Date: Thu, 11 Jun 2009 09:58:04 -0400
From: Stephen Clark <sclark46@earthlink.net>
To: Attila Nagy <bra@fsn.hu>
Cc: freebsd-net@freebsd.org
Subject: Re: Redirecting traffic with IPSec and pf doesn't work
Message-ID: <4A310D6C.3070602@earthlink.net>
In-Reply-To: <4A30D90B.3020007@fsn.hu>
References: <4A30D90B.3020007@fsn.hu>
Attila Nagy wrote:
> Hello,
>
> What I'm trying to accomplish is the following:
> - there are two machines, connected over the internet (let's call them A and B)
> - when A tries to connect to B:port, or B to A:port (via TCP, port is just a TCP port, in this case, 3306) the connection should be redirected to a local listener, instead of the remote
> - the above should only be done if I want to (I can do this with pf anchors or tables)
> - the connection between the two machines should be secured in kernel space (for efficiency and performance)
>
> I can redirect the connections in the unsecured (no IPSec) case with the following pf.conf (this is for machine A):
> rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
> pass out log on $ext_if route-to (lo0 127.0.0.1 ) proto tcp from any to B_IP port 3306
> (192.168.254.1 is an alias on A's lo0)
>
> So when I do a telnet from A to B, the connection establishes and I can reach A's listener, instead of B's.
>
> Now with IPSec.
>
> ipsec.conf contains this (along with the PSK definitions):
> spdadd A_IP B_IP any -P out ipsec
> esp/transport/A_IP-B_IP/default
> ah/transport/A_IP-B_IP/default;
> and the same on B, with swapped orders.
>
> IPSec between the two machines works, but the redirection doesn't.
>
> pf.conf now has:
> rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
> pass out log on enc0 route-to (lo0 127.0.0.1 ) proto tcp from any to B_IP port 3306
>
> (192.168.254.1 is lo0's alias address in this case, but I've also tried with A's public IP and also with a gif tunnel)
>
> What I see in pflog's output seems to be OK:
> 100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
> 000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
>
> and the traffic shows up on enc0 as well, but is not that nice:
> 11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
> 11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R 3107058077:3107058077(0) win 0
>
> The command which produced the above output is:
> MACHINE_A $ telnet B_IP 3306
> telnet: connect to address B_IP: Interrupted system call
> telnet: Unable to connect to remote host
>
> I've tried to set net.enc.out.ipsec_filter_mask to different values without success, only 0x0 gave a connection refused answer, instead of "Interrupted system call".
>
> This is on 7-STABLE.
>
> Is redirecting TCP flows on IPSec secured connections impossible because of some layering differences? (maybe the above redirects the packet with IPSec headers, so this causes the problem)
>
> Thanks,
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

I don't know on 7.x but on 6.x you have to turn on

options IPSEC_FILTERGIF #filter ipsec packets from a tunnel

to get packets to go thru ipfilter - I assume it is the same for pf.

I had the same problem not being able to redirect packets coming from an ipsec tunnel until I turned this option on.

HTH,
Steve

-- 
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)