From owner-freebsd-net@FreeBSD.ORG Sun Feb 16 14:48:04 2014
From: Philipp Schmid
Subject: IPSEC transport mode and PF NAT to VIMAGE Jail
Date: Sun, 16 Feb 2014 15:47:56 +0100
To: freebsd-net@freebsd.org
Message-Id: <37EFF023-E94C-4B81-BE73-B1833EF14C7C@openresearch.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I'm having trouble connecting to a NATted VNET jail from a client that uses IPsec in transport mode between the client and the server where the jail is hosted.

The basic setup looks like:

Laptop (10.0.1.111) <--- IPsec transport mode ---> FreeBSD 10 Server (10.0.1.178)

On the server I have a bridge called bridge0 that has the IP address 192.168.1.1.
A FreeBSD 10 jail is running on the server with the IP 192.168.1.2.
The server at 10.0.1.178 has NAT configured for 192.168.1.0/24 and redirects port 548 to 192.168.1.2.

What I'd like to achieve is that the laptop is able to connect to port 548 on the server, which is redirected to port 548 in the jail:

Laptop (10.0.1.111) --> 10.0.1.178 port 548 --> NAT --> 192.168.1.2 port 548 (doesn't work)

(10.0.1.111)$ telnet 10.0.1.178 548
Trying 10.0.1.178...
telnet: connect to address 10.0.1.178: Connection refused
telnet: Unable to connect to remote host

I have this working for clients which do not use IPsec, e.g.:

Other Laptop (10.0.1.248) --> 10.0.1.178 port 548 --> NAT --> 192.168.1.2 port 548 (DOES work)

(10.0.1.248)$ telnet 10.0.1.178 548
Trying 10.0.1.178...
Connected to 10.0.1.178.
Escape character is '^]'.

The IPsec tunnel between 10.0.1.111 and 10.0.1.178 is also working correctly and I can connect to any port on the 10.0.1.178 server from the 10.0.1.111 client.

This is the SPD policy on the server:

spdadd 10.0.1.178 10.0.1.111 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.1.111 10.0.1.178 any -P in ipsec esp/transport//require ah/transport//require;

And on the client:

spdadd 10.0.1.111 10.0.1.178 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.1.178 10.0.1.111 any -P in ipsec esp/transport//require ah/transport//require;

Any idea how to get that working? For me it looks like the packets arriving via IPsec are somehow passing the firewall and are not processed by pf.
I can also connect to any port from the 10.0.1.111 client on 10.0.1.178, not just the ones I allowed in /etc/pf.conf.

Thank you,
Philipp

-------------------------------------
My /etc/pf.conf on the server:

# interfaces and ips
ext_if="bge0"
ext_ip="10.0.1.178"
jail_if = "bridge0"
jailnet = $jail_if:network
jail_netatalk_ip = "192.168.1.2"
icmp_types = "{ echorep, echoreq, timex, unreach }"

# groups
admins = "{ 10.0.1.111 }"
friends = "{ 10.0.1.111, 10.0.1.176, 10.0.1.248 }"

scrub in all

# don't filter on the loopback devices
set skip on lo0

# nat jails
set skip on $jail_if
nat on $ext_if from $jail_netatalk_ip to !$jailnet -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port afpovertcp -> $jail_netatalk_ip port afpovertcp

# base rules
block in all
pass out all keep state

# icmp
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

# mdns multicast
pass in on $ext_if proto udp from any to 224.0.0.251/32 port 5353 keep state

# rna
pass in inet proto tcp from $admins to $ext_ip port ssh
pass in inet proto tcp from $friends to $ext_ip port afpovertcp
pass in inet proto udp from $friends to $ext_ip port mdns

# netatalk jail
pass in inet proto tcp from any to $jail_netatalk_ip port afpovertcp

# IPsec
pass in proto esp from any to any
pass in proto ah from any to any
pass in proto ipencap from any to any
pass in proto udp from $admins port = 500 to $ext_ip port = 500
pass out proto esp from any to any
pass out proto ah from any to any
pass out proto ipencap from any to any
pass out proto udp from $ext_ip port = 500 to $admins port = 500
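Editor's added example, not part of the original mail and not FreeBSD code: a small model of how a SYN to port 548 travels through the posted setup, built from the addresses, SPD entries and pf rules quoted above. It encodes two kernel behaviours as the editor reads FreeBSD 10 (treat them as hypotheses to verify on the box, not as a diagnosis): ip_input() skips the pfil hooks, and therefore pf, for a packet that IPsec input has already processed (it carries PACKET_TAG_IPSEC_IN_DONE) unless net.inet.ipsec.filtertunnel is 1; and ip_output() does the SPD lookup before the pfil hooks, so pf's nat rule rewrites the jail's source address only after IPsec has already decided the packet needs no protection. pf's own rule that rdr is applied before the filter rules is modeled as well. The `Packet` class, the `inbound`/`outbound_reply` functions and the constructed sample packets in `demo()` are the editor's; there is no state table and no TCP, only the decisions that matter for the symptom.

```python
"""Model of the port-548 path for the setup in the post (editor's example).
Kernel behaviour is the editor's reading of FreeBSD 10, to be verified."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

EXT_IP = ipaddress.ip_address("10.0.1.178")        # $ext_ip on bge0
JAIL_AFP_IP = ipaddress.ip_address("192.168.1.2")  # $jail_netatalk_ip
JAILNET = ipaddress.ip_network("192.168.1.0/24")   # $jailnet
IPSEC_CLIENT = ipaddress.ip_address("10.0.1.111")  # laptop using IPsec
PLAIN_CLIENT = ipaddress.ip_address("10.0.1.248")  # laptop without IPsec
FRIENDS = {IPSEC_CLIENT, ipaddress.ip_address("10.0.1.176"), PLAIN_CLIENT}
AFP_PORT = 548                                     # afpovertcp


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                          # "tcp" or "esp"
    dport: int = 0
    inner: Optional["Packet"] = None    # decrypted payload of an ESP packet
    ipsec_in_done: bool = False         # models PACKET_TAG_IPSEC_IN_DONE


# Server-side SPD from the post as (src, dst, direction): transport mode,
# esp and ah 'require', any upper-layer protocol.
SPD = [(EXT_IP, IPSEC_CLIENT, "out"), (IPSEC_CLIENT, EXT_IP, "in")]


def spd_requires_ipsec(pkt: Packet, direction: str) -> bool:
    """setkey(8) 'require': a selector match means the packet must be
    protected; no match means it travels in the clear."""
    return any(s == pkt.src and d == pkt.dst and dr == direction
               for s, d, dr in SPD)


def pfil_bypassed(pkt: Packet, filtertunnel: bool) -> bool:
    """Editor's reading of ip_ipsec_filtertunnel(): an already-decrypted
    packet skips pf when net.inet.ipsec.filtertunnel=0 (the default)."""
    return pkt.ipsec_in_done and not filtertunnel


def pf_in(pkt: Packet):
    """pf on bge0, inbound: the rdr rule first, then the posted filter
    rules that can match TCP/548 or ESP ('block in all' otherwise)."""
    if pkt.proto == "tcp" and pkt.dst == EXT_IP and pkt.dport == AFP_PORT:
        pkt = replace(pkt, dst=JAIL_AFP_IP)        # rdr ... -> $jail_netatalk_ip
    if pkt.proto == "esp":
        ok = True                                  # pass in proto esp
    elif pkt.proto == "tcp" and pkt.dport == AFP_PORT:
        ok = pkt.dst == JAIL_AFP_IP or (pkt.dst == EXT_IP and pkt.src in FRIENDS)
    else:
        ok = False
    return pkt, ok


def inbound(pkt: Packet, filtertunnel: bool = False) -> dict:
    """Trace one packet arriving on bge0 to where it ends up."""
    pkt, ok = pf_in(pkt)
    if not ok:
        return {"verdict": "blocked by pf", "pf_saw_tcp": pkt.proto == "tcp"}
    if pkt.proto != "esp":
        return {"verdict": "delivered", "dst": str(pkt.dst),
                "dport": pkt.dport, "pf_saw_tcp": True}
    # ESP accepted; IPsec input decrypts, tags and re-queues the inner
    # packet through ip_input(), where the bypass decision is made.
    pkt = replace(pkt.inner, ipsec_in_done=True)
    if pfil_bypassed(pkt, filtertunnel):
        # No rdr, no filter rule: the SYN lands on the host's own stack at
        # 10.0.1.178:548 where nothing listens, so the host answers with a
        # RST, which the laptop reports as 'Connection refused'.
        return {"verdict": "delivered", "dst": str(pkt.dst),
                "dport": pkt.dport, "pf_saw_tcp": False}
    pkt, ok = pf_in(pkt)
    if not ok:
        return {"verdict": "blocked by pf", "pf_saw_tcp": True}
    return {"verdict": "delivered", "dst": str(pkt.dst),
            "dport": pkt.dport, "pf_saw_tcp": True}


def outbound_reply(pkt: Packet) -> dict:
    """The jail's reply forwarded out of bge0: SPD lookup on the
    untranslated 192.168.1.2 source first, then pf's nat rewrites it."""
    protected = spd_requires_ipsec(pkt, "out")
    if pkt.src == JAIL_AFP_IP and pkt.dst not in JAILNET:
        pkt = replace(pkt, src=EXT_IP)             # nat on $ext_if ... -> $ext_ip
    return {"src": str(pkt.src), "dst": str(pkt.dst), "ipsec": protected}


def demo() -> dict:
    """Constructed sample packets: the two SYNs from the post and the
    jail's reply towards the IPsec laptop."""
    syn_plain = Packet(PLAIN_CLIENT, EXT_IP, "tcp", AFP_PORT)
    syn_ipsec = Packet(IPSEC_CLIENT, EXT_IP, "esp",
                       inner=Packet(IPSEC_CLIENT, EXT_IP, "tcp", AFP_PORT))
    reply = Packet(JAIL_AFP_IP, IPSEC_CLIENT, "tcp")
    return {
        "plain": inbound(syn_plain),
        "ipsec_default": inbound(syn_ipsec),
        "ipsec_filtertunnel": inbound(syn_ipsec, filtertunnel=True),
        "reply_from_jail": outbound_reply(reply),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The model predicts that the plaintext laptop is redirected to 192.168.1.2:548, that the IPsec laptop's decrypted SYN never reaches the rdr rule with the default sysctl, and that even once it does, the jail's reply leaves bge0 as plain TCP from 10.0.1.178 because no server-side SPD entry covers 192.168.1.2 as source, which the laptop's `-P in ... require` policy would then reject. To check those predictions on the real host rather than trust the model: `sysctl net.inet.ipsec.filtertunnel`, `pfctl -v -s rules` for the packet counters on the rdr and `pass in ... $jail_netatalk_ip` rules, and `tcpdump -ni bge0 host 10.0.1.111` on the server (and the same on the laptop) to see whether the reply arrives as ESP or as bare TCP.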