
[Users] Freeswan, Opportunism, and NAT

From: Jake Harris (harrisj_at_schizopolis.net)
Date: Wed May 08 2002 - 20:23:23 CEST


Hello,

I have an interesting little problem trying to mix Freeswan and NAT together in
an environment. Yes, I know quite well this is a bad idea and should be avoided
like the plague (IPSEC is all about packet integrity, while NAT is all about
mangling packets), but I can't really avoid the issue.

Basically, here is the situation. I have an IPSEC box located in a NAT framework
where it is reachable from the outside world (obviously, masquerading would be a
problem). Let's say the external address is 10.0.0.2 (we'll pretend that's an
internet routable address to protect the real address) and the internal address
is something like 192.168.2.2. The diagram is something like this:

  INTERNET --------- NAT --------------- IPSEC
           10.0.0.2 192.168.2.2
           
The IPSEC box will also be running Opportunism (yes, it gets more complicated),
and I've discovered that I've hit a bit of a conceptual wall here.

In order to do tunnels to remote machines, I need to set up the tunnel locally
to use the external address in its eroute, like so:
   10.0.0.2/32 -> 18.181.0.31/32 tunx...
In addition, using opportunism will add lines like
   10.0.0.2/32 -> 0.0.0.0/0 %trap
   10.0.0.2/32 -> 10.5.6.7/32 %pass
   
The reason why I use the external address (and set up ipsec.conf accordingly) is
that if I use the internal address, the other end of the tunnel out there on the
internet gets confused to receive my internal address when it knows the external
one, and it obviously can't use my internal address to set up the tunnel. On a
machine without opportunism, I also add an iptables rule to mangle outgoing packets
to be from the external address before they go into the tunnel (KLIPS matches
packets to tunnels by BOTH the source and destination address), and I add an
alias so the machine will accept demultiplexed packets from ipsec0 that are to
its external address. However, it gets more complicated with opportunism, since
I don't know who has a tunnel or not. And this only works because my NAT
firewall is pretty nice about receiving packets on its internal segment with the
external address as the source (I don't know if other hardware is as generous).

It seems like I need to be able to do the following for outgoing packets
1. Mangle the source address of the packet to be the external one
2. Send the packet to KLIPS. If there is a tunnel, KLIPS creates an encrypted
packet. Otherwise, KLIPS creates a %pass route and sends the packet on.
3. Mangle the packet from KLIPS back to having the internal IP address as the
source. Put it on the wire.

This would work, but it would involve doing iptables-based packet mangling
before AND after KLIPS. Is this even possible or not? Also, am I correct that
this would work, or am I barking up the wrong tree? And if it's not possible to
do that, is there another way to get away with it? I've been running around in
circles the last few days on this and would love if anybody can put an end to my
misery here. Your help is much appreciated. Thanks.

Yours,
Jake
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
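The post hinges on one detail: KLIPS selects an eroute by matching BOTH the source and the destination of the outgoing packet, so eroutes keyed on the external address 10.0.0.2 never fire for packets that still carry the internal source 192.168.2.2. The following is an added illustration, not code from the post or from FreeS/WAN: a small Python model of that lookup over the three eroutes Jake lists (tunnel, %trap, %pass), plus the three-step mangle / KLIPS / un-mangle sequence he sketches. The "most specific match wins" rule (longest combined source+destination prefix) and the tunnel name "tunx" are assumptions for the model; the addresses are the ones in the post.

```python
"""Simplified model of KLIPS eroute selection for the NAT + opportunism case.

Constructed example; it mimics the matching behaviour described in the post,
not the real KLIPS code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

INTERNAL_ADDR = "192.168.2.2"   # address the IPsec box actually holds (from the post)
EXTERNAL_ADDR = "10.0.0.2"      # address the NAT shows to the Internet (from the post)


@dataclass(frozen=True)
class Eroute:
    src: IPv4Network
    dst: IPv4Network
    action: str   # a tunnel name, or the special targets "%trap" / "%pass"


# The eroute table as listed in the post; "tunx" is the post's placeholder tunnel name.
EROUTES = [
    Eroute(IPv4Network("10.0.0.2/32"), IPv4Network("18.181.0.31/32"), "tunx"),
    Eroute(IPv4Network("10.0.0.2/32"), IPv4Network("0.0.0.0/0"), "%trap"),
    Eroute(IPv4Network("10.0.0.2/32"), IPv4Network("10.5.6.7/32"), "%pass"),
]


def lookup_eroute(src: str, dst: str, table=EROUTES) -> Optional[Eroute]:
    """Return the eroute whose source AND destination both cover the packet.

    Assumption: when several match, the most specific (longest combined prefix) wins.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    matches = [e for e in table if s in e.src and d in e.dst]
    if not matches:
        return None
    return max(matches, key=lambda e: e.src.prefixlen + e.dst.prefixlen)


def klips_decision(src: str, dst: str, table=EROUTES) -> str:
    """What KLIPS does with an outgoing packet given the eroute table."""
    e = lookup_eroute(src, dst, table)
    if e is None:
        return "cleartext"   # no policy covers this pair: packet leaves unprotected
    if e.action == "%trap":
        return "trap"        # hold the packet and start opportunistic negotiation
    if e.action == "%pass":
        return "pass"        # explicitly allowed out in the clear
    return f"esp:{e.action}"  # encrypt into the named tunnel


def process_outgoing(src: str, dst: str, rewrite_source: bool) -> dict:
    """Model the post's three steps: mangle source, hand to KLIPS, mangle back.

    rewrite_source=False shows what happens when step 1 is skipped.
    """
    # Step 1: present the external address to KLIPS so the 10.0.0.2-keyed eroutes match.
    klips_src = EXTERNAL_ADDR if (rewrite_source and src == INTERNAL_ADDR) else src
    # Step 2: KLIPS picks tunnel / %trap / %pass / nothing.
    decision = klips_decision(klips_src, dst)
    # Step 3: for anything that leaves in the clear, put the internal source back
    # so the NAT box sees an ordinary packet from its inside segment.
    if decision.startswith("esp:"):
        wire_src = klips_src   # inner header keeps the external address inside ESP
    else:
        wire_src = src if rewrite_source else klips_src
    return {"klips_src": klips_src, "decision": decision, "wire_src": wire_src}


if __name__ == "__main__":
    for rewrite in (False, True):
        for dst in ("18.181.0.31", "10.5.6.7", "1.2.3.4"):
            print(rewrite, dst, process_outgoing(INTERNAL_ADDR, dst, rewrite))
```

Run stand-alone, the model shows the wall the post describes: with the source left as 192.168.2.2 every destination comes back "cleartext", because no eroute has the internal address as its source; once the source is rewritten to 10.0.0.2, the same destinations land on the tunnel, the %pass entry and the %trap entry respectively.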



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST