Date: Thu, 11 Jun 2009 12:14:35 +0200
From: Attila Nagy <bra@fsn.hu>
To: freebsd-net@FreeBSD.org
Subject: Redirecting traffic with IPSec and pf doesn't work
Message-ID: <4A30D90B.3020007@fsn.hu>
Hello,

What I'm trying to accomplish is the following:

- there are two machines, connected over the internet (let's call them A and B)
- when A tries to connect to B:port, or B to A:port (via TCP; port is just a TCP port, in this case 3306), the connection should be redirected to a local listener instead of the remote one
- the above should only be done if I want to (I can do this with pf anchors or tables)
- the connection between the two machines should be secured in kernel space (for efficiency and performance)

I can redirect the connections in the unsecured (no IPSec) case with the following pf.conf (this is for machine A):

  rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
  pass out log on $ext_if route-to (lo0 127.0.0.1 ) proto tcp from any to B_IP port 3306

(192.168.254.1 is an alias on A's lo0)

So when I do a telnet from A to B, the connection establishes and I can reach A's listener instead of B's.

Now with IPSec. ipsec.conf contains this (along with the PSK definitions):

  spdadd A_IP B_IP any -P out ipsec esp/transport/A_IP-B_IP/default ah/transport/A_IP-B_IP/default;

and the same on B, with swapped order. IPSec between the two machines works, but the redirection doesn't. pf.conf now has:

  rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
  pass out log on enc0 route-to (lo0 127.0.0.1 ) proto tcp from any to B_IP port 3306

(192.168.254.1 is lo0's alias address in this case, but I've also tried with A's public IP and also with a gif tunnel)

What I see in pflog's output seems to be OK:

  100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
  000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>

and the traffic shows up on enc0 as well, but is not that nice:

  11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
  11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R 3107058077:3107058077(0) win 0

The command which produced the above output is:

  MACHINE_A $ telnet B_IP 3306
  telnet: connect to address B_IP: Interrupted system call
  telnet: Unable to connect to remote host

I've tried to set net.enc.out.ipsec_filter_mask to different values without success; only 0x0 gave a "connection refused" answer instead of "Interrupted system call".

This is on 7-STABLE.

Is redirecting TCP flows on IPSec-secured connections impossible because of some layering differences? (Maybe the above redirects the packet with IPSec headers, so this causes the problem.)

Thanks,
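A diagnostic check for the symptom in the enc0 capture above (the initiator's SYN followed by its own RST on the same 4-tuple, with nothing coming back from the peer), added here as an example and not part of the original mail: a POSIX sh/awk filter over tcpdump-style lines. The sample input is constructed from the two enc0 lines in the mail (A_IP/B_IP kept as placeholders) plus one healthy flow, so that a capture from enc0, pflog0 or any other interface can be piped through it to separate self-aborted flows from ones the peer answered.

```shell
#!/bin/sh
# Constructed sample: the two enc0 lines from the mail (A_IP/B_IP kept as
# placeholders) plus one healthy flow where the peer answers the SYN.
SAMPLE_ENC0='11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R 3107058077:3107058077(0) win 0
11:57:40.100000 (confidential): SPI 0x00003d55: IP A_IP.59941 > B_IP.22: S 1000:1000(0) win 65535 <mss 1460>
11:57:40.120000 (confidential): SPI 0x00003d56: IP B_IP.22 > A_IP.59941: S 2000:2000(0) ack 1001 win 65535 <mss 1460>'

# find_self_resets: read tcpdump-style lines on stdin and print "src > dst"
# for every flow whose initiator sent a SYN and then, before any packet came
# back from the peer, a RST on the same 4-tuple. That is the pattern in the
# mail: the local stack aborts its own connection attempt.
find_self_resets() {
  awk '
    {
      # locate the "IP src > dst: flags" group; lines without it are skipped
      for (i = 1; i <= NF; i++) if ($i == "IP") break
      if (i + 4 > NF) next
      src = $(i + 1); dst = $(i + 3); flags = $(i + 4)
      sub(/:$/, "", dst)
      key = src " > " dst
      rev = dst " > " src
      # any packet from the peer means the SYN was answered, not self-reset
      if ((rev in state) && state[rev] == "syn") { state[rev] = "answered"; next }
      if (flags == "S" && !(key in state)) { state[key] = "syn"; next }
      if (flags == "R" && (key in state) && state[key] == "syn") {
        state[key] = "reset"
        print key
      }
    }'
}

# Usage: feed a capture (here the constructed sample) to the filter.
printf '%s\n' "$SAMPLE_ENC0" | find_self_resets
```

Run against a live capture with `tcpdump -n -l -i enc0 | find_self_resets` after sourcing the file; only the 3306 flow from the mail is reported, the answered flow on port 22 is not.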