From owner-freebsd-net@freebsd.org Wed Jul 19 08:35:21 2017
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 11:32:17 +0300
In-Reply-To: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
List-Id: Networking and TCP/IP with FreeBSD

On 19.07.2017 10:53, Muenz, Michael wrote:
> Hi,
>
> seems this is a rather old topic but I want to check if there's perhaps
> some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD11 and there's a problem with NAT
> before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works)
> Peer at Site-B cannot be changed anymore, but there's a second subnet
> (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an
> IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

What about the reverse NAT rule? You need to translate decrypted packets back
to 10.26.2.0, otherwise they will still have the 10.26.1.1 IP address as final
destination and will not be forwarded to 10.26.2.0.

-- 
WBR, Andrey V. Elsukov
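The point Andrey raises, worked through as an added example (it is not code from the thread, from ipfw or from libalias): a small model of the state table a single NAT instance keeps, run over the topology in Michael's mail. Addresses are the ones from the thread; the inside host, TCP ports, alias port range and the "request/reply" packets are constructed for the example. It shows that the original flow only falls inside the 10.26.1.0/24 <-> 10.24.66.0/24 selector after the source has been aliased, and that a decrypted reply keeps 10.26.1.1 as its destination, and so never heads for 10.26.2.0/24, unless the same instance un-aliases it on the way in.

```python
"""Why a NAT-before-IPsec setup needs translation in both directions.

Added example for this thread, not ipfw/libalias code: a model of the state
table one 'ipfw nat N' instance keeps, applied to the topology in the mail
(10.26.2.0/24 behind Router-A, NAT address 10.26.1.1, remote 10.24.66.0/24).
Host 10.26.2.10, the ports and the SPD selector are constructed for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
import itertools

SPD_LOCAL = ip_network("10.26.1.0/24")    # tunnel selector negotiated with Site-B
SPD_REMOTE = ip_network("10.24.66.0/24")
INSIDE_NET = ip_network("10.26.2.0/24")   # second Site-A subnet the peer knows nothing about
NAT_IP = "10.26.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatInstance:
    """One NAT instance fed in both directions: it aliases the source of packets
    heading for the tunnel and un-aliases the destination of decrypted replies
    using the state the first step created."""

    def __init__(self, alias_ip, first_port=40000):
        self.alias_ip = alias_ip
        self._ports = itertools.count(first_port)   # assumed alias port range
        self._by_flow = {}    # (proto, src, sport, dst, dport) -> alias port
        self._by_alias = {}   # (proto, alias port, remote, rport) -> (src, sport)

    def alias_outgoing(self, pkt):
        """The rule Michael has: rewrite the source to the NAT address, keep state."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._by_flow.get(flow)
        if port is None:
            port = next(self._ports)
            self._by_flow[flow] = port
            self._by_alias[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.alias_ip, sport=port)

    def unalias_incoming(self, pkt):
        """The missing reverse rule: restore the real destination of a reply.
        Packets with no matching state are passed through untouched."""
        orig = self._by_alias.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if orig is None or pkt.dst != self.alias_ip:
            return pkt
        return replace(pkt, dst=orig[0], dport=orig[1])


def matches_tunnel_policy(pkt):
    """The SPD check Firewall-A makes before it decides to encrypt."""
    return ip_address(pkt.src) in SPD_LOCAL and ip_address(pkt.dst) in SPD_REMOTE


def next_hop(pkt):
    """Where a decrypted packet goes once it has left enc0."""
    if pkt.dst == NAT_IP:
        return "none: still addressed to the NAT address, never reaches 10.26.2.0/24"
    if ip_address(pkt.dst) in INSIDE_NET:
        return "Router-A"
    return "default route"


def round_trip(nat, with_reverse_rule):
    """One request from an inside host and the reply that comes back through the tunnel."""
    request = Packet("10.26.2.10", 51000, "10.24.66.5", 22)
    aliased = nat.alias_outgoing(request)        # only now does it match the SPD
    reply = Packet(aliased.dst, aliased.dport, aliased.src, aliased.sport)
    decrypted = nat.unalias_incoming(reply) if with_reverse_rule else reply
    return {"request": request, "aliased": aliased, "decrypted": decrypted,
            "request_in_spd": matches_tunnel_policy(request),
            "aliased_in_spd": matches_tunnel_policy(aliased),
            "next_hop": next_hop(decrypted)}


if __name__ == "__main__":
    for flag in (False, True):
        r = round_trip(NatInstance(NAT_IP), with_reverse_rule=flag)
        print(f"reverse rule {'on ' if flag else 'off'}: reply ends as "
              f"{r['decrypted'].dst}:{r['decrypted'].dport} -> {r['next_hop']}")
```

Two things the model makes visible that matter when writing the real rules. The un-aliasing has to happen on the decrypted path, before the kernel's forwarding decision, because once a packet addressed to 10.26.1.1 has been accepted as local (or routed toward the 10.26.1.0/24 segment) there is nothing left to forward to Router-A. And Michael's instance is configured with `reverse`, which, as ipfw(8) describes it, swaps the way libalias treats incoming and outgoing packets; the reply rule therefore has to feed the instance in whichever direction that instance treats as "incoming", which is worth checking on the box rather than assuming.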