IPSec ESP via NAT FreeBSD HOWTO

1. Introduction

This document describes how to configure IPSec ESP via NAT using the FreeBSD operating system. This trick allows you to establish one IPSec ESP session through your FreeBSD firewall system without needing to connect your IPSec client/gateway to the Internet with a fixed IP address. One session means that you can have only one IPSec client/gateway inside your firewall; it may well have multiple SAs to multiple IPsec hosts outside your network.

NAT here refers to port address translation, a special case of NAT in which only one public IP address is used to hide all the private addresses. In some NAT implementations this is called "masquerading" or "overloading".

It is assumed that the reader understands the basic concepts of IPSec, such as IKE, ESP and AH, and is capable of configuring a firewall with FreeBSD.

1.1 Motivation

So why would you want to do that? The answer is simple: you have only one fixed IP address and, for some reason, you cannot build the IPSec client/gateway into the FreeBSD firewall itself.

1.2 Why only one client/gateway?

Due to port address translation, it is not easy to tell which inside host the inbound ESP and IKE packets are intended for, as they are all going to a single IP address: the firewall itself. Remember, ESP is an IP protocol (like TCP or UDP) and doesn't carry any information which could be used to map the connection reliably inside NAT (port numbers, for example). IKE is a UDP protocol that always uses source and destination port 500.

There are some other projects which are trying to overcome this limitation. The Linux VPN Masquerade project supports multiple IPSec/PPTP clients behind a NAT router. The IETF standard solution for IPSec over NAT is called NAT traversal. At least one commercial product, the SSH NAT Traversal Toolkit, is capable of this. If you REALLY need to use multiple client/gateways, you should look at these alternatives.
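To make the limitation above concrete, here is an added example (not code from the HOWTO) that builds an inbound IKE packet and an inbound ESP packet as raw bytes and shows what a port-translating NAT can read from each: the IKE packet carries UDP ports, the ESP packet only an SPI and sequence number chosen by the IPsec peer. A toy translation table then demonstrates why ESP can be forwarded to a single inside host only, while that one host may still talk to several outside peers. 10.10.10.1 is the HOWTO's remote peer; the public and private addresses are invented for the example.

```python
# Added example, not code from the HOWTO: what a port-translating NAT can see
# in an inbound IKE (UDP/500) packet versus an inbound ESP packet, and why the
# ESP mapping can point at only one inside host.  All packets are constructed
# byte strings; 10.10.10.1 is the HOWTO's remote peer, the other addresses are
# invented for the example.
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, ciphertext):
    """ESP: only the SPI and sequence number are in the clear (RFC 2406)."""
    return struct.pack("!II", spi, seq) + ciphertext


def nat_view(packet):
    """Everything a NAT can read from a packet without decrypting it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = bytes_to_ip(packet[12:16]), bytes_to_ip(packet[16:20])
    body = packet[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": "udp", "src": src, "dst": dst,
                "sport": sport, "dport": dport}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # The SPI is chosen by the receiving IPsec peer for its own SA lookup;
        # it is not a port and tells the NAT nothing about the inside host.
        return {"proto": "esp", "src": src, "dst": dst, "spi": spi, "seq": seq}
    return {"proto": proto, "src": src, "dst": dst}


class PatBox:
    """Toy port-address-translation table for inbound demultiplexing."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_map = {}      # (public_port, remote_ip, remote_port) -> inside_ip
        self.esp_owner = None  # the one inside host that receives all ESP

    def register_ike(self, inside_ip, remote_ip):
        """IKE must keep port 500 on both ends, so the public port cannot be
        rewritten per inside host; a second host to the same peer collides."""
        key = (IKE_PORT, remote_ip, IKE_PORT)
        if self.udp_map.get(key, inside_ip) != inside_ip:
            return False
        self.udp_map[key] = inside_ip
        return True

    def register_esp(self, inside_ip):
        """With no port to key on, ESP can be forwarded to one host only."""
        if self.esp_owner not in (None, inside_ip):
            return False
        self.esp_owner = inside_ip
        return True

    def inside_host_for(self, packet):
        """Demultiplex an inbound packet addressed to the public IP."""
        view = nat_view(packet)
        if view["dst"] != self.public_ip:
            return None
        if view["proto"] == "udp":
            return self.udp_map.get((view["dport"], view["src"], view["sport"]))
        if view["proto"] == "esp":
            return self.esp_owner  # nothing else in the packet to go on
        return None


if __name__ == "__main__":
    box = PatBox("203.0.113.1")
    box.register_ike("192.168.0.2", "10.10.10.1")
    box.register_esp("192.168.0.2")
    ike = build_ipv4("10.10.10.1", "203.0.113.1", IPPROTO_UDP,
                     build_udp(IKE_PORT, IKE_PORT, b"constructed IKE payload"))
    esp = build_ipv4("10.10.10.1", "203.0.113.1", IPPROTO_ESP,
                     build_esp(0x1234, 1, b"\x00" * 16))
    print(nat_view(ike), "->", box.inside_host_for(ike))
    print(nat_view(esp), "->", box.inside_host_for(esp))
    print("second ESP host accepted:", box.register_esp("192.168.0.3"))
```

Running it prints the UDP 5-tuple for the IKE packet, only SPI and sequence number for the ESP packet, and `False` when a second inside host tries to claim ESP. The table keys IKE on the remote peer's address, which is exactly why one inside gateway may hold SAs to several outside peers while two inside gateways cannot share the firewall.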

1.3 What about AH?

AH cannot be used with NAT as it hashes some portions of the outer IP header (most importantly, the source IP address), so the integrity check fails due to address translation.
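The following added example (not from the HOWTO) shows the failure described above with a small AH implementation: the integrity check value is an HMAC-SHA1-96 (as in RFC 2404) over the AH header, the payload and the immutable fields of the outer IP header, with the mutable fields (TOS, flags, fragment offset, TTL, header checksum) zeroed. A router decrementing the TTL leaves the ICV valid; a NAT rewriting the source address does not. The key and addresses are constructed for the example.

```python
# Added example, not code from the HOWTO: why AH breaks behind NAT.  The
# receiver recomputes the AH integrity check value (ICV) over the immutable
# parts of the outer IP header, and the source address is one of them.
# Key and addresses are constructed; HMAC-SHA1-96 follows RFC 2404.
import hashlib
import hmac
import struct

IPPROTO_AH = 51
AH_HEADER_LEN = 24  # 12 bytes fixed fields + 96-bit ICV


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; the header checksum is left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def immutable_view(ip_hdr):
    """Zero the fields a router may legitimately change (TOS, flags, fragment
    offset, TTL, checksum); everything else, both addresses included, is
    covered by the ICV (RFC 2402 section 3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, spi, seq, next_hdr, payload):
    """HMAC-SHA1 over immutable IP header + AH header (ICV zeroed) + payload,
    truncated to 96 bits."""
    # AH payload length field is the AH length in 32-bit words minus 2.
    ah_hdr = struct.pack("!BBHII", next_hdr, AH_HEADER_LEN // 4 - 2, 0, spi, seq)
    ah_hdr += b"\x00" * 12
    mac = hmac.new(key, immutable_view(ip_hdr) + ah_hdr + payload, hashlib.sha1)
    return mac.digest()[:12]


def build_ah_packet(key, src, dst, spi, seq, payload, next_hdr=17):
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, AH_HEADER_LEN + len(payload))
    icv = ah_icv(key, ip_hdr, spi, seq, next_hdr, payload)
    ah_hdr = struct.pack("!BBHII", next_hdr, AH_HEADER_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_hdr + icv + payload


def verify_ah(key, packet):
    """What the receiving IPsec peer does: recompute and compare the ICV."""
    ip_hdr, ah = packet[:20], packet[20:]
    next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_total = (plen + 2) * 4
    icv, payload = ah[12:ah_total], ah[ah_total:]
    expected = ah_icv(key, ip_hdr, spi, seq, next_hdr, payload)
    return hmac.compare_digest(icv, expected)


def nat_rewrite_source(packet, new_src):
    """What a NAT box does on the way out: replace the source address.
    (The IP checksum fix-up is omitted; it is excluded from the ICV anyway.)"""
    return packet[:12] + ip_to_bytes(new_src) + packet[16:]


def router_decrement_ttl(packet):
    """What every ordinary hop does; TTL is mutable and not covered."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


if __name__ == "__main__":
    key = b"constructed-example-key"
    pkt = build_ah_packet(key, "192.168.0.2", "10.10.10.1", 0x100, 1, b"hello")
    print("original          :", verify_ah(key, pkt))
    print("after TTL decrement:", verify_ah(key, router_decrement_ttl(pkt)))
    print("after NAT rewrite  :", verify_ah(key, nat_rewrite_source(pkt, "203.0.113.1")))
```

The last line prints `False`: once the NAT has replaced 192.168.0.2 with its public address, no amount of port or address bookkeeping on the firewall can make the peer's ICV match again, which is why the HOWTO covers ESP only.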

2. Configuration

2.1 natd and libalias

In order to ESP-enable your NAT, you need to determine the versions of natd and libalias. libalias is the actual library which performs the translation and natd is the userland interface to it. They are found under /usr/src/sbin/natd and /usr/src/lib/libalias. You did actually install the source packages, didn't you?

OK, here are the guidelines for different versions of FreeBSD.

2.2 ipfw

You will also have to make sure that your firewall configuration actually pushes the right packets through the divert socket. If your configuration does this for all packets (as in the example from the natd man page), all is done.

However, here are some guidelines if you want to play with your firewall:

# Divert incoming IKE traffic from 10.10.10.1:
$fwcmd add divert natd udp from 10.10.10.1 to $firewall 500
$fwcmd add pass udp from 10.10.10.1 to $ipsec_gw 500

# Divert incoming ESP traffic:
$fwcmd add divert natd 50 from 10.10.10.1 to $firewall
$fwcmd add pass 50 from 10.10.10.1 to $ipsec_gw

$fwcmd above is the path to your ipfw command, $firewall is the NAT machine's public address and $ipsec_gw is the IPSec client/gateway. 10.10.10.1 is the other end of the IPSec tunnel.

Copyright and Disclaimer

This document is copyright (c) 2001 Jarkko Turkulainen. Redistribution of the document, with or without modification, is permitted provided that the redistribution retains the above copyright notice.

THE AUTHOR IS NOT RESPONSIBLE OF ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.

Feedback

Any feedback is welcome! Mail it to Sorry, you have to write it!.


Copyright (c) 2001 Jarkko Turkulainen. All rights reserved.