IPSec ESP via NAT FreeBSD HOWTO
1. Introduction
This document describes how to pass IPSec ESP through NAT using the
FreeBSD operating system. The trick
allows you to establish one IPSec ESP session through your FreeBSD firewall
without having to connect your IPSec client/gateway to the Internet
with a fixed IP address of its own. "One session" means that you can have only one IPSec
client/gateway inside your firewall; that one host may well have multiple SAs
to multiple IPsec hosts outside your network.
NAT here refers to port address translation, a special case of NAT in
which a single public IP address is used to hide all the private addresses.
Some NAT implementations call this "masquerading" or "overloading".
It is assumed that the reader understands the
basic concepts of IPSec, such as IKE, ESP and AH, and is capable of
configuring a firewall with FreeBSD.
1.1 Motivation
So why would you want to do that? The answer is simple: you have only one
fixed IP address and, for some reason, you cannot run the IPSec client/gateway
on the FreeBSD firewall itself.
1.2 Why only one client/gateway?
With port address translation it is not easy to tell where inbound
ESP and IKE packets are intended to go, as they are all addressed to a single IP
address, the firewall itself. Remember, ESP is an IP protocol of its own (number 50,
alongside TCP and UDP) and carries no port numbers. The only cleartext identifier it has,
the 32-bit SPI, is chosen independently by the receiver of each direction and negotiated
inside the (encrypted) IKE exchange, so a NAT cannot pair an inbound SPI with the inside
host that owns it. IKE runs over UDP and, in its original form, always uses port 500 as both
source and destination port, so inbound IKE gives no hint about the inside host either.
The only thing the NAT can do is forward all inbound ESP and IKE to one fixed inside host.
There are other projects which try to overcome this limitation. The
Linux VPN
Masquerade project supports multiple IPSec/PPTP clients behind
a NAT router.
The IETF approach to IPSec over NAT is called NAT traversal (NAT-T), which
encapsulates ESP in UDP so that port numbers are available to the NAT again.
At least one commercial product, the
SSH NAT Traversal
Toolkit, is capable of this. If you REALLY need to use multiple
clients/gateways, you should look at these alternatives.
1.3 What about AH?
AH cannot be used with NAT because its integrity check value covers the immutable
fields of the outer IP header, most importantly the source and destination
addresses, so the check fails at the receiver after the address has been translated.
ESP works precisely because its integrity check stops at the ESP header and does not
cover the outer IP header. Note that this only holds cleanly for tunnel mode: in
transport mode the inner TCP/UDP checksum is computed over the original addresses
and fails after translation.
2. Configuration
2.1 natd and libalias
In order to ESP-enable your NAT, you need to determine the versions of
natd and libalias. libalias is the actual library which performs the
translation and natd is the userland daemon that drives it. They are found under
/usr/src/sbin/natd and /usr/src/lib/libalias. (You did actually
install the system sources, didn't you?)
OK, here are the guidelines for different versions of FreeBSD.
- FreeBSD-4.2 and later
In FreeBSD-4.2 and later, all the necessary software is already in place.
All you have to do is to start natd with the following lines in its
configuration file (read with natd -f; the same options can be given on the
command line as -redirect_proto and -redirect_port):
# redirect ESP traffic to 192.168.1.1
redirect_proto 50 192.168.1.1
# redirect IKE traffic to host 192.168.1.1
redirect_port udp 192.168.1.1:isakmp isakmp
- FreeBSD-3.x - FreeBSD-4.1.1
This is somewhat more difficult, as the operating system doesn't provide all the
features "out-of-the-box". You can do it the easy way: grab the
sources of the FreeBSD-4.2 natd and libalias, compile and install them
and configure them as above.
Or, you can do it the hard way: install my patches,
compile as usual and configure natd with the following lines:
# redirect ESP traffic to 192.168.1.1
espalias 192.168.1.1
# redirect IKE traffic to host 192.168.1.1
redirect_port udp 192.168.1.1:isakmp isakmp
2.2 ipfw
You will also have to make sure that your firewall configuration actually pushes
the right packets through the divert socket. If your configuration does this
for all packets (as in the example from the natd man page), nothing more is needed.
However, here are some guidelines if you want to be more selective in your firewall:
# Divert incoming IKE traffic from 10.10.10.1:
$fwcmd add divert natd udp from 10.10.10.1 to $firewall 500
$fwcmd add pass udp from 10.10.10.1 to $ipsec_gw 500
# Divert incoming ESP traffic:
$fwcmd add divert natd 50 from 10.10.10.1 to $firewall
$fwcmd add pass 50 from 10.10.10.1 to $ipsec_gw
fwcmd above is the path to your ipfw command, firewall
is the public address of the NAT machine and ipsec_gw is the IPSec client/gateway.
10.10.10.1 is the other end of the IPSec tunnel.
The divert rule must come before the pass rule: a packet that natd reinjects
re-enters the ruleset at the rule following the divert rule, which is why the
pass rule is written for the translated destination. Remember also that the
outbound IKE (udp port 500) and ESP (protocol 50) packets from ipsec_gw have to
pass through the divert socket as well, so that natd rewrites their source
address to the firewall's public address; the rules above only show the inbound
direction.
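The following is an added example, not code from this HOWTO, from its author or
from FreeBSD's natd/libalias. It is a miniature of what the configuration in 2.1
makes natd do, and it illustrates the points made in 1.2 and 1.3: inbound ESP
(protocol 50) and IKE (udp 500) can only be delivered to the one inside host named
by the static redirects, the IP header checksum has to be fixed after translation,
and a toy HMAC "ICV" that covers the outer addresses (as AH does) fails after
translation while one that covers only the ESP part (as ESP does) survives.
192.168.1.1 and 10.10.10.1 are taken from the HOWTO; the public address 203.0.113.1,
the inside network 192.168.1.0/24 and the key are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

FIREWALL_PUBLIC = "203.0.113.1"                      # assumption: firewall's public IP
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the private LAN
IPSEC_GW = "192.168.1.1"                             # the one IPSec client/gateway
PEER = "10.10.10.1"                                  # other end of the tunnel
ESP, AH, UDP, ISAKMP = 50, 51, 17, 500
KEY = b"constructed-integrity-key"                   # stands in for the SA's key


def ip_checksum(header):
    """RFC 791 one's-complement sum; yields 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, fixed TTL/ID) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    """(src, dst, proto, payload) of a packet made by build_ipv4."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])), pkt[9], pkt[ihl:])


def rewrite(pkt, src=None, dst=None):
    """What libalias does to the outer header: swap an address, fix the checksum."""
    s, d, proto, payload = parse_ipv4(pkt)
    return build_ipv4(src or s, dst or d, proto, payload)


def udp_datagram(sport, dport, data):
    """UDP with checksum 0 (legal in IPv4); a real NAT also patches a non-zero
    UDP checksum, whose pseudo-header covers the translated address."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


class EspAwareNat:
    """natd with: redirect_proto 50 192.168.1.1 / redirect_port udp 192.168.1.1:isakmp isakmp"""

    def __init__(self, public_ip, ipsec_gw):
        self.public_ip = public_ip
        self.redirect_proto = {ESP: ipsec_gw}
        self.redirect_port = {(UDP, ISAKMP): ipsec_gw}

    def outbound(self, pkt):
        """Inside -> Internet: hide every inside host behind the public IP
        (dynamic state for ordinary TCP/UDP flows is omitted in this toy)."""
        if ipaddress.ip_address(parse_ipv4(pkt)[0]) in INSIDE_NET:
            return rewrite(pkt, src=self.public_ip)
        return pkt

    def inbound(self, pkt):
        """Internet -> inside: ESP has no port and its SPI is chosen per direction,
        so only a static redirect can name the inside host. None = no mapping, dropped."""
        src, dst, proto, payload = parse_ipv4(pkt)
        if dst != self.public_ip:
            return None
        if proto in self.redirect_proto:                     # redirect_proto
            return rewrite(pkt, dst=self.redirect_proto[proto])
        if proto == UDP:
            target = self.redirect_port.get((UDP, struct.unpack("!H", payload[2:4])[0]))
            if target:                                       # redirect_port
                return rewrite(pkt, dst=target)
        return None


def ah_icv(pkt):
    """Toy AH ICV: as in RFC 2402 it covers the immutable outer header fields
    (src, dst, proto) plus the payload, so any address change breaks it."""
    src, dst, proto, payload = parse_ipv4(pkt)
    covered = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
               + bytes([proto]) + payload)
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt):
    """Toy ESP ICV: covers only the ESP header and payload, never the IP header."""
    return hmac.new(KEY, parse_ipv4(pkt)[3], hashlib.sha256).digest()


def survives_nat(proto):
    """Peer computes the ICV before the firewall; the inside gateway verifies it
    after translation. True iff the protocol can live behind this NAT."""
    nat = EspAwareNat(FIREWALL_PUBLIC, IPSEC_GW)
    nat.redirect_proto[AH] = IPSEC_GW            # even redirecting AH does not help
    icv = ah_icv if proto == AH else esp_icv
    pkt = build_ipv4(PEER, FIREWALL_PUBLIC, proto, struct.pack("!II", 0x1234, 1) + b"data")
    sent, arrived = icv(pkt), nat.inbound(pkt)
    return arrived is not None and hmac.compare_digest(sent, icv(arrived))
```

survives_nat(ESP) returns True and survives_nat(AH) returns False. Feeding inbound()
two ESP packets with different SPIs shows the limitation from 1.2 directly: both are
rewritten to 192.168.1.1, because nothing in an ESP packet tells the NAT which inside
host it belongs to; an inbound packet with no matching redirect (e.g. TCP, or ESP to
some other address) comes back as None, which is what natd does with it.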
Copyright and Disclaimer
This document is copyright (c) 2001 of Jarkko Turkulainen.
Redistribution of the document, with or without modification, is permitted
provided that the redistribution retain the above copyright notice.
THE AUTHOR IS NOT RESPONSIBLE OF ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN
BASED ON THE INFORMATION IN THIS DOCUMENT.
Feedback
Any feedback is welcome! Mail it to
.