Date:      Sun, 16 Feb 2014 15:47:56 +0100
From:      Philipp Schmid <philipp.schmid@openresearch.com>
To:        freebsd-net@freebsd.org
Subject:   IPSEC transport mode and PF NAT to VIMAGE Jail
Message-ID:  <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>

Hi,

I'm having trouble connecting to a NATted VNET jail from a client that uses IPsec in transport mode between the client and the server on which the jail is hosted.

The basic setup looks like:

	Laptop (10.0.1.111)    <--- IPsec transport mode ---> FreeBSD 10 Server (10.0.1.178)

On the server I have a bridge called bridge0 that has the IP address 192.168.1.1.
A FreeBSD 10 jail is running on the server with the IP 192.168.1.2.

The server at 10.0.1.178 has NAT configured for 192.168.1.0/24 and redirects port 548 to 192.168.1.2.

What I'd like to achieve is that the laptop is able to connect to port 548 on the server, which is redirected to port 548 in the jail:

	Laptop (10.0.1.111) ---> 10.0.1.178 port 548 ---> NAT ---> 192.168.1.2 port 548  (doesn't work)

	(10.0.1.111)$ telnet 10.0.1.178 548
	Trying 10.0.1.178...
	telnet: connect to address 10.0.1.178: Connection refused
	telnet: Unable to connect to remote host

I have this working for clients which do not use IPsec, eg:

	Other Laptop (10.0.1.248) ---> 10.0.1.178 port 548 ---> NAT ---> 192.168.1.2 port 548  (DOES work)

	(10.0.1.248)$ telnet 10.0.1.178 548
	Trying 10.0.1.178...
	Connected to 10.0.1.178.
	Escape character is '^]'.

The IPsec tunnel between 10.0.1.111 and 10.0.1.178 is also working correctly and I can connect to any port on the 10.0.1.178 server from the 10.0.1.111 client.

This is the spd policy on the server:

	spdadd 10.0.1.178 10.0.1.111 any -P out ipsec esp/transport//require ah/transport//require;
	spdadd 10.0.1.111 10.0.1.178 any -P in ipsec esp/transport//require ah/transport//require;

And on the client:

	spdadd 10.0.1.111 10.0.1.178 any -P out ipsec esp/transport//require ah/transport//require;
	spdadd 10.0.1.178 10.0.1.111 any -P in ipsec esp/transport//require ah/transport//require;



Any idea how to get that working?
To me it looks as if the packets arriving via IPsec are somehow passing the firewall and are not processed by pf.
I can also connect to any port on 10.0.1.178 from the 10.0.1.111 client, not just the ones I allowed in /etc/pf.conf.


Thank you, Philipp






-------------------------------------

My /etc/pf.conf on the server:

# interfaces and ips
ext_if="bge0"
ext_ip="10.0.1.178"

jail_if = "bridge0"
jailnet = $jail_if:network
jail_netatalk_ip = "192.168.1.2"

icmp_types = "{ echorep, echoreq, timex, unreach }"

# groups
admins  = "{ 10.0.1.111 }"
friends = "{ 10.0.1.111, 10.0.1.176, 10.0.1.248 }"

scrub in all


# don't filter on the loopback devices
set skip on lo0

# nat jails
set skip on $jail_if
nat on $ext_if from $jail_netatalk_ip to !$jailnet -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port afpovertcp -> $jail_netatalk_ip port afpovertcp


# base rules
block in all
pass out all keep state


# icmp
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

# mdns multicast
pass in on $ext_if proto udp from any to 224.0.0.251/32 port 5353 keep state


# rna
pass in inet proto tcp from $admins to $ext_ip port ssh
pass in inet proto tcp from $friends to $ext_ip port afpovertcp
pass in inet proto udp from $friends to $ext_ip port mdns


# netatalk jail
pass in inet proto tcp from any to $jail_netatalk_ip port afpovertcp


# IPSec
pass in proto esp from any to any
pass in proto ah from any to any
pass in proto ipencap from any to any
pass in proto udp from $admins port=500 to $ext_ip port=500
pass out proto esp from any to any
pass out proto ah from any to any
pass out proto ipencap from any to any
pass out proto udp from $ext_ip port=500 to $admins port=500
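
The observation in the post (every port on 10.0.1.178 reachable over the IPsec path, only 22 and 548 reachable from the plaintext client) is exactly what a port-reachability audit should surface. The script below is an added example and is not part of the original message or of FreeBSD: it probes a list of TCP ports with nc(1), compares each result with the verdict the posted pf.conf is expected to give a host in $admins/$friends (22 and 548 pass, everything else falls to "block in all"), and flags any port that is open but should be blocked. Run it once from the IPsec client and once from a non-IPsec client and compare. Assumed: a BSD-style nc supporting -z and -w, the TARGET default of 10.0.1.178 taken from the post, the probe timeout, and the verdict labels OK/BYPASS/BLOCKED, which are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: audit which TCP ports on
# the server actually accept connections from this client and compare with
# the verdict the posted pf.conf is expected to give. A port reported BYPASS
# (open, but expected closed) means the ruleset is not enforced on this path.

TARGET="${TARGET:-10.0.1.178}"   # server address from the post (assumption: override via env)
TIMEOUT="${TIMEOUT:-2}"          # seconds per probe (assumption)

# probe HOST PORT -> prints "open" or "closed".
# Uses nc(1) -z (scan only, no data) and -w (connect timeout).
probe() {
    if nc -z -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1; then
        echo open
    else
        echo closed
    fi
}

# expected PORT -> verdict derived from the posted pf.conf for a client in
# $admins/$friends: ssh (22) and afpovertcp (548) pass, everything else
# hits "block in all".
expected() {
    case "$1" in
        22|548) echo open ;;
        *)      echo closed ;;
    esac
}

# audit PORT... -> prints one line per port: PORT EXPECTED ACTUAL VERDICT.
# Returns the number of ports whose actual state disagrees with the
# expectation, so a non-zero return means at least one BYPASS or BLOCKED.
audit() {
    mismatches=0
    for port in "$@"; do
        want=$(expected "$port")
        got=$(probe "$TARGET" "$port")
        if [ "$want" = "$got" ]; then
            verdict=OK
        else
            mismatches=$((mismatches + 1))
            if [ "$got" = open ]; then
                verdict=BYPASS    # reachable although the ruleset should block it
            else
                verdict=BLOCKED   # blocked although the ruleset should pass it
            fi
        fi
        printf '%s\t%s\t%s\t%s\n' "$port" "$want" "$got" "$verdict"
    done
    return "$mismatches"
}

# Usage: sh audit.sh 22 548 23 80 443 8080
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

On the setup described above, the run from 10.0.1.111 should show 548 as BLOCKED (connection refused) and the unlisted ports as BYPASS, while the run from 10.0.1.248 should show every port as OK; the exit status is the mismatch count, so the script can sit in a cron job or CI step that fails when the two paths disagree.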



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37EFF023-E94C-4B81-BE73-B1833EF14C7C>