From owner-freebsd-net@FreeBSD.ORG  Thu Jan 12 09:13:48 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7837F106566C
	for <freebsd-net@FreeBSD.org>; Thu, 12 Jan 2012 09:13:48 +0000 (UTC)
	(envelope-from ale@FreeBSD.org)
Received: from andxor.it (relay.andxor.it [195.223.2.3])
	by mx1.freebsd.org (Postfix) with SMTP id A49408FC08
	for <freebsd-net@FreeBSD.org>; Thu, 12 Jan 2012 09:13:47 +0000 (UTC)
Received: (qmail 24593 invoked from network); 12 Jan 2012 08:47:05 -0000
Received: from unknown (HELO alex.andxor.it) (192.168.2.30)
	by andxor.it with SMTP; 12 Jan 2012 08:47:05 -0000
Message-ID: <4F0E9E09.9040106@FreeBSD.org>
Date: Thu, 12 Jan 2012 09:47:05 +0100
From: Alex Dupre <ale@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
	rv:9.0.1) Gecko/20111227 Firefox/9.0.1 SeaMonkey/2.6.1
MIME-Version: 1.0
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
References: <4F0DD127.4040205@FreeBSD.org>
	<6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net>
	<4F0E8BC8.2020703@FreeBSD.org>
	<FD78C4CE-B9A8-4541-8A67-BDD75C626D0A@lists.zabbadoz.net>
In-Reply-To: <FD78C4CE-B9A8-4541-8A67-BDD75C626D0A@lists.zabbadoz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@FreeBSD.org
Subject: Re: Filtering on IPSEC
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2012 09:13:48 -0000

Bjoern A. Zeeb ha scritto:
> If you are using tunnel mode and gif you'll have trouble;  just use tunnel mode without gif and you'll be happy.

Done, it works and I see all packets on enc0 now, thanks.

> It's because (our) pf cannot NAT on incoming but only on outgoing interfaces.   And you need to NAT on packet entry into the system...

I found a setup that seems to work in my scenario with pf, but I'm not 
sure it's 100% correct. Basically I added nat on enc0 and then added a 
new policy including my internal lan.

Scenario:

- virtual ip (where nat takes place): 172.22.0.5
- internal lan: 192.168.2.0/24
- other lan: 172.28.0.0/16

In pf.conf I added:

nat on enc0 from 192.168.2.0/24 to any -> 172.22.0.5


In setkey.conf I added:

spdadd 192.168.2.0/24 172.28.0.0/16 any -P out ipsec 
esp/tunnel/MYEXTIP-OTHEREXTIP/require;

in addition to the "standard":

pdadd 172.28.0.0/16 172.22.0.5/32 any -P in ipsec 
esp/tunnel/OTHEREXTIP-MYEXTIP/require;
spdadd 172.22.0.5/32 172.28.0.0/16 any -P out ipsec 
esp/tunnel/MYEXTIP-OTHEREXTIP/require;

I'm searching for trouble or is it correct?

-- 
Alex Dupre