Re: ipfw, IPSec, and natd

From: Toni Schmidbauer <toni@stderror.at>
Date: 7 Jun 2006 12:57:44
Subject: Re: ipfw, IPSec, and natd
Message-ID: 86zmgp41pz.wl%toni@stderror.at

At Wed, 7 Jun 2006 01:35:16 -0700,
Devin Heckman wrote:
> has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> when all three run at once with the "divert" rule enabled (if I'm right,
> it's because natd is rewriting some information in packets which makes
> IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> know even how to begin fixing natd).
>
> myrouter = 192.168.0.10, 10.0.0.1
> mynatbox1 = 10.0.0.2
> mynatbox2 = 10.0.0.3
> mynfsbox = 192.168.0.11
>
> IPSec
> mynfsbox <--------> myrouter
> | not IPSec
> |<---------> mynatbox1
> |<---------> mynatbox2
>
> /usr/local/etc/ipsec.conf:
>
> spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec esp/transport//require ah/transport//require;
> spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec esp/transport//require ah/transport//require;

could you repost your excellent description to freebsd-question@? i am
not that kind of an ipsec guru, my setup looks a bit different. for
sure there are ipsec gurus on the ml.

your ipfw rules show that you divert every packet over sis0 to
natd. i would try to specify only those addresses which should get
rewritten by natd (in your case 192.168..). so packets sent from
myrouter to mynfsbox do not pass natd.

another thing i would try is to disable ah (just remove
ah/transport//require) from your ipsec.conf file. ah is not necessary
for an encrypted connection; it provides protection against replay
attacks.

hth,
toni
--
If you understand what you're doing, you're | toni at stderror dot at
not learning anything. | Toni Schmidbauer
-- Anonymous |
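As an added illustration of the divert-narrowing suggestion above (not code from the thread), the ruleset below shows the catch-all divert beside a version that lets the myrouter/mynfsbox IPsec traffic skip natd. It assumes sis0 is the outside interface, that the NAT boxes live in 10.0.0.0/24, and uses a dry-run FWCMD default, rule numbers and the skipto target that are my own choices.

```sh
#!/bin/sh
# Assumed layout: sis0 is the outside interface of myrouter, 10.0.0.0/24
# is the inside network behind natd. FWCMD defaults to a dry run that
# prints the rules; set FWCMD=/sbin/ipfw to actually load them.
fwcmd="${FWCMD:-echo ipfw}"

oif="sis0"              # outside interface carrying natd traffic
router="192.168.0.10"   # myrouter's outside address (IPsec endpoint)
nfs="192.168.0.11"      # mynfsbox (IPsec peer)
inside="10.0.0.0/24"    # assumed subnet of mynatbox1 / mynatbox2

# Catch-all divert as in the stock rc.firewall: every packet crossing
# sis0 goes through natd, including the ESP/AH traffic between
# myrouter and mynfsbox.
broad_divert() {
    ${fwcmd} add 100 divert natd all from any to any via ${oif}
}

# Narrowed version: the IPsec peer pair jumps over the divert rules
# (skipto keeps them subject to the filtering rules from 200 upward),
# and natd only sees addresses it really has to rewrite.
narrow_divert() {
    ${fwcmd} add 90 skipto 200 ip from ${router} to ${nfs} via ${oif}
    ${fwcmd} add 91 skipto 200 ip from ${nfs} to ${router} via ${oif}
    # outbound: only the inside hosts get their source rewritten
    ${fwcmd} add 100 divert natd ip from ${inside} to any out via ${oif}
    # inbound: only replies addressed to the router's outside address
    ${fwcmd} add 101 divert natd ip from any to ${router} in via ${oif}
    # the rest of the filtering policy continues at rule 200
    ${fwcmd} add 200 check-state
}

narrow_divert
```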