Date:      Thu, 11 Jun 2009 12:14:35 +0200
From:      Attila Nagy <bra@fsn.hu>
To:        freebsd-net@FreeBSD.org
Subject:   Redirecting traffic with IPSec and pf doesn't work
Message-ID:  <4A30D90B.3020007@fsn.hu>


Hello,

What I'm trying to accomplish is the following:
- there are two machines, connected over the internet (let's call them A 
and B)
- when A tries to connect to B:port, or B to A:port (via TCP, port is 
just a TCP port, in this case, 3306) the connection should be redirected 
to a local listener, instead of the remote
- the above should only be done if I want to (I can do this with pf 
anchors or tables)
- the connection between the two machines should be secured in kernel 
space (for efficiency and performance)

I can redirect the connections in the unsecured (no IPSec) case with the 
following pf.conf (this is for machine A):
rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
pass out log on $ext_if route-to (lo0 127.0.0.1 ) proto tcp from any to 
B_IP port 3306
(192.168.254.1 is an alias on A's lo0)

So when I do a telnet from A to B, the connection establishes and I can 
reach A's listener, instead of B's.

Now with IPSec.

ipsec.conf contains this (along with the PSK definitions):
spdadd A_IP B_IP any -P out ipsec
           esp/transport/A_IP-B_IP/default
           ah/transport/A_IP-B_IP/default;
and the same on B, with swapped orders.

IPSec between the two machines works, but the redirection doesn't.

pf.conf now has:
rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
pass out log on enc0 route-to (lo0 127.0.0.1 ) proto tcp from any to 
B_IP port 3306

(192.168.254.1 is lo0's alias address in this case, but I've also tried 
with A's public IP and also with a gif tunnel)

What I see in pflog's output seems to be OK:
100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S 
3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 
3,sackOK,timestamp 69415267 0>
000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: 
S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 
3,sackOK,timestamp 69415267 0>

and the traffic shows up on enc0 as well, but is not that nice:
11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > 
B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 
3,sackOK,timestamp 69415267 0>
11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > 
B_IP.3306: R 3107058077:3107058077(0) win 0

The command, which produced the above output is:
MACHINE_A $ telnet B_IP 3306
telnet: connect to address B_IP: Interrupted system call
telnet: Unable to connect to remote host

I've tried to set net.enc.out.ipsec_filter_mask to different values 
without success, only 0x0 gave a connection refused answer, instead of 
"Interrupted system call".

This is on 7-STABLE.

Is redirecting TCP flows on IPSec secured connections impossible because of 
some layering differences? (maybe the above redirects the packet with 
IPSec headers, so this causes the problem)

Thanks,


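The two-host setup described in the post, regenerated as a small shell script so the SPD and the pf rules can be reviewed side by side and loaded reproducibly on each box. This is an added example, not code from the post or from FreeBSD. Assumptions: the addresses 192.0.2.1/192.0.2.2 stand in for A_IP/B_IP, the listener alias 192.168.254.1 and port 3306 are taken from the post, the policy uses "require" where the post used "default" (so nothing leaves in cleartext when no SA is present), and the mirrored "-P in" policy is added because a host needs it to protect the reply direction; the script makes no claim about why the redirect fails, it only lays out the configuration the question is about.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate the two-host lab
# described above.  Addresses and the demo mode are placeholders chosen here.

# Emit a symmetric SPD for one host.  The post shows only the "out" policy
# and says B mirrors it; the "in" policy (peer -> me) is added here so the
# reply direction is covered too.  "require" is this example's choice, the
# post used "default".
gen_spd() {
    me=$1; peer=$2
    printf 'spdadd %s %s any -P out ipsec\n' "$me" "$peer"
    printf '    esp/transport/%s-%s/require\n' "$me" "$peer"
    printf '    ah/transport/%s-%s/require;\n' "$me" "$peer"
    printf 'spdadd %s %s any -P in ipsec\n' "$peer" "$me"
    printf '    esp/transport/%s-%s/require\n' "$peer" "$me"
    printf '    ah/transport/%s-%s/require;\n' "$peer" "$me"
}

# Emit the pf rules from the post for one host: rdr the peer's port to the
# local lo0 alias, and route the outbound flow seen on enc0 back to lo0.
gen_pf() {
    peer=$1; port=$2; alias=$3
    cat <<EOF
# redirect connections to $peer:$port to the local listener on lo0's alias
rdr pass log proto tcp from any to $peer port $port -> $alias port $port
# once IPsec is up the flow is filtered on enc0; hand it to lo0 so the
# rewritten packet is delivered locally instead of to the peer
pass out log on enc0 route-to (lo0 127.0.0.1) proto tcp from any to $peer port $port
EOF
}

# Write both files for this host; returns 0 on success.  Files are written
# under $1 so the generated config can be inspected before loading.
write_configs() {
    dir=$1; me=$2; peer=$3; port=$4; alias=$5
    gen_spd "$me" "$peer" > "$dir/ipsec.conf" || return 1
    gen_pf "$peer" "$port" "$alias" > "$dir/pf.conf" || return 1
    return 0
}

# Dump what the kernel actually has loaded; only meaningful on the FreeBSD
# host itself, elsewhere it just says so and returns 0.
inspect() {
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "inspect: run this on the FreeBSD host" >&2
        return 0
    fi
    setkey -DP                      # installed security policies (SPD)
    setkey -D                       # negotiated SAs (SAD)
    pfctl -sn                       # loaded rdr/nat rules
    pfctl -ss                       # state table, shows where the flow went
    sysctl net.enc.in.ipsec_filter_mask net.enc.out.ipsec_filter_mask
}

# Demo: "./lab.sh demo" prints host A's two files to stdout.
if [ "${1:-}" = demo ]; then
    gen_spd 192.0.2.1 192.0.2.2
    echo
    gen_pf 192.0.2.2 3306 192.168.254.1
fi
```

On host B the same script is run with the two addresses swapped (gen_spd 192.0.2.2 192.0.2.1 and gen_pf 192.0.2.1 ...), which reproduces the "same on B, with swapped orders" from the post. After loading with setkey -f ipsec.conf and pfctl -f pf.conf, inspect shows whether the SPD entries, SAs and rdr rules the post describes are really what the kernel has, and the state table tells you which interface the SYN was matched on.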
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A30D90B.3020007>