From owner-freebsd-net@freebsd.org Wed Jul 19 12:25:14 2017
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Muenz, Michael", freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 15:22:27 +0300
Message-ID: <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru>
In-Reply-To: <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.0.1

On 19.07.2017 15:02, Muenz, Michael wrote:
> On 19.07.2017 at 12:12, Andrey V. Elsukov wrote:
>>
>> Try to add the following rule:
>>
>> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>
>> This rule will pass a decrypted packet to the NAT instance, which will
>> check in the state table whether the packet should be translated back or not.
>>
>> You need to have the enc0 interface in the UP state, and the sysctl variable
>> net.enc.in.ipsec_filter_mask should be set to 1 or 2.
>>
>> After translation on enc0 the packet will be returned to the IPsec
>> subsystem, which will queue it for further processing in the netisr.
>> Since the destination address becomes foreign, it will be forwarded by the IP
>> stack.
>>
> 
> Hi,
> 
> I tried this but still no luck. Packets get seen by ipfw -ta list:
> 
> 00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from
> 10.26.2.0/24 to 10.24.66.0/24
> 00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from
> 10.24.66.0/24 to 10.26.1.1 in recv enc0
> 65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any
> 
> But there's nothing on the internal IF. Also played around with
> filter_mask and also one_pass.
> Also tried (as you see above) with a second nat instance where reverse
> is disabled.
> 
> Do you have any other clue?
> 
> Really appreciate your help, thanks!

Different NAT instances will not work for the same flow, because they
have different state tables. Packets in both directions should pass
through the same NAT instance.

What do you see in tcpdump on the enc0 interface?

-- 
WBR, Andrey V. Elsukov
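The following is an added example, not code from this thread, from Andrey, from Michael, or from FreeBSD itself. It turns the two points made above (enc0 must be UP with net.enc.in.ipsec_filter_mask set, and both directions of the tunnel flow must go through one NAT instance) into a reviewable ipfw ruleset for the addresses Michael posted, plus a small check that flags a ruleset which splits the flow over two instances. The rule numbers 178/179, NAT instance 1, the `same_ports` option, and the `out xmit enc0` qualifier on the outbound rule are assumptions; the `ipfw -ta list` sample is constructed to mirror the thread, not captured from a live system.

```shell
#!/bin/sh
# Added example for the "NAT before IPsec" setup discussed in the thread.
# Not code from the thread or from FreeBSD: it applies Andrey's advice
# (enc0 UP + net.enc.in.ipsec_filter_mask, one NAT instance for both
# directions) to the addresses Michael posted. Rule numbers, the NAT
# instance number and the 'out xmit enc0' qualifier are assumptions.

LOCAL_NET=10.26.2.0/24    # hosts behind this gateway (from the thread)
REMOTE_NET=10.24.66.0/24  # network on the far side of the tunnel (from the thread)
NAT_IP=10.26.1.1          # address the local hosts are translated to (from the thread)
NAT_ID=1                  # the single instance both directions share (assumption)

# Preconditions Andrey lists. Printed rather than executed so the file can
# be reviewed first; run 'enc0_preconditions | sh' on the gateway to apply.
# The outbound mask is its default of 1; assumption: that is what lets the
# 'out xmit enc0' rule below see the plaintext packet before encryption.
enc0_preconditions() {
    cat <<EOF
ifconfig enc0 up
sysctl net.enc.in.ipsec_filter_mask=1
sysctl net.enc.out.ipsec_filter_mask=1
EOF
}

# The ruleset, in the form 'ipfw -q /dev/stdin' accepts. Both directions use
# NAT instance $NAT_ID, so the reply arriving from the tunnel finds the state
# entry the outbound packet created. Apply: ipsec_nat_rules | ipfw -q /dev/stdin
ipsec_nat_rules() {
    cat <<EOF
nat ${NAT_ID} config ip ${NAT_IP} same_ports
add 178 nat ${NAT_ID} ip from ${LOCAL_NET} to ${REMOTE_NET} out xmit enc0
add 179 nat ${NAT_ID} ip from ${REMOTE_NET} to ${NAT_IP} in recv enc0
EOF
}

# Check for an existing ruleset: feed 'ipfw -ta list' (or 'ipfw list') output
# on stdin and get every NAT instance number referenced by a rule, one per line.
nat_instances_in_rules() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "nat" && $(i+1) ~ /^[0-9]+$/) seen[$(i+1)] = 1 }
         END { for (n in seen) print n }' | sort -n
}

# Exit 0 when every NAT rule refers to the same instance (what the tunnel
# flow needs), 1 when the flow is split over several state tables.
check_single_nat_instance() {
    count=$(nat_instances_in_rules | wc -l | tr -d ' ')
    [ "$count" -eq 1 ]
}

# Constructed sample in the layout of 'ipfw -ta list', copying the
# two-instance ruleset from the thread (not a capture from a live system).
TWO_INSTANCE_RULES='00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any'

# Stand-alone demo: sh thisfile demo
if [ "${1:-}" = demo ]; then
    if printf '%s\n' "$TWO_INSTANCE_RULES" | check_single_nat_instance; then
        echo "thread ruleset: single NAT instance"
    else
        echo "thread ruleset: flow split over NAT instances" \
            "$(printf '%s\n' "$TWO_INSTANCE_RULES" | nat_instances_in_rules | tr '\n' ' ')"
    fi
    ipsec_nat_rules | check_single_nat_instance && echo "generated ruleset: single NAT instance"
    echo "--- ruleset to apply ---"
    ipsec_nat_rules
fi
```

Run with `sh thisfile demo` to see the two-instance ruleset from the thread rejected and the generated one accepted; on the gateway, `ipfw -ta list | sh -c '. ./thisfile; check_single_nat_instance'` performs the same check against the live rules. Counters on rule 179 going up while nothing leaves the internal interface, as in Michael's listing, is exactly the symptom of a reply hitting a NAT instance whose state table never saw the outbound packet.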