From owner-freebsd-net@FreeBSD.ORG Sun Mar 23 16:23:13 2014 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AED53A67 for ; Sun, 23 Mar 2014 16:23:13 +0000 (UTC) Received: from fs.denninger.net (wsip-70-169-168-7.pn.at.cox.net [70.169.168.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 57F51AF3 for ; Sun, 23 Mar 2014 16:23:12 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by fs.denninger.net (8.14.8/8.14.8) with ESMTP id s2NGNBbF046106 for ; Sun, 23 Mar 2014 11:23:11 -0500 (CDT) (envelope-from karl@denninger.net) Received: from [127.0.0.1] (TLS/SSL) [192.168.1.40] by Spamblock-sys (LOCAL/AUTH); Sun Mar 23 11:23:11 2014 Message-ID: <532F0A6A.7040003@denninger.net> Date: Sun, 23 Mar 2014 11:23:06 -0500 From: Karl Denninger User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: freebsd-net@freebsd.org Subject: Re: Strongswan problem (used to work for client NAT to the Internet, no longer does) [[RESOLVED]] References: <532E123B.3060702@denninger.net> <532E6A9D.9040609@denninger.net> <532F0469.10202@denninger.net> In-Reply-To: <532F0469.10202@denninger.net> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms010202040108040908060702" X-Antivirus: avast! (VPS 140323-0, 03/23/2014), Outbound message X-Antivirus-Status: Clean X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Mar 2014 16:23:13 -0000 This is a cryptographically signed message in MIME format. --------------ms010202040108040908060702 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable On 3/23/2014 10:57 AM, Karl Denninger wrote: > > On 3/23/2014 12:01 AM, Karl Denninger wrote: >> >> On 3/22/2014 5:44 PM, Karl Denninger wrote: >>> FreeBSD-STABLE 10 r263037M >>> >>> >>> It *looks* like anything coming in through IPSEC and being decoded=20 >>> in there never goes through the ipfw chain at all..... >>> >> This may be addressed by PR185876.... checking. >> > Or not.... > > Now the packets just disappear entirely. Still investigating.... > Got it. With the patches you have to be verrrry careful with the nat, and make=20 sure you first explicitly *exclude* NAT processing from IPSEC-related=20 packets (which DO have their tags properly carried forward now) and then = you must also explicitly process NAT *outbound only* for IPSEC-outbound=20 packets that arrive coming inward. In other words, with pr185876 on your system, assuming 192.168.2.0/24 is = your IPSEC pool and the Internet-accessible interface is em1, you need=20 the following fragments if you want NAT to the Internet at-large to work = for IPSEC-connected clients: 01700 divert 8668 ip4 from any to any not ipsec via em1 01705 divert 8668 ip4 from 192.168.2.0/24 to any ipsec xmit em1 To process all NAT-related traffic EXCEPT outbound IPSEC-related, and=20 then to explicitly process *only* outbound IPSEC related packets (and=20 not inbound ones, which are picked up by the first rule already) That works. pr185876's fixes must be in your system, and because they change header=20 definitions you must rebuild world, not just the kernel. --=20 -- Karl karl@denninger.net --------------ms010202040108040908060702 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFTzCC BUswggQzoAMCAQICAQgwDQYJKoZIhvcNAQEFBQAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYDVQQI EwdGbG9yaWRhMRIwEAYDVQQHEwlOaWNldmlsbGUxGTAXBgNVBAoTEEN1ZGEgU3lzdGVtcyBM TEMxHDAaBgNVBAMTE0N1ZGEgU3lzdGVtcyBMTEMgQ0ExLzAtBgkqhkiG9w0BCQEWIGN1c3Rv bWVyLXNlcnZpY2VAY3VkYXN5c3RlbXMubmV0MB4XDTEzMDgyNDE5MDM0NFoXDTE4MDgyMzE5 