[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Masquerading IPSec connections on FreeBSD?

To: Brian Candler <B.Candler at pobox.com>
Subject: Re: Masquerading IPSec connections on FreeBSD?
From: Patrick J Okui <pokui at one2net.co.ug>
Date: 06 Sep 2002 10:23:45 +0300
Cc: afnog at afnog.org
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
Delivered-To: afnog-archive at lists.eahd.or.ug
Delivered-To: afnog-outgoing at afnog.org
Delivered-To: afnog at afnog.org
In-Reply-To: <20020904234225.A4485 at uk.tiscali.com>
References: <20020904202212.4762D68C46 at mail.one2netmail.co.ug> <20020904234225.A4485 at uk.tiscali.com>
Sender: owner-afnog at afnog.org

Hi Brian,
On Thu, 2002-09-05 at 01:42, Brian Candler wrote:
> 
> Well, FreeBSD can do masquerading (NAT) and it also has reliable IPSEC
> support in the kernel. I've used both in anger.
> 
> IMO the problems you are likely to come across are:
> 
> 1. mixing masquerading and IPSEC on the same box; and
> 2. if you are interoperating with Windows IPSEC clients, getting key
> exchange and client authentication to work.
<snip>
Thanks for that, I will need it for yet another installation that had
baffled be :-(...

Anyhow, in this case, what I am trying to set up is a gateway/firewall
that I can use (even say on the machine which does masquerading for my
dial up clients) so that I do not need to know about the remote IPSEC
servers... but just allow tunnels to be set up by the windows (or other)
IPSEC client THROUGH my firewall/gateway and finally to whatever IPSEC
server their client communicates with. The set up of what I would want
is somewhat like this.

	windows IPSEC client(By Galileo)
	(private ip address)		  <=======
		||				||
		||				||
	Un*x Gateway/Firewall			||
	(clients global IP address)		|| tunnel is set up 
		||				|| seamlessly between
		||				|| these two machines
		||				|| just as if the win
	     INTERNET				|| machine had a global
		||				|| ip address.
		||				||
	Remote IPSEC server (Galileo software)<===
	(Global IP address)

So, the problem I was having is that on linux, this setup would not work
for the IPSEC client - which would claim that the remote server is not
replying... (since its packets were being dropped). The question is, how
do I get FreeBSD to work as the Firewall - AND correctly pass the IPSEC
packets... unless I misunderstood your reply...

Is this possible or am I just dreaming? :-)

Patrick
-- 
Patrick J Okui
Systems Administrator
One2Net (U) Ltd

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org

Follow-Ups:
- Re: Masquerading IPSec connections on FreeBSD?
  - From: Brian Candler <B.Candler at pobox.com>

References:
- Masquerading IPSec connections on FreeBSD?
  - From: Patrick J.Okui <pokui at one2net.co.ug>
- Re: Masquerading IPSec connections on FreeBSD?
  - From: Brian Candler <B.Candler at pobox.com>
- Re: Masquerading IPSec connections on FreeBSD?
  - From: Brian Candler <B.Candler at pobox.com>

Prev by Date: Updated DNS monitoring, take 2
Next by Date: Re: Masquerading IPSec connections on FreeBSD?
Prev by thread: Re: Masquerading IPSec connections on FreeBSD?
Next by thread: Re: Masquerading IPSec connections on FreeBSD?
Index(es):
- Date
- Thread