From owner-freebsd-net@FreeBSD.ORG Thu Jun 11 10:32:10 2009
Message-ID: <4A30D90B.3020007@fsn.hu>
Date: Thu, 11 Jun 2009 12:14:35 +0200
From: Attila Nagy <bra@fsn.hu>
To: freebsd-net@FreeBSD.org
Subject: Redirecting traffic with IPSec and pf doesn't work
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>

Hello,

What I'm trying to accomplish is the following:

- there are two machines, connected over the internet (let's call them A and B)
- when A tries to connect to B:port, or B to A:port (via TCP; port is just a TCP port, in this case 3306), the connection should be redirected to a local listener instead of the remote one
- the above should only be done if I want it to be (I can do this with pf anchors or tables)
- the connection between the two machines should be secured in kernel space (for efficiency and performance)

I can redirect the connections in the unsecured (no IPSec) case with the following pf.conf (this is for machine A):

  rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
  pass out log on $ext_if route-to (lo0 127.0.0.1) proto tcp from any to B_IP port 3306

(192.168.254.1 is an alias on A's lo0)

So when I do a telnet from A to B, the connection establishes and I reach A's listener instead of B's.

Now with IPSec. ipsec.conf contains this (along with the PSK definitions):

  spdadd A_IP B_IP any -P out ipsec esp/transport/A_IP-B_IP/default ah/transport/A_IP-B_IP/default;

and the same on B, with the addresses swapped. IPSec between the two machines works, but the redirection doesn't. pf.conf now has:

  rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
  pass out log on enc0 route-to (lo0 127.0.0.1) proto tcp from any to B_IP port 3306

(192.168.254.1 is lo0's alias address in this case too, but I've also tried it with A's public IP and also with a gif tunnel)

What I see in pflog's output seems to be OK:

  100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
  000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>

and the traffic shows up on enc0 as well, but it is not that nice:

  11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
  11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R 3107058077:3107058077(0) win 0

The command which produced the above output is:

  MACHINE_A $ telnet B_IP 3306
  telnet: connect to address B_IP: Interrupted system call
  telnet: Unable to connect to remote host

I've tried setting net.enc.out.ipsec_filter_mask to different values without success; only 0x0 gave a "connection refused" answer instead of "Interrupted system call".

This is on 7-STABLE.

Is redirecting TCP flows on IPSec-secured connections impossible because of some layering differences? (Maybe the above redirects the packet with the IPSec headers, and this causes the problem.)

Thanks,
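The following pf.conf is an added example, not part of the message above or of any reply to it. It writes out the cleartext (non-IPSec) redirection that the author reports working, and adds the runtime on/off switch the author mentions being able to do with pf anchors or tables, using a table so that the hijack can be enabled per peer with pfctl and nothing else has to be reloaded. It does not claim to fix the enc0 case: the interface name em0 and the table name <redir_peers> are assumptions; B_IP, the 192.168.254.1 lo0 alias and the route-to (lo0 127.0.0.1) mechanics are taken from the message.

```pf
# Added example (not from the original message): machine A's pf.conf with
# a switchable redirection of B:3306 to a local listener.
# Assumptions: $ext_if = em0, table name <redir_peers>.
# Taken from the message: B_IP placeholder, 192.168.254.1 as an alias on lo0,
# route-to (lo0 127.0.0.1) to loop the SYN back into the host.

ext_if         = "em0"              # assumed interface name
redir_port     = "3306"
local_listener = "192.168.254.1"    # alias on A's lo0, as in the message

# Peers whose connections to $redir_port should be hijacked.
# Empty when the ruleset is loaded; filled at runtime with pfctl (see below),
# so the redirection is only active when wanted.
table <redir_peers> persist

# rdr is evaluated on inbound packets. A locally generated SYN to B_IP first
# leaves via $ext_if, where the route-to rule below sends it to lo0; when it
# comes back "in on lo0" this rule rewrites the destination to the local
# listener (this is the "rdr in on lo0" line seen in pflog).
rdr pass log proto tcp from any to <redir_peers> port $redir_port \
    -> $local_listener port $redir_port

# Divert the outgoing SYN to lo0 instead of putting it on the wire, so the
# rdr rule above gets a second look at it.
pass out log on $ext_if route-to (lo0 127.0.0.1) \
    proto tcp from any to <redir_peers> port $redir_port

# Runtime control (shell commands, not pf.conf syntax):
#   pfctl -t redir_peers -T add B_IP       # start redirecting B:3306 locally
#   pfctl -t redir_peers -T delete B_IP    # connections reach the real B again
#   pfctl -t redir_peers -T show           # list peers currently redirected
```

With an empty table both rules match nothing and traffic to B is untouched; adding B_IP to the table enables the redirection for new connections only, since pf states already created for the real B keep their original translation until they expire or are flushed with pfctl -k.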