MDM0NFowWzELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExFzAVBgNVBAMTDkthcmwg RGVubmluZ2VyMSEwHwYJKoZIhvcNAQkBFhJrYXJsQGRlbm5pbmdlci5uZXQwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC5n2KBrBmG22nVntVdvgKCB9UcnapNThrW1L+dq6th d9l4mj+qYMUpJ+8I0rTbY1dn21IXQBoBQmy8t1doKwmTdQ59F0FwZEPt/fGbRgBKVt3Quf6W 6n7kRk9MG6gdD7V9vPpFV41e+5MWYtqGWY3ScDP8SyYLjL/Xgr+5KFKkDfuubK8DeNqdLniV jHo/vqmIgO+6NgzPGPgmbutzFQXlxUqjiNAAKzF2+Tkddi+WKABrcc/EqnBb0X8GdqcIamO5 SyVmuM+7Zdns7D9pcV16zMMQ8LfNFQCDvbCuuQKMDg2F22x5ekYXpwjqTyfjcHBkWC8vFNoY 5aFMdyiN/Kkz0/kduP2ekYOgkRqcShfLEcG9SQ4LQZgqjMpTjSOGzBr3tOvVn5LkSJSHW2Z8 Q0dxSkvFG2/lsOWFbwQeeZSaBi5vRZCYCOf5tRd1+E93FyQfpt4vsrXshIAk7IK7f0qXvxP4 GDli5PKIEubD2Bn+gp3vB/DkfKySh5NBHVB+OPCoXRUWBkQxme65wBO02OZZt0k8Iq0i4Rci WV6z+lQHqDKtaVGgMsHn6PoeYhjf5Al5SP+U3imTjF2aCca1iDB5JOccX04MNljvifXgcbJN nkMgrzmm1ZgJ1PLur/ADWPlnz45quOhHg1TfUCLfI/DzgG7Z6u+oy4siQuFr9QT0MQIDAQAB o4HWMIHTMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIF4DAsBglg hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHw4 +LnuALyLA5Cgy7T5ZAX1WzKPMB8GA1UdIwQYMBaAFF3U3hpBZq40HB5VM7B44/gmXiI0MDgG CWCGSAGG+EIBAwQrFilodHRwczovL2N1ZGFzeXN0ZW1zLm5ldDoxMTQ0My9yZXZva2VkLmNy bDANBgkqhkiG9w0BAQUFAAOCAQEAZ0L4tQbBd0hd4wuw/YVqEBDDXJ54q2AoqQAmsOlnoxLO 31ehM/LvrTIP4yK2u1VmXtUumQ4Ao15JFM+xmwqtEGsh70RRrfVBAGd7KOZ3GB39FP2TgN/c L5fJKVxOqvEnW6cL9QtvUlcM3hXg8kDv60OB+LIcSE/P3/s+0tEpWPjxm3LHVE7JmPbZIcJ1 YMoZvHh0NSjY5D0HZlwtbDO7pDz9sZf1QEOgjH828fhtborkaHaUI46pmrMjiBnY6ujXMcWD pxtikki0zY22nrxfTs5xDWGxyrc/cmucjxClJF6+OYVUSaZhiiHfa9Pr+41okLgsRB0AmNwE f6ItY3TI8DGCBQowggUGAgEBMIGjMIGdMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHRmxvcmlk YTESMBAGA1UEBxMJTmljZXZpbGxlMRkwFwYDVQQKExBDdWRhIFN5c3RlbXMgTExDMRwwGgYD VQQDExNDdWRhIFN5c3RlbXMgTExDIENBMS8wLQYJKoZIhvcNAQkBFiBjdXN0b21lci1zZXJ2 aWNlQGN1ZGFzeXN0ZW1zLm5ldAIBCDAJBgUrDgMCGgUAoIICOzAYBgkqhkiG9w0BCQMxCwYJ KoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNDAzMjMxNjIzMDZaMCMGCSqGSIb3DQEJBDEW BBQina/zw/CQYPTCwFRZBx7N88or0jBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjAL BglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFA MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIG0BgkrBgEEAYI3EAQxgaYwgaMwgZ0xCzAJBgNV BAYTAlVTMRAwDgYDVQQIEwdGbG9yaWRhMRIwEAYDVQQHEwlOaWNldmlsbGUxGTAXBgNVBAoT EEN1ZGEgU3lzdGVtcyBMTEMxHDAaBgNVBAMTE0N1ZGEgU3lzdGVtcyBMTEMgQ0ExLzAtBgkq hkiG9w0BCQEWIGN1c3RvbWVyLXNlcnZpY2VAY3VkYXN5c3RlbXMubmV0AgEIMIG2BgsqhkiG 9w0BCRACCzGBpqCBozCBnTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExEjAQBgNV BAcTCU5pY2V2aWxsZTEZMBcGA1UEChMQQ3VkYSBTeXN0ZW1zIExMQzEcMBoGA1UEAxMTQ3Vk YSBTeXN0ZW1zIExMQyBDQTEvMC0GCSqGSIb3DQEJARYgY3VzdG9tZXItc2VydmljZUBjdWRh c3lzdGVtcy5uZXQCAQgwDQYJKoZIhvcNAQEBBQAEggIAiu42Rz4CErXJRXVCNLYWF0zKdd+9 3rHsDf7ATaFJFUG07gcBtClRiT6giq+x937mL79CRXWeeRWHzlcidou7BvKtYA9UQoaQ+sxY fsutw18cltxDH5eHww5vGrB3M8ETPldzGEZLRKyUaZodLW0mp8lLRvBQQtpnVLM1mrSEgGcR aVdmmoXyi8AzHKAUZm9Jrh7PcJuLcW39/y6ECjDKs/lMqjxxg1OD5ZYxShY64/5fRZnlvOw4 vg5GI5mAAzxQtcHL9S6bQAhVXhUbWujXvgmA1Mtsr3ByEpxDYAQXLlN60d5iHsNTtPTS7KVC RnUmzzp0PNVl5dOv33mydLktF5w5Qu83Be9r09m/0PNmUvIRbjo5sFYe0EtuzmyHx49yPo5G LdDjiqkCyAbm1gG1/9XSqGg3HQ7K/0OEUSO/O1BVmnUYJP4Zq1ogH749P3Fm1ZwqxCRQFFQV VFDGVZQFFGwkCw62+wPJiPTK8FBLhgtcOuWspliPdQyLM5lguibORfuNDnvT1eBDrOx6Embn r8tHDYuUjteY+aEHxaCHaFtcF/yLXavMAreXBEk0mSRD4n3lGj6s3xuMJfTSEto3oYPRHpW8 MWx6XKQ0nMGz3ryKpOmhhKADJ12A0zTNQKvskt6hX0RxcZcz6w8r+aJr7FbUiO6aW0hDAcV+ czcDgZ4AAAAAAAA= --------------ms010202040108040908060702--