Subject: Re: NAT before IPSEC - reply packets stuck at enc0
From: "Andrey V. Elsukov"
To: "Muenz, Michael", freebsd-net@freebsd.org
Date: Wed, 26 Jul 2017 16:09:01 +0300
In-Reply-To: <6bf87e8a-f557-bfab-13ce-dd8accb88299@spam-fetish.org>

On 26.07.2017 15:33, Muenz, Michael wrote:
>> Also, since your policies use the "unique" level, you need to specify the
>> same level using the "unique:N" syntax.
>>
>> Also, if it is interesting to you, I patched ipfw_nat to be able to specify
>> the needed direction. The patch is untested at all :)
>> https://people.freebsd.org/~ae/nat_in_out.diff
>>
>> You need to rebuild the ipfw(4) and ipfw_nat(4) kernel modules, and also
>> the ipfw(8) binary.
>>
>
> You are a genius! Many thanks for your patience with me! Now I have a
> running setup and it also works with the unpatched OPNsense kernel:
>
> kldload ipfw_nat
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> setkey -PD | grep unique
> setkey -v -c
> spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
> esp/tunnel/213.244.192.191-81.24.74.3/unique:X ;
> ^D
>
> That's all! I got it running, did a reboot and then it failed every time
> until I saw that the number after unique changes.
>
> How is this number calculated? I need this for templating the script.

This number is chosen by strongswan. It would be better to know how to
configure it to specify both prefixes. You can also set the 10.26.0.0/22
prefix somewhere in leftsubnet, and then filter 10.26.1.0/24 and
10.26.3.0/24 using the firewall. I think then strongswan will generate a
policy that will route all needed traffic into the tunnel, and no manual
post-configuration will be needed.

-- 
WBR, Andrey V. Elsukov
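The script templating problem Michael raises (the number after `unique:` is chosen by strongswan and changes across reboots) can be handled by reading the installed SPD entry back instead of hard-coding the level. The following shell script is an added example written for this page; it is not code from the thread, from FreeBSD or from OPNsense. It reads `setkey -PD`-style output on stdin, locates the entry for a given selector and direction, prints the `N` from its `unique:N` policy, and renders the matching `spdadd` line. The sample SPD dump embedded below is constructed to resemble setkey(8) output for the thread's subnets and gateways; the level value 42 is made up, and the exact layout of `setkey -PD` output is an assumption that should be checked against the host before use.

```shell
#!/bin/sh
# Added example (not from the thread): template the spdadd line from the
# unique level strongswan actually installed, never from a guessed number.
#
# usage: setkey -PD | unique_level SRC/LEN DST/LEN out|in
# Prints N from "unique:N" for the matching SPD entry; exits 1 if absent.
unique_level() {
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        # A selector line starts in column 1: "SRC[any] DST[any] any"
        /^[0-9]/ { sel_ok = ($1 == src "[any]" && $2 == dst "[any]"); dir_ok = 0; next }
        # The next indented line names the direction: "out ipsec" / "in ipsec"
        sel_ok && $1 == dir { dir_ok = 1; next }
        # Then the policy line "esp/tunnel/A-B/unique:N"; keep only N
        sel_ok && dir_ok && /unique:/ { sub(/.*unique:/, ""); print; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Render the out policy with the discovered level.
# usage: render_spdadd SRC/LEN DST/LEN LOCAL_GW REMOTE_GW LEVEL
render_spdadd() {
    printf 'spdadd -4 %s %s any -P out ipsec esp/tunnel/%s-%s/unique:%s ;\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample resembling `setkey -PD` output for the thread's
# subnets (assumed layout); the level 42 is made up, strongswan picks
# the real one at runtime.
SAMPLE_SPD='10.26.2.0/24[any] 10.24.66.0/24[any] any
	out ipsec
	esp/tunnel/213.244.192.191-81.24.74.3/unique:42
	spid=8 seq=1 pid=1234
	refcnt=1
10.24.66.0/24[any] 10.26.2.0/24[any] any
	in ipsec
	esp/tunnel/81.24.74.3-213.244.192.191/unique:42
	spid=7 seq=0 pid=1234
	refcnt=1'

# Demo run: stop if no matching entry exists rather than installing a
# policy with a wrong level, which would not match the SA strongswan
# negotiated. On a real host replace the printf with: setkey -PD
level=$(printf '%s\n' "$SAMPLE_SPD" | unique_level 10.26.2.0/24 10.24.66.0/24 out) \
    || { echo "no out policy for 10.26.2.0/24 -> 10.24.66.0/24" >&2; exit 1; }
render_spdadd 10.26.2.0/24 10.24.66.0/24 213.244.192.191 81.24.74.3 "$level"
```

The direction matters when reading the dump: the `in` entry lists the selector in the reverse order, so the same function finds it with the source and destination swapped and `in` as the third argument. Because the function exits non-zero when no entry matches, a wrapper script can refuse to feed anything to `setkey -c` until strongswan has actually installed the policy.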