Date: Wed, 26 Jul 2017 16:09:01 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Muenz, Michael" <m.muenz@spam-fetish.org>, freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <dfdc01ca-8312-4a0d-5b82-074bb9a00a8a@yandex.ru>
In-Reply-To: <6bf87e8a-f557-bfab-13ce-dd8accb88299@spam-fetish.org>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <cdb7e172-4074-4559-1e91-90c8e9276134@spam-fetish.org> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> <c738380c-e0cc-2d32-934e-a05502887b93@yandex.ru> <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org> <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru> <f4c5a11c-a329-d746-ece8-e3752a6c82ea@spam-fetish.org> <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru> <ada882bb-7344-49c5-0e47-e1432f27f1c9@spam-fetish.org> <860b48aa-b99e-7b71-3724-587ee0a7fe80@spam-fetish.org> <1b831b84-1d3f-38cb-acee-07a339315417@yandex.ru> <0bbf5bb9-8089-f9ce-3b1d-e9bcbdbc6c76@spam-fetish.org> <e870fe5e-431c-49b6-5960-123d0c7be0a9@yandex.ru> <3a7d5a5b-3b72-4cfe-2d8e-c832f7bfab5c@spam-fetish.org> <2672efbc-49f2-efba-07d6-feeb5c8e3757@yandex.ru> <6bf87e8a-f557-bfab-13ce-dd8accb88299@spam-fetish.org>
On 26.07.2017 15:33, Muenz, Michael wrote:
>> Also, since your policies use "unique" level, you need to specify the
>> same level using "unique:N" syntax.
>>
>> Also if it is interesting to you, I patched ipfw_nat to be able to specify
>> needed direction. The patch is untested at all :)
>> https://people.freebsd.org/~ae/nat_in_out.diff
>>
>> You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also
>> ipfw(8) binary.
>>
>
> You are a genius! Many thanks for your patience with me! Now I have a
> running setup and it also works with unpatched OPNsense kernel:
>
> kldload ipfw_nat
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> setkey -PD | grep unique
> setkey -v -c
> spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
> esp/tunnel/213.244.192.191-81.24.74.3/unique:X ;
> ^D
>
> That's all! I got it running, did a reboot and then it failed every time
> until I saw the number after unique changes.
>
> How is this number calculated? I need this for templating the script.

This number is chosen by strongswan. It would be better to know how to
configure it to specify both prefixes.

You also can set 10.26.0.0/22 prefix somewhere in leftsubnet, and then
filter 10.26.1.0/24 and 10.26.3.0/24 using firewall. I think then strongswan
will generate policy that will route all needed traffic into tunnel. And no
manual post-configuration will be needed.

-- 
WBR, Andrey V. Elsukov
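Since the reqid after "unique:" is chosen by strongswan and changes across reboots, a templated script has to read it back from the installed policy rather than hard-code it; the following is an added shell example, not code from either poster. It assumes the `setkey -DP` layout shown in the constructed sample (reqid 3, spids and pids are made up), that the tunnel's own leftsubnet is 10.26.1.0/24, and the function names `reqid_for`, `spdadd_line` and `template_policy` are mine.

```shell
#!/bin/sh
# Constructed sample of `setkey -DP` output for the policies strongswan installed
# (layout assumed to follow FreeBSD's setkey; reqid 3, spid and pid values are made up;
# leftsubnet 10.26.1.0/24 is an assumption about the original tunnel).
SAMPLE_SPD='10.24.66.0/24[any] 10.26.1.0/24[any] any
    in ipsec
    esp/tunnel/81.24.74.3-213.244.192.191/unique:3
    spid=1 seq=1 pid=1234
    refcnt=1
10.26.1.0/24[any] 10.24.66.0/24[any] any
    out ipsec
    esp/tunnel/213.244.192.191-81.24.74.3/unique:3
    spid=2 seq=0 pid=1234
    refcnt=1
'

# reqid_for SRC DST DIR: read setkey -DP output on stdin and print the N from
# "unique:N" of the policy whose selector is SRC -> DST in direction DIR.
# Exits 1 when no such policy exists, so callers never template a stale reqid.
reqid_for() {
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        /^[0-9]/ {                        # IPv4 selector line: "src[port] dst[port] proto"
            s = $1; d = $2; sub(/\[.*/, "", s); sub(/\[.*/, "", d)
            sel_ok = (s == src && d == dst); dir_ok = 0
            next
        }
        sel_ok && $1 == dir { dir_ok = 1; next }    # "out ipsec" / "in ipsec"
        sel_ok && dir_ok && /unique:/ {
            sub(/.*unique:/, ""); sub(/[^0-9].*/, "")   # keep only the number
            print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# spdadd_line SRC DST DIR LOCAL_GW REMOTE_GW REQID: the manual policy line in
# the form fed to `setkey -c` above, with the reqid filled in.
spdadd_line() {
    printf 'spdadd -4 %s %s any -P %s ipsec esp/tunnel/%s-%s/unique:%s ;\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# template_policy NAT_SUBNET: build the outbound policy for the NATed subnet,
# reusing the reqid strongswan chose for the tunnel's own 10.26.1.0/24 policy.
# On a live box, replace the printf of the sample with a real `setkey -DP`.
template_policy() {
    reqid=$(printf '%s' "$SAMPLE_SPD" | reqid_for 10.26.1.0/24 10.24.66.0/24 out) || return 1
    spdadd_line "$1" 10.24.66.0/24 out 213.244.192.191 81.24.74.3 "$reqid"
}
template_policy 10.26.2.0/24
```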