isakmpd, preventing subnet clashing using NAT

Sat, 03 Dec 2005 11:39:46 -0800 

hello people,
i'm trying to setup a vpn between us and our ASP. they've assigned us "their own" private rfc11918 addresses, from which they want us to connect from. basically our topology looks like depicted below: 

our_internal <--> our_fw <--> internet <--> ASP_peer <--> ASP_internal

"our_internal" is 192.168.A.A/24
"our_fw" with 82.x.x.x on its external IF, running openbsd 3.7 release

the "ASP_peer" with 193.x.x.x on its external IF (some cisco vpn 
concentrator - which i've no access to)

"ASP_internal" is B.B.B.B/8
they want us to connect from 172.C.C.C/30


the tunnel between our_fw and ASP_peer is established and confirmed by 
our ASP. since our_fw would only route packets from 172.C.C.C/30 to 
B.B.B.B/8 i did setup additional flows using ipsecadm:



ipsecadm flow -addr B.B.B.B/8 192.168.A.A/24 -dst ASP_peer -proto esp 
-in -use
ipsecadm flow -addr 192.168.A.A/24 B.B.B.B/8 -dst ASP_peer -proto esp 
-out -require



the flows are being showed correctly when doing "netstat -rf encap".

B/8               0     172.C.C.C/30       0     0     193.x.x.x/50/use/in
B/8               0     192.168.A/24       0     0     193.x.x.x/50/use/in

172.C.C.C/30      0     B/8                0     0     
193.x.x.x/50/require/out
192.168.A/24      0     B/8                0     0     
193.x.x.x/50/require/out



in pf.conf i've a line saying:

nat on enc0 inet from 192.168.A.A/24 to B.B.B.B/8 -> 172.C.C.C


ping from our_internal to a machine in ASP_internal and listeing with 
"tcpdump -ni $int_if" shows icmp echo request coming in on the internal 
IF. listening on enc0 shows nothing but silence. "tcpdump -ni $ext_if 
esp" shows silence too. listeing on pflog0 shows packets entering our_fw 
on the internal IF. it looks like the packets simply disappear after 
entering our_fw.

at the moment our_fw does pass everything and keeps state.

also, occasionally i'm getting these from isakmpd:


transport_send_messages: giving up on message 0x3c069500, exchange 
Peer-ASP_fw

transport_send_messages: either this message did not reach the other peer
transport_send_messages: or the responsemessage did not reach us back
(tell me news...)


i know doing nat on enc0 and generally screwing-up VPNs with NAT doesnt 
seem to be a very good idea, but it looks like i havent got other 
options at the moment. please let me know if any additional infos are 
needed.


any help/hints/suggestions would be greatly appreciated.























					Reply via email to