Is NAT traversal with OpenBSD IPsec possible?
Henning Riis Rasmussen
2002-06-21 13:41:52 UTC
Hi all!

I'm currently researching the use of OpenBSD as an IPsec gateway.

Is it possible to make the following work:

Client with IPsec software --->
(static IP) NAT (dynamic IP) --->
(static IP) OpenBSD (LAN) ??

The client needs to access the LAN on the other side of the OpenBSD
through an IPsec tunnel using the built-in support for IPsec in OpenBSD.

The client could be anything from Win98 to WinXP.

The NAT will typically be some sort of source Port and source IP
translation done by DSL routers (Cisco or some other).

Can the OpenBSD IPsec implementation handle this kind of NAT'ing?

Will it work with the native IPsec support in Windows 2000 and Windows
XP?

What 3rd party software would you recommend for this scenario for the
clients, and how should it be done in terms of configuration, patches,
use of shared secrets or certificates etc?

If anybody actually has a working setup like the above, I'd like very
much to hear from them!

If having the dynamic IP address won't work, can it be done having a
static IP address on the outside of the NAT box?

Regards,
Henning
Henning Riis Rasmussen
2002-06-21 16:43:18 UTC
Hi Stephen,

Thanks a lot for your input!

I'm not particularly tied to OpenBSD. In fact I have tried to find a
solution based on linux+FreeS/WAN, but have had some trouble making it work.
So I wanted to see if OpenBSD had something to offer.

I guess the NAT traversal patch to FreeS/WAN is the most promising avenue
right now (with commercial IPsec software for the clients), though I'm not
too happy to read that NAT-T won't support FTP and LDAP
(http://rr.sans.org/encryption/NAT2.php), and the NAT-T patch for FreeS/WAN
seems a little immature.

Regards,
Henning

-----Original Message-----
From: Stephen J Bevan [mailto:***@etunnels.com]
Sent: 21 June 2002 18:25
To: Henning Riis Rasmussen
Subject: Is NAT traversal with OpenBSD IPsec possible?
Post by Henning Riis Rasmussen
I'm currently researching the use of OpenBSD as an IPsec gateway.
Client with IPsec software --->
(static IP) NAT (dynamic IP) --->
(static IP) OpenBSD (LAN) ??
The client needs to access the LAN on the other side of the OpenBSD
The client could be anything from Win98 to WinXP.
The NAT will typically be some sort of source Port and source IP
translation done by DSL routers (Cisco or some other).
Can the OpenBSD IPsec implementation handle this kind of NAT'ing?
Not that I'm aware of, however ...

* If there is only one client behind the NAT then some NAT boxes will
route the IPsec packets back correctly.

* If the NAT box supports some sort of IPsec tracking
(e.g. Linux+iptables and OpenBSD+pf do for example) then that will
work too and if the SPI values are unique you can even have multiple
IPsec clients behind the same NAT box.

* If you are not tied to using OpenBSD to protect the LAN and your
client IPsec machines support NAT traversal then you could
use a Linux running FreeS/WAN with the NAT traversal patch to
protect your LAN.

* If you prefer to stick with OpenBSD but don't mind buying a
commercial solution then there are vendors who can provide an
OpenBSD based firewall/router/IPsec-gateway that you can load onto a
PC of your choice along with Windows clients, all of which can cope
with machines behind NAT/PAT.
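The three NAT cases Stephen lists above (a single client behind the box, SPI tracking that works when SPIs are unique, and NAT-T putting ESP inside UDP so ordinary port translation applies) as an added toy model; this is illustration code, not pf, FreeS/WAN or any router's implementation, and the addresses, SPIs and the "learn the reply SPI from the first inbound packet" heuristic are constructed assumptions.

```python
"""Toy model of ESP vs. NAT-T behind a PAT box (added illustration, not pf/FreeS/WAN code)."""
import struct
ESP, UDP = 50, 17                            # IP protocol numbers

def esp_spi(payload):
    return struct.unpack("!I", payload[:4])[0]   # SPI = first 4 bytes of an ESP header

class Nat:
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.udp = {}        # (peer, public port) -> inside ip
        self.spi = {}        # (peer, inbound SPI) -> inside ip, learned from the first reply
        self.pending = {}    # peer -> inside hosts still waiting for their first reply

    def outbound(self, inside_ip, peer, proto, payload):
        """Translate an inside packet; return the source port the peer sees (None for ESP)."""
        if proto == UDP:                     # NAT-T: the UDP/4500 wrapper gives PAT a port
            pub, self.next_port = self.next_port, self.next_port + 1
            self.udp[(peer, pub)] = inside_ip
            return pub
        waiting = self.pending.setdefault(peer, [])   # raw ESP: no ports; peer picks reply SPI
        if inside_ip not in waiting and inside_ip not in self.spi.values():
            waiting.append(inside_ip)
        return None

    def inbound(self, peer, proto, payload, dport=None):
        """Return the inside host for a packet from peer, or None if it cannot be decided."""
        if proto == UDP:
            return self.udp.get((peer, dport))
        spi = esp_spi(payload)
        if (peer, spi) in self.spi:          # a learned, unique SPI demuxes cleanly
            return self.spi[(peer, spi)]
        waiting = self.pending.get(peer, [])
        if len(waiting) != 1:                # none or several candidates: ambiguous, drop
            return None
        self.spi[(peer, spi)] = host = waiting.pop()
        return host

def demo():
    """Constructed scenario: clients 192.168.1.10-12 behind one NAT, gateway 203.0.113.1."""
    gw, esp = "203.0.113.1", lambda spi: struct.pack("!II", spi, 1) + b"\x00" * 16
    nat = Nat("198.51.100.7")
    nat.outbound("192.168.1.10", gw, ESP, esp(0x1001))   # single client: reply routable
    one_raw = nat.inbound(gw, ESP, esp(0xA001))
    for host in ("192.168.1.11", "192.168.1.12"):        # two clients up before any reply
        nat.outbound(host, gw, ESP, esp(0x1002))
    two_raw = nat.inbound(gw, ESP, esp(0xA002))
    p1 = nat.outbound("192.168.1.11", gw, UDP, esp(0x1002))   # same clients via NAT-T
    p2 = nat.outbound("192.168.1.12", gw, UDP, esp(0x1003))
    two_natt = (nat.inbound(gw, UDP, esp(0xA002), p1), nat.inbound(gw, UDP, esp(0xA003), p2))
    return one_raw, two_raw, two_natt
```

With raw ESP the second inbound packet is dropped because the NAT cannot tell which of the two waiting clients it belongs to; with NAT-T the per-client public port resolves it like any other UDP flow.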
Ash
2002-06-24 22:11:33 UTC
I recently bought a few Asante FriendlyNet 1000TPC cards for NFS
filers and they won't play nice. They seem fine until it's time to do IO
then.. nothing good. Newer version of the card firmware is not available
according to Asante. Would this be the result of a multiple PCI bus
master card situation?
Here's a taste of the trouble.
Card comes up OK (from dmesg). Note the strange 1/10/100/1000
designation:
nge0 at pci2 dev 12 function 0 "National Semiconductor DP83820
1/10/100/1000" rev 0x00: irq 5: Ethernet address: 00:50:fc:48:28:c2
nsgphy0 at nge0 phy 1: DP83861 10/100/1000 media interface, rev. 0

I can configure them.
# ifconfig nge0 192.168.0.6 netmask 255.255.255.0
# ifconfig nge0
nge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (1000baseTX full-duplex)
status: active
inet 192.168.0.6 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::250:fcff:fe48:28c2%nge0 prefixlen 64 scopeid 0x2

And the routes show up automatically.
# route monitor
# route -n show
192.168.0.0 link#2 U
...

But it cannot ping nor respond to ping; the dst is an OS X on
Gigabit with a few extra IP addresses.
# ping 192.168.0.66
PING 192.168.0.66 (192.168.0.66): 56 data bytes
got message of size 148 on Mon Jun 24 10:35:27 2002
RTM_ADD: Add Route: len 148, pid: 0, seq 0, errno 0,
flags:<UP,HOST,DONE,LLINFO>
locks: inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
ping: sendto: Host is down
ping: wrote 192.168.0.66 64 chars, ret=-1

Doesn't even acquire the MAC id of the destination.

# arp -an
? (140.90.90.253) at 00:04:76:df:49:e8
? (140.90.90.254) at 00:03:93:83:c5:1e
? (192.168.0.66) at (incomplete)

I've tried different switches, identical new NICs and different
speed/duplex settings. The only thing I get from the card is with
tcpdump. Note the clear lack of (icmp: echo request) messages as it
should be receiving ICMP ping. Most of that traffic looks like mangled
traffic from another part of our broken network.

# tcpdump -i nge0
tcpdump: listening on nge0
10:46:30.618590 0:0:94:ca:ce:88 > 1:80:c2:0:0:0 null I (s=0,r=0,C) len=42
10:46:30.780232 0:60:b0:58:f2:a7 sap e8 > 0:60:97:58:11:55 sap 5a rr
(r=7,R) len=42
10:46:31.069793 truncated-ip - 30559 bytes missing!196.10.0.0 >
137.55.0.0: ip-proto-0 30581 [tos 0x4] [ttl 0]
got message of size 84 on Mon Jun 24 10:46:42 2002
RTM_IFINFO: iface status change: len 84, if# 2,
flags:<UP,BROADCAST,PPROMISC,SIMPLEX,MULTICAST>got message of size 84 on
Mon Jun 24 10:46:42 2002
RTM_IFINFO: iface status change: len 84, if# 2,
flags:<UP,BROADCAST,PPROMISC,SIMPLEX,MULTICAST>got message of size 84 on
Mon Jun 24 10:46:46 2002
RTM_IFINFO: iface status change: len 84, if# 2,
flags:<UP,BROADCAST,RUNNING,PPROMISC,SIMPLEX,MULTICAST>got message of
size 84 on Mon Jun 24 10:46:47 2002
10:46:32.069633 truncated-ip - 30559 bytes
missing!cen2-105.centera.co.za > 0.0.141.131: ip-proto-0 30581 [tos 0x4]
[ttl 0]
10:46:32.220594 0:9:6b:b8:4a:2b sap f4 > 0:4:76:df:49:e8 sap 6b rr
(r=2,C) len=66

and the dmesg:
# dmesg
OpenBSD 3.1 (GENERIC) #59: Sat Apr 13 15:28:52 MDT 2002
***@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium 4 ("GenuineIntel" 686-class) 1.80 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,
SIMD
real mem = 669822976 (654124K)
avail mem = 614670336 (600264K)
using 5689 buffers containing 33595392 bytes (32808K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(48) BIOS, date 04/24/02, BIOS32 rev. 0 @
0xfd72a
pcibios0 at bios0: rev. 2.1 @ 0xfd6c0/0x940
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdec0/288 (16 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB PCI-ISA" rev
0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0x9800 0xc9800/0x1000 0xca800/0x1800
0xe0000/0x10000!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845 Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82845 AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Nvidia Vanta" rev 0x15
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x12
pci2 at ppb1 bus 2
fxp0 at pci2 dev 8 function 0 "Intel 82562" rev 0x03: irq 11, address
00:09:6b:b8:4a:2b
inphy0 at fxp0 phy 1: i82562ET 10/100 media interface, rev. 0
nge0 at pci2 dev 12 function 0 "National Semiconductor DP83820
1/10/100/1000" rev 0x00: irq 5: Ethernet address: 00:50:fc:48:28:c2
nsgphy0 at nge0 phy 1: DP83861 10/100/1000 media interface, rev. 0
pcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x12
pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x12: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <IC35L020AVVA07-0>
wd0: 16-sector PIO, LBA, 19470MB, 16383 cyl, 16 head, 63 sec, 39876480
sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <LG, CD-ROM CRD-8484B, 2.01> SCSI0 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x12: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82801BA SMBus" rev 0x12 at pci0 dev 31 function 3 not configured
uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB2" rev 0x12: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
auich0 at pci0 dev 31 function 5 "Intel 82801BA AC97 Audio" rev 0x12:
irq 5 ICH2 AC97
ac97: codec id 0x41445362 (Analog Devices <62>)
ac97: codec features headphone, No 3D Stereo
audio0 at auich0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask cc40 netmask cc60 ttymask cce2
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
Nathan Binkert
2002-06-25 03:03:28 UTC
Have you tried this at 100MB?
Post by Ash
# ping 192.168.0.66
PING 192.168.0.66 (192.168.0.66): 56 data bytes
got message of size 148 on Mon Jun 24 10:35:27 2002
RTM_ADD: Add Route: len 148, pid: 0, seq 0, errno 0,
flags:<UP,HOST,DONE,LLINFO>
sockaddrs: <DST,GATEWAY,IFP,IFA>
ping: sendto: Host is down
ping: wrote 192.168.0.66 64 chars, ret=-1
What is all of the extra junk above? (macosX ping?)
Post by Ash
I've tried different switches, identical new NICs and different
speed/duplex settings. The only thing I get from the card is with
tcpdump. Note the clear lack of (icmp: echo request) messages as it
should be receiving ICMP ping.. Most of that traffic looks like mangled
traffic from another part of our broken network.
What sort of switches have you used?
Ash
2002-06-25 14:50:30 UTC
Post by Nathan Binkert
Have you tried this at 100MB?
Yes
Post by Nathan Binkert
(other junk deleted)
RTM_ADD: Add Route: len 148, pid: 0, seq 0, errno 0,
flags:<UP,HOST,DONE,LLINFO>
sockaddrs: <DST,GATEWAY,IFP,IFA>
What is all of the extra junk above? (macosX ping?)
This is output from OpenBSD `route monitor` mixed with ping
output and this is the OpenBSD i386 box with the nge adapter.

The Mac OS X output is not really relevant, except it has working
gigabit.
Post by Nathan Binkert
I've tried different switches, identical new NICs and different
...
What sort of switches have you used?
Netgear @ 100bt fdx
Plaintree WaveSwitch 100 @ 10bt hdx
Cisco 1900 @ 100bt fdx/ hdx
Asante IntraCore 35120-2G @1000bt fdx

Help?!
ash