Subject: picking source address for PCBs
To: None
From: Michael Richardson
List: tech-net
Date: 10/04/2001 18:54:23

  I have managed to get a "road-warrior" tunnel up between my notebook
and my file server. I have:
    A.30    A.20

  They are normally on the same subnet.
  When they are not, I want to configure an IPsec tunnel like:
       outer src = random-IP
       outer dst = A.30
       inner src = A.20
       inner dst = A.30

  This proves to be difficult. While I can build a series of SPD entries
with setkey that mark ICMP, UDP and TCP to go into the tunnel (!proto 51
would be better, but isn't there I think), I cannot get the inner src set.
  When talking to a subnet that was behind a gateway (with the outer dst not
on the same subnet), I just did:

       ifconfig lo0 inet A.20 alias
       route add -net subnet A.20

  That solved the problem.

  I was able to do this for inner == outer by picking a different outer.
  I gave the file server a new alias (A.18) and set up my tunnel to that.
(Btw, I use the "generate_policy on" to get things to work)

  This works for ping.

  This did not work for SSH or telnet (I fixed this via:
       ProxyCommand nc -s A.20 %h %p
  in .ssh/config)

  I can do rpcbind -p on the file server (yes, I sometimes have enough
bandwidth to do NFS), but showmount and mount fail.

  I happen to be presently at an associate's place where his firewall will
give me a real IP address on the wavelan, but it also blocks all non-IPsec
related stuff.

  What I would like to do is to create a new route option. One that
basically says everything a normal host/net route does, but also says
"use X as the source address". I know that this may not play well with
certain daemons. That would get rid of the "route/alias" trick.


  (I do not really want to muck with IPF. There might be something I could
do, but I don't know what offhand)
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
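Added example (not part of the post, and not NetBSD's or racoon's own code): a script that reproduces the "alias + route" source-address trick and the per-protocol setkey SPD entries the post describes, for the inner == outer case solved with the extra A.18 alias. The addresses are constructed stand-ins for the post's A.x notation, and SA negotiation is assumed to be left to racoon as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the "alias + route" source
# address trick and the per-protocol setkey SPD entries described above.
# Addresses are constructed placeholders for the post's A.x notation:
#   192.0.2.0/24   the home subnet (A)
#   192.0.2.20     the notebook's home address (A.20, inner src)
#   192.0.2.18     extra alias on the file server, outer tunnel endpoint (A.18)
#   198.51.100.7   the address the notebook got abroad ("random-IP", outer src)
HOME_NET=${HOME_NET:-192.0.2.0/24}
INNER_SRC=${INNER_SRC:-192.0.2.20}
OUTER_DST=${OUTER_DST:-192.0.2.18}
OUTER_SRC=${OUTER_SRC:-198.51.100.7}

# Runs a command, or only prints it when DRY_RUN is set (for previewing).
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Give the notebook its home address on lo0 and route the home subnet via
# that alias, so the kernel picks it as the source (inner src) address.
apply_source_addr() {
    # $1 = inner src address, $2 = home subnet
    run ifconfig lo0 inet "$1" alias
    run route add -net "$2" "$1"
}

# Emit setkey SPD entries: one out/in pair per upper-layer protocol, since
# there is no "everything except proto 51" selector. Tunnel endpoints are
# outer src -> outer dst; the inner src stays the home address.
spd_policy() {
    # $1 = inner src, $2 = home subnet, $3 = outer src, $4 = outer dst
    for proto in icmp udp tcp; do
        printf 'spdadd %s/32 %s %s -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$1" "$2" "$proto" "$3" "$4"
        printf 'spdadd %s %s/32 %s -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$2" "$1" "$proto" "$4" "$3"
    done
}

main() {
    apply_source_addr "$INNER_SRC" "$HOME_NET"
    if [ -n "${DRY_RUN:-}" ]; then
        spd_policy "$INNER_SRC" "$HOME_NET" "$OUTER_SRC" "$OUTER_DST"
    else
        spd_policy "$INNER_SRC" "$HOME_NET" "$OUTER_SRC" "$OUTER_DST" | setkey -c
    fi
}

# Usage: DRY_RUN=1 sh tunnel.sh apply  (preview)  /  sh tunnel.sh apply  (as root)
if [ "${1:-}" = apply ]; then main; fi
```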