Date: Sun, 16 Feb 2014 15:47:56 +0100
From: Philipp Schmid <philipp.schmid@openresearch.com>
To: freebsd-net@freebsd.org
Subject: IPSEC transport mode and PF NAT to VIMAGE Jail
Message-ID: <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>
Hi,

I'm having trouble connecting to a NATted VNET jail from a client that uses IPsec in transport mode between the client and the server where the jail is hosted on.

The basic setup looks like:

Laptop (10.0.1.111) <--- IPSec transport mode ---> FreeBSD 10 Server (10.0.1.178)

On the server I have a bridge called bridge0 that has the IP address 192.168.1.1.
A freebsd 10 jail is running on the server with the IP 192.168.1.2.
The server at 10.0.1.178 has NAT configured for 192.168.1.0/24 and redirects port 548 to 192.168.1.2.

What I'd like to achieve is that the laptop is able to connect to port 548 on the server which is redirected to port 548 in the jail:

Laptop (10.0.1.111) --> 10.0.1.178 port 548 --> NAT --> 192.168.1.2 port 548 (doesn't work)

(10.0.1.1.111)$ telnet 10.0.1.178 548
Trying 10.0.1.178...
telnet: connect to address 10.0.1.178: Connection refused
telnet: Unable to connect to remote host

I have this working for clients which do not use IPsec, eg:

Other Laptop (10.0.1.248) --> 10.0.1.178 port 548 --> NAT --> 192.168.1.2 port 548 (DOES work)

(10.0.1.248)$ telnet 10.0.1.178 548
Trying 10.0.1.178...
Connected to 10.0.1.178.
Escape character is '^]'.

The IPSec tunnel between 10.0.1.111 and 10.0.1.178 is also working correctly and I can connect to any port on the 10.0.1.178 server from the 10.0.1.111 client.

This is the spd policy on the server:

spdadd 10.0.1.178 10.0.1.111 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.1.111 10.0.1.178 any -P in ipsec esp/transport//require ah/transport//require;

And on the client:

spdadd 10.0.1.111 10.0.1.178 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.1.178 10.0.1.111 any -P in ipsec esp/transport//require ah/transport//require;

Any idea how to get that working? For me it looks like if the packets arriving via IPsec are somehow passing the firewall and are not processed by pf. I can also connect to any port from the 10.0.1.111 client on 10.0.1.178, not just the ones I allowed in /etc/pf.conf.

Thank you,
Philipp

-------------------------------------
My /etc/pf.conf on the server:

# interfaces and ips
ext_if="bge0"
ext_ip="10.0.1.178"
jail_if = "bridge0"
jailnet = $jail_if:network
jail_netatalk_ip = "192.168.1.2"
icmp_types = "{ echorep, echoreq, timex, unreach }"

# groups
admins = "{ 10.0.1.111 }"
friends = "{ 10.0.1.111, 10.0.1.176, 10.0.1.248 }"

scrub in all

# don't filter on the loopback devices
set skip on lo0

# nat jails
set skip on $jail_if
nat on $ext_if from $jail_netatalk_ip to !$jailnet -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port afpovertcp -> $jail_netatalk_ip port afpovertcp

# base rules
block in all
pass out all keep state

# icmp
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

# mdns multicast
pass in on $ext_if proto udp from any to 224.0.0.251/32 port 5353 keep state

# rna
pass in inet proto tcp from $admins to $ext_ip port ssh
pass in inet proto tcp from $friends to $ext_ip port afpovertcp
pass in inet proto udp from $friends to $ext_ip port mdns

# netatalk jail
pass in inet proto tcp from any to $jail_netatalk_ip port afpovertcp

# IPSec
pass in proto esp from any to any
pass in proto ah from any to any
pass in proto ipencap from any to any
pass in proto udp from $admins port=500 to $ext_ip port=500
pass out proto esp from any to any
pass out proto ah from any to any
pass out proto ipencap from any to any
pass out proto udp from $ext_ip port=500 to $admins port=500
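An added example, not part of Philipp's mail: on FreeBSD the pf rules on bge0 above only ever see the encrypted ESP/AH datagrams, which the `pass in proto esp`/`ah` rules admit wholesale; the decrypted payload is made visible to pf through the enc(4) pseudo-interface (this fragment assumes a kernel built with `device enc`, so that enc0 exists, and reuses the macros from the pf.conf above). It shows how to confine what IPsec clients can reach in cleartext and how to mirror the AFP redirect for them; `ipsec_if` is an added macro name.

```pf
# Added example (not from the thread): filter the cleartext side of the
# transport-mode SAs on enc(4). Assumes "device enc" in the kernel, so the
# decrypted packets are presented to pf on enc0 before they reach TCP.
ipsec_if = "enc0"

# Do NOT "set skip on $ipsec_if": that would exclude the cleartext side of
# the SA from filtering entirely, which is the symptom described above.

# Mirror the AFP redirect that exists on $ext_if for unencrypted clients,
# this time for connections arriving in cleartext through the SA.
rdr on $ipsec_if proto tcp from $admins to $ext_ip port afpovertcp -> $jail_netatalk_ip port afpovertcp

# Only the services intended for IPsec clients are reachable through the SA;
# anything else that arrives on enc0 falls through to the global "block in all".
pass in on $ipsec_if inet proto tcp from $admins to $ext_ip port ssh keep state
pass in on $ipsec_if inet proto tcp from $admins to $jail_netatalk_ip port afpovertcp keep state
pass out on $ipsec_if keep state

# Caveat: the jail's replies are still NATed on $ext_if to $ext_ip, and the
# host SPD above must cover that address pair; this fragment does not touch
# the SPD. Verify with "tcpdump -ni enc0" (cleartext as pf sees it) and
# "pfctl -vsr" (per-rule hit counters) that the enc0 rules are matching.
```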