Subject: picking source address for PCBs
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 10/04/2001 18:54:23
-----BEGIN PGP SIGNED MESSAGE-----
I have managed to get a "road-warrior" tunnel up between my notebook
and my file server. I have:
A.30 A.20
They are normally on the same subnet.
When they are not, I want to configure an IPsec tunnel like:
    outer src = random-IP
    outer dst = A.30
    inner src = A.20
    inner dst = A.30
This proves to be difficult. While I can build a series of SPD entries
with setkey that mark ICMP, UDP and TCP to go into the tunnel (!proto 51
would be better, but isn't there I think), I can not get the inner src set
correctly.
When talking to a subnet that was behind a gateway (with the outer dst not
on the same subnet), I just did:
    ifconfig lo0 inet A.20 alias
    route add -net subnet A.20
That solved the problem.
I was able to do this for inner == outer by picking a different outer.
I gave the file server a new alias (A.18) and set up my tunnel to that.
(Btw, I use the "generate_policy on" to get things to work)
This works for ping.
This did not work for SSH or telnet (I fixed this via:
    ProxyCommand nc -s A.20 %h %p
in .ssh/config)
I can do rpcbind -p on the file server (yes, I sometimes have enough
bandwidth to do NFS), but showmount and mount fail.
I happen to be presently at an associate's place where his firewall will
give me a real IP address on the wavelan, but it also blocks all non-IPsec
related stuff.
What I would like to do is to create a new route option. One that
basically says everything a normal host/net route does, but also says
"use X as the source address". I know that this may not play well with
certain daemons. That would get rid of the "route/alias" trick.
Thoughts?
(I do not really want to muck with IPF. There might be something I could
do, but I don't know what offhand)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBO7zonYqHRg3pndX9AQFUQQP/fLgG7a6Tih/3i+O7a8cA1A5peFmNv4Pw
saigfTKRecOKwPqAbwTFedC5SojhwX4uEGiAzO2HHAguB1XuNq1oVWoMQ1DpQZnb
/xSSDpmIY5kZUycQoCQH68xpL77EonKfJesBGiBP2BRO1t44cw0xhyhzWY0xezrD
4Zuf0d5eG9E=
=GmhI
-----END PGP SIGNATURE-----
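The post turns on how a PCB gets its source address: an unbound socket has the kernel pick one from the route to the destination, and the only portable way for an application to force a different one is to bind() first (which is what the `nc -s A.20` ProxyCommand does), and bind() only succeeds for an address the host actually owns, which is why the lo0 alias is needed. The following is an added example, not code from the poster or from NetBSD, that shows those three behaviours from user space with UDP sockets (a UDP connect() sends nothing, so it runs offline). The destination 127.0.0.1:9 and the non-local address 192.0.2.1 are constructed test values.

```python
import errno
import socket

# Constructed destination for the demonstration: loopback, discard port.
# connect() on a UDP socket transmits no packets; it only makes the kernel
# select a route and a source address for the socket (the PCB).
DEMO_DST = ("127.0.0.1", 9)


def kernel_chosen_source(dst=DEMO_DST):
    """Leave the socket unbound and let the kernel choose the source
    address when it connects, which is what in_pcbconnect() does: the
    choice follows the route to dst, not anything the application wants."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(dst)
        return s.getsockname()[0]
    finally:
        s.close()


def explicit_source(src, dst=DEMO_DST):
    """Bind to src before connecting, the equivalent of 'nc -s A.20' in the
    post: the PCB keeps src whatever the route would have picked.

    Returns the source address the socket ended up with, or None when the
    kernel refuses the bind with EADDRNOTAVAIL because src is not
    configured on any local interface. That refusal is the reason the post
    has to alias A.20 onto lo0 first (assumes the default sysctl state, in
    which non-local binds are rejected)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        try:
            s.bind((src, 0))
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return None
            raise
        s.connect(dst)
        return s.getsockname()[0]
    finally:
        s.close()


if __name__ == "__main__":
    print("kernel-chosen source to loopback:", kernel_chosen_source())
    print("explicit bind to 127.0.0.1:", explicit_source("127.0.0.1"))
    # 192.0.2.1 (TEST-NET-1) is not a local address here, so the bind fails
    print("bind to non-local 192.0.2.1:", explicit_source("192.0.2.1"))
```

The route option the post asks for would move the second behaviour into the kernel, so that every socket toward a given destination inherits the source address without each daemon having to bind, which is exactly the step the per-application ProxyCommand workaround cannot cover for showmount and mount.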