Subject: IPSEC TUNNEL + NAT
To: None <port-i386@netbsd.org>
From: dkwok <dkwok@iware.com.au>
List: port-i386
Date: 05/17/2001 09:55:51
Sorry, this may be off topic.
I read the NetBSD doc about IPsec and NAT. It says 1.5.1 will support NAT + IPsec tunnelling. Has anyone successfully installed VPN gateways? My set up is:
192.168.1.2/24 (NAT)
|
|
192.168.1.1 (internal)
203.42.xxx.xxx (external)
|
|
| (Internet)
|
|
203.45.xxx.xxx (external)
192.168.2.1 (internal)
|
|
192.168.2.2/24 (NAT)
setkey config:
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.42.xxx.xxx-203.45.xxx.xxx/use;
# the original post had "192.1681.0/24" on the next line, which is not a valid address
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/203.45.xxx.xxx-203.42.xxx.xxx/use;
I can ping from 192.168.1.2 to 192.168.2.1; ESP established OK.
I can ping from 192.168.1.2 to 203.42.xxx.xxx; ESP established OK.
However, I can't ping from 192.168.1.2 to 192.168.2.2. From tcpdump there is nothing coming through into the internal network.
My ipnat conf:
map 192.168.2.0/24 -> 203.42.xxx.xxx/32
My ipf.conf:
pass in all
pass out all
Any comments or suggestions are welcome.
David Kwok
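The part of this setup that decides whether the ping gets through is the order in which an ipnat map rule and the IPsec policy lookup see an outgoing packet. The Python model below is an added example, not code from the post or from NetBSD: it parses the two spdadd lines and an ipnat map rule, then runs a packet through them in either order so you can see which packets still match the tunnel policy. The addresses 203.42.0.1 and 203.45.0.1 stand in for the masked 203.42.xxx.xxx and 203.45.xxx.xxx, the mirror-image policy and map rule on the 192.168.2.x gateway are assumed, and which order a given NetBSD release actually uses is something to confirm against that release's documentation, not against this model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class SpdEntry:
    src_net: str
    dst_net: str
    direction: str          # "in" or "out"
    tunnel_src: str         # outer ESP source
    tunnel_dst: str         # outer ESP destination


@dataclass(frozen=True)
class NatRule:
    src_net: str                        # internal network whose source is rewritten
    ext_addr: str                       # external address written into the source
    exclude_dst: Optional[str] = None   # destinations the rule must leave alone


def parse_spdadd(line: str) -> SpdEntry:
    """Parse one 'spdadd SRC DST UPPER -P DIR ipsec esp/tunnel/A-B/LEVEL;' line."""
    tok = line.strip().rstrip(";").split()
    if tok[0] != "spdadd" or tok[4] != "-P" or tok[6] != "ipsec":
        raise ValueError(f"unsupported spdadd line: {line!r}")
    proto, mode, endpoints, _level = tok[7].split("/")
    if (proto, mode) != ("esp", "tunnel"):
        raise ValueError("only esp/tunnel policies are modelled")
    outer_src, outer_dst = endpoints.split("-")
    return SpdEntry(tok[1], tok[2], tok[5], outer_src, outer_dst)


def parse_map(line: str) -> NatRule:
    """Parse the simplest ipnat form, 'map [IFNAME] SRCNET -> EXT/32'."""
    lhs, rhs = line.split("->")
    src_net = lhs.split()[-1]               # last token before '->' is the network
    ext_addr = rhs.split()[0].split("/")[0]
    return NatRule(src_net, ext_addr)


def in_net(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def spd_lookup(spd: List[SpdEntry], pkt: Packet, direction: str) -> Optional[SpdEntry]:
    """First policy whose selector (direction, src net, dst net) covers the packet."""
    for entry in spd:
        if (entry.direction == direction and in_net(pkt.src, entry.src_net)
                and in_net(pkt.dst, entry.dst_net)):
            return entry
    return None


def apply_nat(rule: NatRule, pkt: Packet) -> Packet:
    """Rewrite the source to the external address when the map rule covers it."""
    if not in_net(pkt.src, rule.src_net):
        return pkt
    if rule.exclude_dst and in_net(pkt.dst, rule.exclude_dst):
        return pkt
    return Packet(rule.ext_addr, pkt.dst)


def egress(pkt: Packet, nat: NatRule, spd: List[SpdEntry], nat_first: bool) -> Tuple[str, str, str]:
    """('esp', outer_src, outer_dst) if tunnelled, ('clear', src, dst) if it leaves unprotected."""
    if nat_first:
        pkt = apply_nat(nat, pkt)
    entry = spd_lookup(spd, pkt, "out")
    if entry is not None:
        return ("esp", entry.tunnel_src, entry.tunnel_dst)
    if not nat_first:
        pkt = apply_nat(nat, pkt)
    return ("clear", pkt.src, pkt.dst)


# Gateway 1 (192.168.1.1 / 203.42.0.1): the policy and map rule as posted, addresses unmasked.
GW1_SPD = [parse_spdadd(l) for l in (
    "spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.42.0.1-203.45.0.1/use;",
    "spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/203.45.0.1-203.42.0.1/use;",
)]
GW1_NAT = parse_map("map 192.168.2.0/24 -> 203.42.0.1/32")

# Gateway 2 (192.168.2.1 / 203.45.0.1): assumed mirror image of the posted configuration.
GW2_SPD = [parse_spdadd(l) for l in (
    "spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/203.45.0.1-203.42.0.1/use;",
    "spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/203.42.0.1-203.45.0.1/use;",
)]
GW2_NAT = parse_map("map 192.168.2.0/24 -> 203.45.0.1/32")

PING = Packet("192.168.1.2", "192.168.2.2")    # constructed: the poster's ping
REPLY = Packet("192.168.2.2", "192.168.1.2")   # constructed: the echo reply from the far LAN


def demo():
    """Run the ping and its reply through both processing orders, plus a map rule
    that excludes the remote tunnel network from translation."""
    return {
        "ping_nat_first": egress(PING, GW1_NAT, GW1_SPD, nat_first=True),
        "reply_nat_first": egress(REPLY, GW2_NAT, GW2_SPD, nat_first=True),
        "reply_spd_first": egress(REPLY, GW2_NAT, GW2_SPD, nat_first=False),
        "reply_nat_first_excluded": egress(
            REPLY, replace(GW2_NAT, exclude_dst="192.168.1.0/24"), GW2_SPD, nat_first=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

What the model shows: the map rule as posted on the 192.168.1.x gateway never touches the outbound ping, so it is tunnelled in either order. A matching rule on the far gateway, if it runs before the policy lookup, rewrites the reply's source to the external address; the reply then matches no policy and would leave in the clear toward a private destination, which is one explanation consistent with tcpdump seeing nothing arrive on the inside. Leaving the remote network out of the map rule (exclude_dst in the model; ipnat's from/to form can express a per-destination rule, check ipnat(5) for the syntax your release accepts) restores the match. The practical check is a tcpdump on the far gateway's external interface for unencrypted packets addressed to 192.168.1.0/24.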