Subject: Re: ipsec/tunnel for private spaces... etc.
To: None <firstname.lastname@example.org>
From: Nick Holmes <email@example.com>
Date: 01/18/2001 17:06:20
further to my previous message:
I have managed to get my two ends talking to one another, using ipsec. -
but only when ipf and ipnat are not configured. - using a static shared secret.
Ipnat & Ipf _both_ stop it working... or at least, ipf does if I block
private network numbers from the external interface, and ipnat does,
whatever I do:
map le0 10.0.1.0/24 -> external/32 proxy port ftp ftp/tcp
map le0 10.0.1.0/24 -> external/32 portmap tcp/udp 40000:50000
map le0 10.0.1.0/24 -> external/32
... similarly, at the other end:
map le0 10.0.2.0/24 -> external/32 proxy port ftp ftp/tcp
map le0 10.0.2.0/24 -> external/32 portmap tcp/udp 40000:50000
map le0 10.0.2.0/24 -> external/32
I have also tried an ipsec tunnel in a gif0 tunnel - again, it works when
ipnat and ipf are removed. (ie using a pseudo device to bypass the
routing limitations forced by ipf.) - under this circumstance, I can also
see the tunnel popping at either end - apparently on the gif0.
I had assumed that there would be some sort of hierarchy to this, and that
the layers, if assembled in the right sequence would allow the rules of
each to cascade cleanly - ie ipnat for external name translation, ipf for
all interactions, and ipsec for secured routing to the "far end":
assumed that: map le0 10.0.2.0/24 -> external/32 would only affect _direct_
routing connections thru le0
assumed that: block out quick on le0 from 10.0.2.0/24 to 10.0.0.0/8 would
also block the _direct_ routing to le0
... these working on the principle that the tunneled stuff was properly
contained within (latterly) 2 different tunnels!
any clarification of how I can do this without having to have 2 systems,
and god only knows how many interfaces would be _very_ useful
At 06:12 PM 1/17/01 +0000, you wrote:
>I am currently in the middle of a project to provide nat, ipf and ipsec
>tunnleing for two networks within my company.
>One is in the UK, the other NY,
>each network has ipf and ipnat in place to provide internet access for
>private network members
>UK is 10.0.1.0/24,
>NY is 10.0.2.0/24,
>[& singapore will be 10.0.3.0/24, but that comes later!]
>each netbsd box has 2 interfaces - no aliasing
>They have to communicate via the "cloud" of the internet, but with nat in
>place there is no need to setup real ip numbers.
>At this point I am unsure if ipsec uses the tunneling interfaces
>(tun,gre,gif), or if it is implicit in its' routing... the documentation
>appears to define this neither one way, nor the other. Or, on the other
>hand are interfaces aliased?
>any clarification on this would be most useful
Nick Holmes - Systems Director
Bluewave Ltd - Webspace Design and Management
Tel. +44 (0)207 706 3500