Subject: Re: ipsec/tunnel for private spaces... etc.
To: None <itojun@iijlab.net>
From: Nick Holmes <aaa48@dial.pipex.com>
List: tech-net
Date: 01/22/2001 15:37:26
At 10:44 AM 1/19/01 +0900, itojun@iijlab.net wrote:

> >>any clarification on this would be most useful
>
>         does it help you understand the current situation?
>         http://mail-index.netbsd.org/tech-net/2001/01/13/0008.html

Not really, unfortunately.

I added an IPNat configuration to take "map le0 10.0.0.0/8 -> 10.0.0.0/8" - 
prior to other maps on this ip block - theoretically saying "don't change 
these ones!" - or at least, so I figure... were this to work, I would also 
add the appropriate proxies.  .. however, the same halt occurred in data 
exchange across the interface.

Basically, I need to find a way to make ipnat and ipf ignore all packets 
going to my other locations via the ipsec based vpn.

I need to be able to:

IPNat at both ends for data routing to "the internet at large"
IPF for internal systems at both ends, and permit rules for services on 
externally accessible (dmz) servers
IPSec for routing data to other offices - tunneling thru the internet cloud.

... ideally on one box.

I tried the gif0 tack to see if I could tunnel thru the ipf/ipnat - which 
seemed logical, but this didn't work either - it seems that ipnat and ipf 
seem to just envelop any part of anything connected to my external interface.

here are my configs:

ipnat.conf - A end:

map le0 10.0.0.0/8  -> 10.0.0.0/8

map le0 10.0.1.0/24 -> a.a.a.a/32 proxy port ftp ftp/tcp
map le0 10.0.1.0/24 -> a.a.a.a/32 portmap tcp/udp 40000:50000
map le0 10.0.1.0/24 -> a.a.a.a/32

ipnat.conf - B end:

map le0 10.0.0.0/8  -> 10.0.0.0/8

map le0 10.0.2.0/24 -> b.b.b.b/32 proxy port ftp ftp/tcp
map le0 10.0.2.0/24 -> b.b.b.b/32 portmap tcp/udp 40000:50000
map le0 10.0.2.0/24 -> b.b.b.b/32

... ipf - with equivalent alteration at the other end. [these are 
dislocated 'tho, so I fig. not that important at this point]

# make sure that the internal stuff cannot go thru the fw clean
# just to make sure!
pass out quick on gif0 from 10.0.1.0/24 to 10.0.11.0/24
pass out quick on gif0 from 10.0.1.0/24 to 10.0.2.0/24
block out quick on le0 from 10.0.1.0/24 to 10.0.0.0/8
#
# rules for the incoming traffic
#
pass in from any to any
#
# rules for outgoing - anything goes!
#
pass out from any to any


... and the ipsec settings - A end:

add a.a.a.a b.b.b.b esp 10002 -E blowfish-cbc "codea" ;
add b.b.b.b a.a.a.a esp 10005 -E blowfish-cbc "codeb" ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/a.a.a.a-b.b.b.b/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec esp/tunnel/b.b.b.b-a.a.a.a/require ;

conversely:

add a.a.a.a b.b.b.b esp 10002 -E blowfish-cbc "codea";
add b.b.b.b a.a.a.a esp 10005 -E blowfish-cbc "codeb";
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/b.b.b.b-a.a.a.a/require;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec esp/tunnel/a.a.a.a-b.b.b.b/require;

NB - these work fine (also with gif0 mappings in place of external interfaces.)

this is *really* doing my head in at the moment.

any help gratefully received!

nick
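The ipf ruleset quoted above depends on IPFilter's evaluation order: rules are scanned top to bottom, the *last* matching rule decides, and a matching rule marked `quick` ends the scan immediately. The following is an added example, not code from the original post or from IPFilter; it is a small evaluator for the subset of ipf syntax used in the message (action, direction, optional `quick`, optional `on <iface>`, `from`/`to` with CIDR or `any`), with the sample traffic and the assumption that the default when no rule matches is `pass`. It shows why the `block out quick on le0` line wins for inner-subnet traffic on le0 even though `pass out from any to any` follows it, and what changes if `quick` is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Ruleset as posted in the message (comments stripped by the parser).
POSTED_IPF_CONF = """
# make sure that the internal stuff cannot go thru the fw clean
pass out quick on gif0 from 10.0.1.0/24 to 10.0.11.0/24
pass out quick on gif0 from 10.0.1.0/24 to 10.0.2.0/24
block out quick on le0 from 10.0.1.0/24 to 10.0.0.0/8
# rules for the incoming traffic
pass in from any to any
# rules for outgoing - anything goes!
pass out from any to any
"""

# Constructed variant: the same block rule without 'quick'.
NO_QUICK_CONF = POSTED_IPF_CONF.replace(
    "block out quick on le0", "block out on le0")


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool                  # stop scanning when this rule matches
    iface: Optional[str]         # None means "any interface"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original line, for reporting


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_ipf(conf: str):
    """Parse the minimal ipf syntax used above into Rule objects, in file order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        action, direction = toks[0], toks[1]
        i, quick, iface = 2, False, None
        if toks[i] == "quick":
            quick, i = True, i + 1
        if toks[i] == "on":
            iface, i = toks[i + 1], i + 2
        if toks[i] != "from" or toks[i + 2] != "to":
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(Rule(action, direction, quick, iface,
                          _net(toks[i + 1]), _net(toks[i + 3]), line))
    return rules


def evaluate(rules, direction: str, iface: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, winning rule text) under ipf semantics:
    scan in order, last match wins, 'quick' ends the scan, default pass (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if s not in r.src or d not in r.dst:
            continue
        winner = r
        if r.quick:
            break
    return (winner.action, winner.text) if winner else ("pass", None)


if __name__ == "__main__":
    rules = parse_ipf(POSTED_IPF_CONF)
    # Inner subnet A -> subnet B leaving on le0: the quick block wins.
    print(evaluate(rules, "out", "le0", "10.0.1.5", "10.0.2.7"))
    # The same flow leaving on gif0: the quick pass for gif0 wins.
    print(evaluate(rules, "out", "gif0", "10.0.1.5", "10.0.2.7"))
    # Without 'quick', the later 'pass out from any to any' overrides the block.
    print(evaluate(parse_ipf(NO_QUICK_CONF), "out", "le0", "10.0.1.5", "10.0.2.7"))
```

The last case is the one to keep in mind when reading any ipf ruleset: a `block` without `quick` that is followed by a catch-all `pass` is silently overridden, so the `quick` keyword on the le0 block rule above is doing real work.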