Date: Wed, 19 Jul 2017 15:22:27 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Muenz, Michael" <m.muenz@spam-fetish.org>, freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru>
In-Reply-To: <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>
On 19.07.2017 15:02, Muenz, Michael wrote:
> On 19.07.2017 at 12:12, Andrey V. Elsukov wrote:
>>
>> Try to add the following rule:
>>
>> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>
>> This rule will pass a decrypted packet to the NAT instance, which will
>> check in the state table whether a packet should be translated back or not.
>>
>> You need to have the enc0 interface in UP state, and the sysctl variable
>> net.enc.in.ipsec_filter_mask should be set to 1 or 2.
>>
>> After translation on enc0 a packet will be returned to the IPsec
>> subsystem, which will queue it for further processing in the netisr.
>> Since the destination address becomes foreign, it will be forwarded by the IP
>> stack.
>>
>
> Hi,
>
> I tried this but still no luck. Packets get seen by ipfw -ta list:
>
> 00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
> 00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
> 65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any
>
> But there's nothing on the internal IF. Also played around with
> filter_mask and also one_pass.
> Also tried (as you see above) with a second nat instance where reverse
> is disabled.
>
> Do you have any other clue?
>
> Really appreciate your help, thanks!

Different NAT instances will not work for the same flow, because they
have different state tables. Packets in both directions should pass through
the same NAT instance.

What do you see in tcpdump on the enc0 interface?

-- 
WBR, Andrey V. Elsukov
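The point of the reply above is that both directions of the flow must hit one NAT instance, with enc0 up and net.enc.in.ipsec_filter_mask set, because each ipfw nat instance keeps its own state table. The script below is an added example written for this page, not code from the thread or from FreeBSD: it emits the matching ruleset and checks an `ipfw list`-style dump for the two-instance mistake Michael's listing shows. The networks come from the thread; that 10.26.1.1 is the address the inside network is translated to, and the rule numbers 178/179, are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): one ipfw NAT instance for both
# directions of an IPsec-tunnelled flow, plus the enc0 prerequisites.

NAT_INSTANCE=1            # both nat rules must name this same instance
NAT_ADDR=10.26.1.1        # assumption: tunnel-side address the LAN is NATed to
INSIDE_NET=10.26.2.0/24   # LAN behind the gateway (from the thread)
REMOTE_NET=10.24.66.0/24  # network on the far side of the tunnel (from the thread)
IPSEC_FILTER_MASK=1       # net.enc.in.ipsec_filter_mask; the thread says 1 or 2

# Emit the commands instead of running them, so the ruleset can be reviewed
# and tested on a machine without ipfw; pipe the output into sh on the gateway.
ipsec_nat_rules() {
    cat <<EOF
ifconfig enc0 up
sysctl net.enc.in.ipsec_filter_mask=$IPSEC_FILTER_MASK
ipfw nat $NAT_INSTANCE config ip $NAT_ADDR
ipfw add 178 nat $NAT_INSTANCE ip from $REMOTE_NET to $NAT_ADDR in recv enc0
ipfw add 179 nat $NAT_INSTANCE ip from $INSIDE_NET to $REMOTE_NET
EOF
}

# Reads an 'ipfw list' / 'ipfw -ta list' dump on stdin and succeeds only if
# every nat rule refers to one and the same instance.  A reply that is handed
# to a different instance than the outbound packet can never be matched to
# the outbound state, which is exactly the symptom described in the thread.
nat_instances_consistent() {
    awk '
        / nat [0-9]+ / {
            for (i = 1; i < NF; i++) if ($i == "nat") seen[$(i + 1)] = 1
        }
        END {
            n = 0
            for (k in seen) n++
            if (n == 1) exit 0
            exit 1
        }'
}

# Self-check, then print the ruleset when invoked with --print.
if [ "${1:-}" = "--print" ]; then
    ipsec_nat_rules | nat_instances_consistent \
        || { echo "nat rules use more than one instance" >&2; exit 1; }
    ipsec_nat_rules
fi
```

Run `sh thisfile.sh --print | ipfw -ta list`-style dumps from a live box through `nat_instances_consistent` as well; Michael's listing (nat 1 outbound, nat 2 on enc0) makes it fail, which is the diagnosis Andrey gives. The script does not touch net.inet.ip.fw.one_pass, which the thread also mentions; with one_pass enabled a packet leaves the ruleset right after the nat action, so any later rules are not consulted for it.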