Subject: Re: ipsec/tunnel for private spaces... etc.
To: None <>
From: Nick Holmes <>
List: tech-net
Date: 01/18/2001 17:06:20

Further to my previous message:

I have managed to get my two ends talking to one another using ipsec (with a 
static shared secret), but only when ipf and ipnat are not configured.

ipnat and ipf _both_ stop it working... or at least, ipf does if I block 
private network numbers from the external interface, and ipnat does 
whatever I do:

map le0 -> external/32 proxy port ftp ftp/tcp
map le0 -> external/32 portmap tcp/udp 40000:50000
map le0 -> external/32

... similarly, at the other end:

map le0 -> external/32 proxy port ftp ftp/tcp
map le0 -> external/32 portmap tcp/udp 40000:50000
map le0 -> external/32

I have also tried an ipsec tunnel inside a gif0 tunnel (i.e. using a 
pseudo-device to bypass the routing limitations forced by ipf); again, it 
works when ipnat and ipf are removed. Under this circumstance I can also 
see the tunnel popping at either end, apparently on the gif0.

I had assumed that there would be some sort of hierarchy to this, and that 
the layers, if assembled in the right sequence, would allow the rules of 
each to cascade cleanly, i.e. ipnat for external name translation, ipf for 
all interactions, and ipsec for secured routing to the "far end":

I assumed that: map le0 -> external/32 would only affect _direct_ 
routing connections through le0.
I assumed that: block out quick on le0 from to  would 
also block the _direct_ routing to le0.
... these working on the principle that the tunneled stuff was properly 
contained within (latterly) 2 different tunnels!

Any clarification of how I can do this without having to have 2 systems, 
and God only knows how many interfaces, would be _very_ useful.


At 06:12 PM 1/17/01 +0000, you wrote:
>I am currently in the middle of a project to provide nat, ipf and ipsec 
>tunneling for two networks within my company.
>One is in the UK, the other NY.
>Each network has ipf and ipnat in place to provide internet access for 
>private network members.
>UK is,
>NY is,
>[& singapore will be, but that comes later!]
>Each netbsd box has 2 interfaces - no aliasing.
>They have to communicate via the "cloud" of the internet, but with nat in 
>place there is no need to set up real ip numbers.
>At this point I am unsure if ipsec uses the tunneling interfaces 
>(tun, gre, gif), or if it is implicit in its routing... the documentation 
>appears to define this neither one way nor the other. Or, on the other 
>hand, are interfaces aliased?
>Any clarification on this would be most useful.

Nick Holmes - Systems Director
Bluewave Ltd - Webspace Design and Management
Tel. +44 (0)207 706 3500
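An added configuration sketch, not from the original post, of how the ipf and ipnat rules on the external interface could be written so that the tunnel's own traffic (IKE on UDP 500, ESP as IP protocol 50, and the private-to-private packets that the filter sees before encapsulation) is passed explicitly before private addresses are blocked. It assumes le0 is the external interface as in the post, uses placeholder addresses in CAPITALS, and assumes that this ipf release accepts the "map ... from A ! to B -> ..." form of ipnat rule; whether the filter sees the inner packet on le0 before encapsulation is also an assumption about this kernel, not something the post establishes.

```conf
# Added example; names in CAPITALS are placeholders, not values from the post.
#   LOCAL_EXT / REMOTE_EXT   = the two gateways' public addresses
#   LOCAL_PRIV / REMOTE_PRIV = the two private prefixes (written as addr/mask)

# --- /etc/ipf.conf: filter rules on the external interface le0 ---
# IKE (UDP 500) between the two gateways, for the key exchange.
pass out quick on le0 proto udp from LOCAL_EXT port = 500 to REMOTE_EXT port = 500
pass in  quick on le0 proto udp from REMOTE_EXT port = 500 to LOCAL_EXT port = 500
# The ESP packets that carry the tunnel itself (IP protocol 50).
pass out quick on le0 proto esp from LOCAL_EXT to REMOTE_EXT
pass in  quick on le0 proto esp from REMOTE_EXT to LOCAL_EXT
# Assumption: the filter also sees the inner, still-private-addressed packet
# on le0 before it is encapsulated (and after it is decapsulated on the way
# in), so allow exactly that private-to-private pairing ...
pass out quick on le0 from LOCAL_PRIV to REMOTE_PRIV
pass in  quick on le0 from REMOTE_PRIV to LOCAL_PRIV
# ... and only then drop anything else carrying private addresses on le0.
block out quick on le0 from LOCAL_PRIV to any
block in  quick on le0 from any to LOCAL_PRIV

# --- /etc/ipnat.conf: translate only traffic that is NOT bound for the far end ---
# Assumption: the "from A ! to B" form is supported; it keeps the tunnelled
# private-to-private packets out of the NAT tables so they reach ipsec unchanged.
map le0 from LOCAL_PRIV ! to REMOTE_PRIV -> LOCAL_EXT/32 proxy port ftp ftp/tcp
map le0 from LOCAL_PRIV ! to REMOTE_PRIV -> LOCAL_EXT/32 portmap tcp/udp 40000:50000
map le0 from LOCAL_PRIV ! to REMOTE_PRIV -> LOCAL_EXT/32
```

The same rules, with the two sides swapped, would go on the other gateway; rule order matters because the "quick" passes must precede the private-address blocks.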