From: "Muenz, Michael" <m.muenz@spam-fetish.org>
To: freebsd-net@freebsd.org
Subject: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 09:53:51 +0200
Message-ID: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
List-Id: Networking and TCP/IP with FreeBSD
Hi,

seems this is a rather old topic but I want to check if there's perhaps some progress or chance to get this done. I'm using OPNsense based on FreeBSD 11 and there's a problem with NAT before IPSEC.

Some old discussions:

https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
http://undeadly.org/cgi?action=article&sid=20090127205841
https://github.com/opnsense/core/issues/440

What I want to achieve is: IPSEC between 10.26.1.0/24 and 10.24.66.0/24 (works). The peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:

10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0

If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an IP for 10.24.1.0 before it hits the VPN. My approach was:

    kldload ipfw_nat.ko
    ipfw nat 1 config ip 10.26.1.1 log reverse
    ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

So all packets from 10.26.2.x to 10.24.66.x will be NATted to IP 10.26.1.1 (LAN IP of Firewall-A). This works just fine and I see the replies on enc0:

    09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
    09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8

Sadly nothing else happens. My thought was it's just some kind of state tracking, so I played around with all kinds of sysctl values, but nothing helps.

Is there really no way to achieve a setup like this?

Thanks,
Michael
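As an added illustration (not part of the post, OPNsense or ipfw itself): a small Python model of ipfw's first-match lookup, fed with rule 179 from the post and the two packets from the enc0 tcpdump, to check whether each direction of the flow is handed to the nat instance at all. The pre-NAT inner host 10.26.2.10, the interface name lan0 and the extra return-direction rule 180 are assumptions for the demonstration, not a confirmed fix.

```python
# Model of ipfw rule matching for a NAT-before-IPsec ruleset.
# ipfw evaluates rules in ascending number order; a packet only reaches the
# libalias nat instance if some "nat N" rule's from/to pattern matches it.
import ipaddress
from dataclasses import dataclass
from typing import Optional, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str          # interface the packet is seen on


@dataclass(frozen=True)
class NatRule:
    number: int
    instance: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None   # optional "via <iface>" restriction

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.via is None or self.via == pkt.iface))

    def to_ipfw(self) -> str:
        """Render the rule as the ipfw(8) command that would install it."""
        cmd = f"ipfw add {self.number} nat {self.instance} ip from {self.src} to {self.dst}"
        return cmd + (f" via {self.via}" if self.via else "")


def nat_rule(number: int, instance: int, src: str, dst: str, via: Optional[str] = None) -> NatRule:
    return NatRule(number, instance, ipaddress.ip_network(src), ipaddress.ip_network(dst), via)


def first_nat_rule(rules: List[NatRule], pkt: Packet) -> Optional[int]:
    """Number of the first nat rule the packet hits, or None if no rule sends it to NAT."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number
    return None


# Constructed packets: the request before translation (hypothetical host 10.26.2.10 on
# a hypothetical lan0) and the reply exactly as seen on enc0 in the post.
REQUEST = Packet("10.26.2.10", "10.24.66.108", "lan0")
REPLY = Packet("10.24.66.108", "10.26.1.1", "enc0")

RULES_FROM_POST = [nat_rule(179, 1, "10.26.2.0/24", "10.24.66.0/24")]
# Assumed extra rule covering the reply direction (dst = the NAT address, arriving via enc0).
RULES_WITH_RETURN = RULES_FROM_POST + [nat_rule(180, 1, "10.24.66.0/24", "10.26.1.1/32", via="enc0")]
```

The point of the check: with only rule 179, `first_nat_rule` returns None for the reply, so the packet decrypted on enc0 is never offered to nat instance 1 for de-translation, whatever the state tables hold.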