[ previous ] [ next ] [ threads ]
 From:  "Manuel Kasper" <mk at neon1 dot net>
 To:  "Michael DeMan" <michael at staff dot openaccess dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] pb9 released - IPsec VPN tunnels!
 Date:  Sat, 17 May 2003 22:41:06 +0200 (CEST)
Hi Michael,

> How did you handle integrating IPSec with NAT?
> We've had to use NATD on the 'inside' interface for this to work, are you
> using NATD or IPNAT?

m0n0wall uses ipnat; there don't seem to be any issues with NAT and IPsec,
but this is probably because the NAT rule generator specifies the source
address (LAN and DMZ subnet) instead of just 0/0 in the ipnat map rules...

> I looked at modifying the BSD kernel to switch the ordering on when IPNAT
> and IPSEC process packets to get it working correctly.

Well, I can tell you that I'm absolutely sick of fixed processing orders -
when you have ipfw, ipfilter, ipnat, IPsec and dummynet and use them all
at once, you have to keep inventing workarounds... Add to the fact that
the processing order is not well documented. I had to add pass rules for
ESP packets on WAN to ipfilter when IPsec is enabled - OK, that's what one
would expect. What nobody tells you is that the packets reappear on the
WAN interface after having been decrypted, but this time as ipencap
packets (IPv4-in-IPv4), so you have to pass those, too. This only seems to
happen with FAST_IPSEC and not with KAME IPSEC, though. Then they appear
on WAN once more with the real/internal source/destination addresses. And
finally, you have to pass (or keep state) them out of the LAN interface.
So IPsec packets go through ipfilter 4 times, and that doesn't help the
(IMHO bad) performance much...

- Manuel