Re: OT - NAT on IPsec
On 14 Sep 2006, at 13:27, Andrea Mistrali wrote:

> Hi to all!, sorry for being a little bit OT, but maybe you could answer my question :)
> I have a customer that uses 192.168.0.0/24 on his LAN and is protected by a firewall based on OpenBSD 3.6 with PF. He needs to bring up an IPSEC tunnel to another entity with ISAKMPD and I am the consultant that should make everything work.
> This other entity already has a tunnel to another LAN that uses 192.168.0.0/24 and asks me to NAT in some way the private addresses of my customer.
> I tried to assign an IP address to the enc0 interface (and it works), then I put a
>
>     nat on enc0 from $LAN to $ENTITY -> enc0
>
> and it works, but I need to bring up two flows, one for 192.168.0.0/24 and one for 192.168.13.0/24 (that is the address range I would like to use for NAT), because if I bring up only the flow for 192.168.13/24, packets coming from 192.168.0/24 would not be matched and would not pass through enc0. This is, practically, of no use except for experimental tests.
> Does anyone have some good idea or had the same problem???
>
> TIA
> Andrea

I worked hard on it and found the solution. Since I have seen many posts on the Internet about this without a good response, here is the procedure:

1) create a lo1 interface, giving it the address we will use for NATting our private LAN

    ifconfig lo1 192.168.113.254

2) add a static route to the remote private LAN by way of the lo1 address

    route add 10/8 192.168.113.254

3) configure NAT in pf.conf for interface lo1:

    nat on lo1 from $LAN to $REMOTE_LAN -> lo1

4) don't use a generic keep state on enc0, but use it only for ipencap

    pass quick on enc0 proto ipencap all keep state
    pass quick on enc0

5) configure an IPSEC tunnel between the lo1 address (or network) and the remote private LAN

I hope this helps
Andrea
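The five steps above, assembled into one pf.conf(5) fragment as an added illustration; this is not the poster's own ruleset. The interface names fxp0/fxp1, the macro names, and the peer address 203.0.113.10 are assumptions (the lo1 address, the customer LAN and the 10/8 remote LAN are the values from the procedure):

```pf
# Added example, not the original poster's configuration.
ext_if     = "fxp0"            # assumed: interface facing the IPsec peer
int_if     = "fxp1"            # assumed: customer LAN side
PEER       = "203.0.113.10"    # placeholder for the remote IPsec gateway
LAN        = "192.168.0.0/24"  # the customer's real LAN (overlaps with the other site)
REMOTE_LAN = "10.0.0.0/8"      # remote private LAN, as in "route add 10/8 ..."

# Step 3: the static route sends LAN -> REMOTE_LAN traffic through lo1
# (192.168.113.254), where it is translated before the IPsec flow is
# consulted.  The flow then only has to cover 192.168.113.254 -> 10/8,
# so the remote side never sees the overlapping 192.168.0.0/24.
nat on lo1 from $LAN to $REMOTE_LAN -> lo1

# Step 4: keep state on enc0 only for the encapsulated packets.  A generic
# "keep state" on enc0 would also try to track the decapsulated inner
# packets, which is what breaks the NATted flow.
pass quick on enc0 proto ipencap all keep state
pass quick on enc0

# Let isakmpd (udp/500) and ESP reach the peer on the outside interface
pass in  quick on $ext_if proto udp from $PEER to $ext_if port 500
pass out quick on $ext_if proto udp from $ext_if to $PEER port 500 keep state
pass in  quick on $ext_if proto esp from $PEER to $ext_if
pass out quick on $ext_if proto esp from $ext_if to $PEER

# Customer LAN to the remote LAN; replies match the state created here
pass in quick on $int_if from $LAN to $REMOTE_LAN keep state
```

Step 5 is done in isakmpd's configuration rather than pf.conf: the local side of the tunnel is 192.168.113.254 (or 192.168.113.0/24), not the real LAN, so the selector the remote gateway installs contains only the translated address. A quick check after the tunnel is up is that `pfctl -s state` on enc0 shows only ipencap entries, and that the remote side logs the 192.168.113.x source, never 192.168.0.x.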
OT - NAT on IPsec
Hi to all!, sorry for being a little bit OT, but maybe you could answer my question :)

I have a customer that uses 192.168.0.0/24 on his LAN and is protected by a firewall based on OpenBSD 3.6 with PF. He needs to bring up an IPSEC tunnel to another entity with ISAKMPD and I am the consultant that should make everything work.

This other entity already has a tunnel to another LAN that uses 192.168.0.0/24 and asks me to NAT in some way the private addresses of my customer.

I tried to assign an IP address to the enc0 interface (and it works), then I put a

    nat on enc0 from $LAN to $ENTITY -> enc0

and it works, but I need to bring up two flows, one for 192.168.0.0/24 and one for 192.168.13.0/24 (that is the address range I would like to use for NAT), because if I bring up only the flow for 192.168.13/24, packets coming from 192.168.0/24 would not be matched and would not pass through enc0. This is, practically, of no use except for experimental tests.

Does anyone have some good idea or had the same problem???

TIA
Andrea
Re: Problems with state synchronisation
On 14 Feb 2005, at 18:06, Ryan McBride wrote:

> On Mon, Feb 14, 2005 at 10:20:44AM +0100, Andrea Mistrali wrote:
>> Those lines are always relative to broadcast addresses. What can it be?
>
> If a packet reaches both firewalls, they will both create state; when they each receive the state creation message from the other, the state already exists and the insertion fails.
>
> You can ignore the messages, or modify your ruleset so that broadcast packets don't create synchronised states.

Yeah! You're right! How stupid I am :))

Thanks
Andrea
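The second option Ryan describes, a ruleset in which the broadcast traffic does not produce synchronised states, as an added pf.conf(5) example that is not from the thread. The interface name fxp1 and the 192.168.1.0/24 LAN are assumptions; the ports are the NetBIOS name and datagram services (udp/137, udp/138) visible in the logged lines:

```pf
# Added example, not the poster's ruleset.
int_if    = "fxp1"            # assumed: LAN-side interface of both carp members
lan       = "192.168.1.0/24"  # assumed LAN
lan_bcast = "192.168.1.255"   # its directed broadcast address

# Both firewalls receive the same NetBIOS broadcasts, so each creates the
# state locally and then rejects the copy pfsync sends from the peer
# ("pf: state insert failed ... (from sync)").
#
# Option A: pass the broadcasts without state.  A rule without "keep state"
# is stateless on 3.x; on releases where stateful filtering is the default,
# spell it out with "no state".
pass in quick on $int_if inet proto udp from $lan to $lan_bcast port { 137, 138 }

# Option B: keep a local state but never announce it on pfsync(4), for
# broadcast traffic you still want tracked (limited-broadcast here).
pass in quick on $int_if inet proto udp from $lan to 255.255.255.255 keep state (no-sync)

# Everything else keeps synchronised state as before
pass in on $int_if from $lan to any keep state
```

After loading the ruleset, the "state insert failed" lines for the .255 destinations should stop on the backup firewall while `pfctl -s state` on both members still shows the ordinary unicast states being synchronised; any remaining insert failures then point at other traffic both members see.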
Problems with state synchronisation
Hi to all!

I have two firewalls configured in fail over, using OpenBSD 3.6, carp and pfsync. Since I have upgraded all of them to 3.6 I see lines like this in syslog:

    Feb 14 10:16:23 fw-2 /bsd: pf: state insert failed: tree_lan_ext lan: xxx.xxx.xxx.255:138 gwy: xxx.xxx.xxx.255:138 ext: xxx.xxx.xxx.199:138 (from sync)
    Feb 14 10:16:26 fw-2 /bsd: pf: state insert failed: tree_lan_ext lan: xxx.xxx.xxx.255:138 gwy: xxx.xxx.xxx.255:138 ext: xxx.xxx.xxx.3:138 (from sync)
    Feb 14 10:16:26 fw-2 /bsd: pf: state insert failed: tree_lan_ext lan: xxx.xxx.xxy.255:137 gwy: xxx.xxx.xxy.255:137 ext: xxx.xxx.xxy.10:137 (from sync)
    Feb 14 10:16:27 fw-2 /bsd: pf: state insert failed: tree_lan_ext lan: xxx.xxx.xxy.255:137 gwy: xxx.xxx.xxy.255:137 ext: xxx.xxx.xxy.10:137 (from sync)
    Feb 14 10:16:27 fw-2 /bsd: pf: state insert failed: tree_lan_ext lan: xxx.xxx.xxy.255:137 gwy: xxx.xxx.xxy.255:137 ext: xxx.xxx.xxy.10:137 (from sync)

Those lines are always relative to broadcast addresses. What can it be?

TIA
--
Andrea Mistrali
I.NET 2 s.r.l.
I.NET Group: Managed Internet Connectivity