
Re: nat on enc0



Agarwal, Amit (Amit) wrote:

>Hi,
>	First I would like to thank you for the efforts in solving this issue.
>	Also I would like to explain my issue a little bit more clearly.
>	In my topology VPN device 2 should not have any knowledge of the 10.10.10/24 subnet. VPN device 2 should not have to create an IPSec SA for any subnet other than 15.15.15.15, as there may be other VPN devices which are also connecting to VPN device 2 and have the same private subnet as VPN device 1 (10.10.10/24). Also VPN device 2 cannot create any IPSec SA for 0/0 for VPN device 1 either, as there are more VPN devices like VPN device 1.
>	I could not understand what you mean by an acquire-based setup. Well, I may be missing something here with your proposed solutions.
>
There are two ways to define flows with isakmpd:
   1) You use ipsecadm to set the flows, and isakmpd will be called by the
      kernel to do the exchange.
   2) You don't use ipsecadm, and define all your connections in isakmpd.conf.

I use 2), and I think you need to do that as well with your setup.
What you should do is the following: you define the isakmpd.conf flows between
15.15.15.15 and 20.20.20/24. This is what will be negotiated over IKE.

But then the problem is to make sure your packets from 10.10.10/24 go through
enc0. You can do that by either:
  - adding a flow from 10.10.10/24 to 20.20.20/24 using ipsecadm, by hand or
    from a shell script. You need to do that after isakmpd did its work.
  - using an ugly patch similar to the one I will post here.
    (you can replace 0/0 by 10.10.10/24 if you feel like it)
    This is just a hack, but tweaking software is what Open Source is about :)

Hope that helps,
Cedric

Index: pf_key_v2.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.122
diff -u -r1.122 pf_key_v2.c
--- pf_key_v2.c	24 Feb 2003 12:01:04 -0000	1.122
+++ pf_key_v2.c	26 Jun 2003 14:52:35 -0000
@@ -2299,10 +2299,27 @@
     }
 #endif /* SADB_X_EXT_FLOW_TYPE */
 
-  error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+#ifdef WNICONF
+  if (isa->src_mask->sa_family == AF_INET &&
+    ((struct sockaddr_in *)isa->src_mask)->sin_addr.s_addr == 0xFFFFFFFF)
+  {
+    struct sockaddr_in nulladdr;
+    bzero(&nulladdr, sizeof(nulladdr));
+    nulladdr.sin_family = AF_INET;
+    nulladdr.sin_len = sizeof(nulladdr);
+    error = pf_key_v2_flow ((struct sockaddr *)&nulladdr,
+	                  (struct sockaddr *)&nulladdr, isa->dst_net,
+                          isa->dst_mask, isa->tproto, isa->sport, isa->dport,
+                          proto->spi[0], proto->proto, dst, src, 0, 0,
+                          sidtype, sid, sidlen, didtype, did, didlen);
+  } else
+#endif
+  {
+    error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
 			  isa->dst_mask, isa->tproto, isa->sport, isa->dport,
 			  proto->spi[0], proto->proto, dst, src, 0, 0,
 			  sidtype, sid, sidlen, didtype, did, didlen);
+  }
   if (error)
     goto cleanup;
 
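Review bot: the WNICONF branch installs the flow with an all-zero source address and mask, so every packet from this host (and anything routed through it) towards isa->dst_net is steered into an SA the peer negotiated for the single identity 15.15.15.15; as the covering mail itself suggests, the substitute source should be the real private subnet (10.10.10/24 here) rather than 0/0, otherwise the selector is far wider than what was agreed over IKE. The trigger `((struct sockaddr_in *)isa->src_mask)->sin_addr.s_addr == 0xFFFFFFFF` fires for every host-only AF_INET flow, not just the one this setup cares about, and the bare magic value should be INADDR_BROADCAST with a comment explaining that a /32 source is being rewritten. The nulladdr construction is also duplicated verbatim in the next hunk; a small static helper that builds the substitute sockaddr once would keep the install and delete paths in sync.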
@@ -2484,12 +2501,29 @@
   sa->transport->vtbl->get_dst (sa->transport, &dst);
   sa->transport->vtbl->get_src (sa->transport, &src);
 
-  if (!incoming)
+  if (!incoming) {
+
+#ifdef WNICONF
+  if (isa->src_mask->sa_family == AF_INET &&
+    ((struct sockaddr_in *)isa->src_mask)->sin_addr.s_addr == 0xFFFFFFFF)
+  {
+    struct sockaddr_in nulladdr;
+    bzero(&nulladdr, sizeof(nulladdr));
+    nulladdr.sin_family = AF_INET;
+    nulladdr.sin_len = sizeof(nulladdr);
+    return pf_key_v2_flow ((struct sockaddr *)&nulladdr,
+                          (struct sockaddr *)&nulladdr, isa->dst_net,
+                           isa->dst_mask, isa->tproto, isa->sport, isa->dport,
+                           proto->spi[0], proto->proto, src, dst, 1, 0,
+                           0, 0, 0, 0, 0, 0);
+  } else
+#endif
+
     return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
 			   isa->dst_mask, isa->tproto, isa->sport, isa->dport,
 			   proto->spi[0], proto->proto, src, dst, 1, 0,
 			   0, 0, 0, 0, 0, 0);
-  else
+  } else
     {
 #if !defined (SADB_X_EXT_FLOW_TYPE)
       /* Set hostmask to '-1'. */