
isakmpd, preventing subnet clashing using NAT

hello people,
I'm trying to set up a VPN between us and our ASP. They've assigned us "their own" private RFC 1918 addresses, from which they want us to connect. Basically our topology looks like depicted below:

our_internal <--> our_fw <--> internet <--> ASP_peer <--> ASP_internal

"our_internal" is 192.168.A.A/24
"our_fw" with 82.x.x.x on its external IF, running OpenBSD 3.7 release
the "ASP_peer" with 193.x.x.x on its external IF (some Cisco VPN concentrator, which I've no access to)
"ASP_internal" is B.B.B.B/8
they want us to connect from 172.C.C.C/30

The tunnel between our_fw and ASP_peer is established and confirmed by our ASP. Since our_fw would only route packets from 172.C.C.C/30 to B.B.B.B/8, I set up additional flows using ipsecadm:

ipsecadm flow -addr B.B.B.B/8 192.168.A.A/24 -dst ASP_peer -proto esp -in -use
ipsecadm flow -addr 192.168.A.A/24 B.B.B.B/8 -dst ASP_peer -proto esp -out -require

The flows are shown correctly when doing "netstat -rf encap".

B/8 0 172.C.C.C/30 0 0 193.x.x.x/50/use/in
B/8 0 192.168.A/24 0 0 193.x.x.x/50/use/in
172.C.C.C/30 0 B/8 0 0 193.x.x.x/50/require/out
192.168.A/24 0 B/8 0 0 193.x.x.x/50/require/out

In pf.conf I've a line saying:

nat on enc0 inet from 192.168.A.A/24 to B.B.B.B/8 -> 172.C.C.C

Ping from our_internal to a machine in ASP_internal and listening with "tcpdump -ni $int_if" shows ICMP echo requests coming in on the internal IF. Listening on enc0 shows nothing but silence. "tcpdump -ni $ext_if esp" shows silence too. Listening on pflog0 shows packets entering our_fw on the internal IF. It looks like the packets simply disappear after entering our_fw.
At the moment our_fw passes everything and keeps state.

Also, occasionally I'm getting these from isakmpd:

transport_send_messages: giving up on message 0x3c069500, exchange Peer-ASP_fw
transport_send_messages: either this message did not reach the other peer
transport_send_messages: or the responsemessage did not reach us back
(tell me news...)

I know doing NAT on enc0 and generally screwing up VPNs with NAT doesn't seem to be a very good idea, but it looks like I haven't got other options at the moment. Please let me know if any additional info is needed.

Any help/hints/suggestions would be greatly appreciated.
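Added example, not from the original post and not OpenBSD or isakmpd code: a small Python model of where the source NAT happens relative to the IPsec flow (SPD) lookup and the SA that isakmpd negotiated. The addresses are constructed stand-ins for the post's placeholders (192.168.1.0/24 for 192.168.A.A/24, 172.16.0.0/30 for 172.C.C.C/30, 10.0.0.0/8 for B.B.B.B/8, 198.51.100.1 for the ASP peer). The only rule it assumes is the standard IPsec one that a negotiated SA carries only traffic covered by its phase-2 selectors; it does not assert which ordering OpenBSD 3.7's pf hook on enc0 uses, it shows what each ordering implies for the symptoms described (nothing on enc0 versus ESP leaving with the assigned source, and whether the echo reply can be translated back).

```python
# Added example (not from the post, nor OpenBSD/isakmpd code): toy model of
# NAT ordering relative to the IPsec flow lookup and SA selection.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed stand-ins for the placeholders used in the post.
INTERNAL = ip_network("192.168.1.0/24")   # "192.168.A.A/24" (our_internal)
ASSIGNED = ip_network("172.16.0.0/30")    # "172.C.C.C/30" (range assigned by the ASP)
NAT_ADDR = ip_address("172.16.0.1")       # the single address pf translates to
ASP_NET = ip_network("10.0.0.0/8")        # "B.B.B.B/8" (ASP_internal)
ASP_PEER = ip_address("198.51.100.1")     # "193.x.x.x" (ASP_peer; TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Flow:
    """One SPD entry, as listed by 'netstat -rf encap'."""
    src: IPv4Network
    dst: IPv4Network
    peer: IPv4Address
    level: str  # "require" or "use"


@dataclass(frozen=True)
class SA:
    """An ESP SA carrying the traffic selectors agreed in phase 2."""
    peer: IPv4Address
    local: IPv4Network
    remote: IPv4Network


@dataclass
class Nat:
    """Many-to-one source NAT with a state table for the return direction.
    Real pf also keys state on ports / ICMP ids; this toy keys on addresses."""
    src: IPv4Network
    dst: IPv4Network
    to: IPv4Address
    state: dict = field(default_factory=dict)  # (translated src, dst) -> original src

    def forward(self, pkt):
        if pkt.src in self.src and pkt.dst in self.dst:
            self.state[(self.to, pkt.dst)] = pkt.src
            return Packet(self.to, pkt.dst)
        return pkt

    def reverse(self, pkt):
        orig = self.state.get((pkt.dst, pkt.src))
        return Packet(pkt.src, orig) if orig is not None else pkt


def lookup_flow(pkt, spd):
    """First SPD entry whose selectors cover the packet, or None."""
    for f in spd:
        if pkt.src in f.src and pkt.dst in f.dst:
            return f
    return None


def find_sa(flow, pkt, sad):
    """An SA is usable only for the peer the flow points at and for traffic
    covered by the SA's own negotiated selectors; a manual flow does not
    widen those selectors."""
    for sa in sad:
        if sa.peer == flow.peer and pkt.src in sa.local and pkt.dst in sa.remote:
            return sa
    return None


def outbound(pkt, nat, spd, sad, nat_before_lookup):
    """Return (verdict, detail); on 'esp'/'clear' detail is the source the ASP sees."""
    if nat_before_lookup:
        pkt = nat.forward(pkt)
    flow = lookup_flow(pkt, spd)
    if flow is None:
        return ("clear", str(pkt.src))  # no policy at all: leaves unprotected
    sa = find_sa(flow, pkt, sad)
    if sa is None:
        if flow.level == "require":
            return ("drop", "no SA covers these selectors; ACQUIRE sent, packet discarded")
        return ("clear", str(pkt.src))  # "use" level falls back to cleartext
    if not nat_before_lookup:
        pkt = nat.forward(pkt)  # NAT on enc0: applied after the SA was chosen
    return ("esp", str(pkt.src))


def scenario(nat_before_lookup, with_manual_flows=True):
    """Echo request from an internal host, then the decrypted echo reply."""
    nat = Nat(INTERNAL, ASP_NET, NAT_ADDR)
    spd = [Flow(ASSIGNED, ASP_NET, ASP_PEER, "require")]  # negotiated by isakmpd
    if with_manual_flows:
        spd.append(Flow(INTERNAL, ASP_NET, ASP_PEER, "require"))  # the ipsecadm flow
    sad = [SA(ASP_PEER, ASSIGNED, ASP_NET)]
    request = Packet(ip_address("192.168.1.10"), ip_address("10.1.2.3"))
    verdict = outbound(request, nat, spd, sad, nat_before_lookup)
    reply = Packet(ip_address("10.1.2.3"), NAT_ADDR)  # as it looks after decryption
    return verdict, str(nat.reverse(reply).dst)


if __name__ == "__main__":
    print("NAT before flow lookup:      ", scenario(True))
    print("NAT on enc0, manual flows:   ", scenario(False))
    print("NAT on enc0, no manual flows:", scenario(False, with_manual_flows=False))
```

Run it as a script to see the three cases side by side: translation before the lookup gives an ESP packet with the assigned 172.16.0.1 source and a reply that maps back to the internal host; translation after SA selection leaves the manual 192.168.x flow pointing at an SA whose selectors never cover it, so a "require" flow discards the packet before anything reaches enc0 and no NAT state exists for the reply.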
