From: Jimmy Olgeni <olgeni@olgeni.com>
Date: Thu, 24 Aug 2017 11:38:37 +0200 (CEST)
To: freebsd-net@freebsd.org
Subject: NAT-before-ipsec using if_ipsec
User-Agent: Alpine 2.21 (BSF 202 2017-01-01)
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I came up with a working setup of if_ipsec, and was wondering if it would
now be possible to perform NAT before ipsec using the resulting 'ipsec0'
interface.

The native PF solution seemed to be this:

    nat on ipsec0 from 172.30.1.1/28 to any -> 172.30.1.1

But while it works on external interfaces, it does nothing for ipsec.

If ipsec is already up, pinging the other side does not work; if the ping
causes racoon to negotiate, then it will fail as if it's trying to
negotiate an invalid encryption domain (?)

Are additional SPD entries needed specifically for NAT?

--
jimmy