], which was quite informative. It alluded to problematic interactions between IPSEC and IPF. Specifically, it says:

"Please do not try to configure a single node with ipf(4) filtering rules, and IPsec tunnel mode processing (like 'NAT and IPsec gateway in one box')."

However, the document also alludes to improvements which will be available in NetBSD 1.5.1 and beyond, which might simplify the interaction between IPSEC and IPF.

I have a server running NetBSD-1.6.2/i386. I'm pretty sure it has packet forwarding and ipsec compiled into its kernel, and if not, I can do that. It is currently running ipf to do packet filtering, almost entirely on inbound packets. My belief is that I should be able to write new ipf rules which will pass through IPSEC packets on the ethernet device, and then more rules to be applied to the IPSEC tunnel devices (gif or ipip) which permit the (decrypted) traffic I want.

Does anyone see a problem with this? If so, do I need to pass traffic through this server to another box which only does IPSEC/VPN routing?

My next question has to do with the client setup. My client is being NAT'd at least once. Can I establish the IPSEC tunnel through NAT, or do I have to have a publicly accessible IP address for the client machine in order to do this (the server does have a public, static IP address)? What I would like is for all TCP and UDP packets between my home network and my workstation to be tunneled through an existing IPSEC TCP connection (which could be maintained using NAT). I believe this is what is meant by "tunnel mode" in the IPSEC FAQ. However, I am not entirely clear on whether this is what happens.

Any information regarding any part of this process would be appreciated. I can furnish more details on request. I am on the list, but if anyone feels like a reply would be off-topic, please feel free to email me directly.

Thanks,

-- Erik

[1] http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

[2] My network setup:

workstation
   priv IP                     ...home net...
       |                             |
???corp net???                     priv IP
       |                        home server (NetBSD 1.6.2)
    pub IP  ----> internet <-----  pub IP
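Editor's note: the ruleset sketched in the post (pass the IPsec packets on the ethernet device, then filter the decrypted traffic on the tunnel device) can be written for ipf roughly as below. This is an added example, not configuration from the original post or from the NetBSD documentation. It assumes the home server's external interface is fxp0 with public address 203.0.113.1, that the tunnel is a gif0 interface, that the home LAN is 192.168.1.0/24, and that the workstation's inner (tunnel) address is 10.0.0.2; all of those names and addresses are made up for the example. It only illustrates the rule layering; it does not resolve the FAQ's warning, quoted above, about running ipf filtering and IPsec tunnel processing on the same node, which depends on the kernel version and on where in the stack ipf sees the packet.

```conf
# /etc/ipf.conf on the home server (added example, not from the original post).
# Assumed names: fxp0 = external interface, public address 203.0.113.1
#                gif0 = tunnel interface carrying the decrypted packets
#                192.168.1.0/24 = home LAN, 10.0.0.2 = workstation's tunnel address
# ipf evaluates every rule and the last match wins, unless a rule says
# "quick", in which case evaluation stops at that rule.

# Default policy: drop and log everything inbound; outbound traffic
# leaving on the external interface is allowed and tracked.
block in log all
pass out quick on fxp0 keep state

# 1. Ethernet device: only the IPsec protocols reach the host itself.
#    IKE negotiates the SAs over UDP port 500; the encrypted payload is
#    ESP (IP protocol 50, resolved from /etc/protocols).
pass in quick on fxp0 proto udp from any to 203.0.113.1 port = 500
pass in quick on fxp0 proto esp from any to 203.0.113.1

# 2. Tunnel device: filter the decrypted packets. The workstation may reach
#    the home LAN and may use this box as its default route to the internet.
#    Anything else arriving on gif0 falls through to the "block in log all"
#    rule above.
pass in quick on gif0 proto tcp/udp from 10.0.0.2 to 192.168.1.0/24 keep state
pass in quick on gif0 proto icmp from 10.0.0.2 to 192.168.1.0/24 keep state
pass in quick on gif0 from 10.0.0.2 to any keep state
```

Using the home server as the workstation's default route additionally means the workstation's 10.0.0.2 packets have to be NAT'd to the public address on the way out, i.e. an ipnat rule of the form `map fxp0 10.0.0.2/32 -> 203.0.113.1/32 portmap tcp/udp 10000:20000` together with a plain `map fxp0 10.0.0.2/32 -> 203.0.113.1/32` for other protocols. That is exactly the "NAT and IPsec gateway in one box" configuration the FAQ cautions against, so it is worth testing on the specific kernel before relying on it.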