Subject: Re: NAT+IPF+IPsec?
To: Mipam <>
From: Teemu Rinta-aho <>
List: tech-net
Date: 05/30/2001 11:33:22
Thanks for the comments.

For clarification, what I would like is the following:

          |             +-------ESP-------+  |
          +  +--+       +-ESP-+     +-ESP-+  +
my_workstation  my_server     bastion     work_server

I have successfully configured the ESP tunnels above,
being able to access my work_server from my_server
just fine through various firewalls. The only thing is
that the network between my_workstation and my_server
uses private addresses, and my_workstation usually
uses NAT for Internet access.

I don't care to run IPsec directly from my_workstation to
anywhere at the moment, but I would like my_server
to tunnel the packets between my_workstation and
the work_server... Now if that should work, I'll probably
start trying to configure it!


On Tue, 29 May 2001, Mipam wrote:

> On Mon, May 28, 2001 at 10:19:47PM +0300, Teemu Rinta-aho wrote:
> > Hi all!
> >
> > I am running a server with NetBSD 1.5.1_BETA2. The server
> > is acting as a router between my home network and the
> > Internet. It is running DHCP, NAT and ipfilter. I am
> > also planning to build an ESP+AH tunnel to my office
> > network.
> Ai ... if I ain't wrong, esp+ah in tunnel mode is not gonna work.
> See the documentation concerning ipsec on the web.
> Doing esp in tunnel mode is fine, but not both.
> For all I know this didn't change, could be wrong though.
> >
> > I need some clarification if this is possible or not.
> > I have two kinds of information from different documents.
> > One says, that packets are filtered AFTER address translation
> > for inbound packets, and BEFORE for outbound packets.
> Yup.
> >
> > Then src/CHANGES-1.5.1 says that ipfilter now looks at
> > packets in native wire format, before IPsec processing
> > for inbound and after for outbound packets. Now when
> > is NAT done in this new architecture, if it can be
> > done at all, or do I have to buy yet another server?
> When ipf is spoken of, you should read
> ipf+ipnat. Now ipf only looks at packets in native wire format.
> However, you still need to pass esp and ah traffic through,
> for else it's not gonna work.
> This enables you to use the nat/router machine also as ipsec border
> machine when you wish to create a tunnel between that machine and
> another router.
> The only thing which I ain't sure of is when you do ipsec in transport mode
> from a machine (with private ip) behind the nat machine, cause in that
> case nat needs to take place, even on the ipsec packets. But this
> is not your situation i guess.
> Concerning DHCP. Racoon doesn't support it, I believe isakmpd from openbsd does.
> Install it from pkgsrc/security/isakmpd.
> I heard some ppl in openbsd got it working.
> Never tried it myself with dhcp though.
> Bye,
> Mipam.

 Teemu Rinta-aho | | +358 40 562 3066
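As an added illustration (not part of the thread, not Teemu's or Mipam's configuration), this is how the setup described above could be written on my_server with ipf, ipnat and setkey as found in NetBSD 1.5.1. The interface name ex0, the office network 10.0.0.0/24 and all addresses (203.0.113.10 = my_server, 198.51.100.20 = bastion, 192.168.1.0/24 = home LAN) are constructed; only ESP is used in tunnel mode, since Mipam notes ESP+AH together will not work.

```conf
# /etc/ipf.conf on my_server (constructed example; ex0 = external interface)
# ipf only sees native wire format, so IKE (UDP 500) and ESP between the
# two tunnel endpoints must be passed explicitly or the tunnel is dropped.
pass out quick on ex0 proto udp from 203.0.113.10 port = 500 to 198.51.100.20 port = 500 keep state
pass in  quick on ex0 proto udp from 198.51.100.20 port = 500 to 203.0.113.10 port = 500 keep state
pass out quick on ex0 proto esp from 203.0.113.10 to 198.51.100.20
pass in  quick on ex0 proto esp from 198.51.100.20 to 203.0.113.10
# (the usual filter rules for the rest of the traffic follow here)

# /etc/ipnat.conf on my_server
# Per CHANGES-1.5.1, ipf/ipnat sees outbound packets after IPsec processing:
# LAN packets matched by the SPD below already arrive here as ESP from
# 203.0.113.10, so these map rules do not touch them and the inner
# 192.168.1.x source survives; only plain Internet traffic gets translated.
map ex0 192.168.1.0/24 -> 203.0.113.10/32 portmap tcp/udp 10000:40000
map ex0 192.168.1.0/24 -> 203.0.113.10/32

# /etc/ipsec.conf on my_server, loaded with: setkey -f /etc/ipsec.conf
# SPD entries: home LAN <-> office net through an ESP tunnel between
# my_server and bastion. The SAs themselves are negotiated by IKE (racoon).
spdadd 192.168.1.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/require;
spdadd 10.0.0.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.20-203.0.113.10/require;
```

The bastion needs the mirror-image SPD entries, and the office side must route 192.168.1.0/24 back into the tunnel, otherwise replies to the untranslated private addresses never return.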