[ previous ] [ next ] [ threads ]
 
 From:  Michael DeMan <michael at staff dot openaccess dot org>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>, James Wilson <jwilson at openaccess dot org>
 Subject:  Re: [m0n0wall] pb9 released - IPsec VPN tunnels!
 Date:  Sat, 17 May 2003 13:49:21 -0700
This is good to hear.  I had to hack pb8 to add IPSec and fire up NATD for a
VPN for a customer.  Their Seattle office is still waiting on DSL so I can
mail out flash cards to them if this all works right on pb9.

Two of us here messed around with IPNAT and IPSec and just gave up a couple
of months ago completely.

On 5/17/03 1:41 PM, "Manuel Kasper" <mk at neon1 dot net> wrote:

> Hi Michael,
> 
>> How did you handle integrating IPSec with NAT?
>> 
>> We've had to use NATD on the 'inside' interface for this to work, are you
>> using NATD or IPNAT?
> 
> m0n0wall uses ipnat; there don't seem to be any issues with NAT and IPsec,
> but this is probably because the NAT rule generator specifies the source
> address (LAN and DMZ subnet) instead of just 0/0 in the ipnat map rules...
> 
>> I looked at modifying the BSD kernel to switch the ordering on when IPNAT
>> and IPSEC process packets to get it working correctly.
> 
> Well, I can tell you that I'm absolutely sick of fixed processing orders -
> when you have ipfw, ipfilter, ipnat, IPsec and dummynet and use them all
> at once, you have to keep inventing workarounds... Add to the fact that
> the processing order is not well documented. I had to add pass rules for
> ESP packets on WAN to ipfilter when IPsec is enabled - OK, that's what one
> would expect. What nobody tells you is that the packets reappear on the
> WAN interface after having been decrypted, but this time as ipencap
> packets (IPv4-in-IPv4), so you have to pass those, too. This only seems to
> happen with FAST_IPSEC and not with KAME IPSEC, though. Then they appear
> on WAN once more with the real/internal source/destination addresses. And
> finally, you have to pass (or keep state) them out of the LAN interface.
> So IPsec packets go through ipfilter 4 times, and that doesn't help the
> (IMHO bad) performance much...
> 
> - Manuel
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
> 

Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
Fax 360-738-9785
michael at staff dot openaccess dot org