Date:      Tue, 17 Mar 2020 10:22:18 -0300
From:      Cristian Cardoso <cristian.cardoso11@gmail.com>
To:        Artem Viklenko <artem@viklenko.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF + IPsec
Message-ID:  <CAKeEC-JcXCpxdFv8HKNW7jD8_kY28P05nvuBhSYKVUqrnYg69w@mail.gmail.com>
In-Reply-To: <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>
References:  <CAKeEC-LqP-dAFCeSkCnMLU-Qw-j0KxOXLQSmQzX2poLTKZ2W0Q@mail.gmail.com> <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net> <CAKeEC-JsPwx=9GcbsN5xtV2COQU8S46jjeBUNaQrRNao495cDQ@mail.gmail.com> <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>

I first tried the way you said, but it doesn't work: it returned the
TTL expired in transit message when I try to run ICMP from some host
that is on a network outside FreeBSD, in my test with only the nat
rule on enc0.

Running tests from a host on another network, for example on the
10.7.8.0/24 network

The way is this
10.7.8.243 -> 172.0.10.11 -> 10.19.12.251 -> vpn tunnel

Without the nat rule on the xn0 interface, no echo reply occurs
within the VPN tunnel.
With the nat rule on the xn0 interface, the echo reply occurs on the
enc0 interface, only the packet is returned outside 10.19.12.251, which
does not occur for networks outside the FreeBSD /24.

In the FreeBSD route table, the tunnel is configured in this way via strongswan:
10.31.32.67/32 10.19.12.251 UGS xn0

Thanks for the help = )

On Tue, 17 Mar 2020 at 09:54, Artem Viklenko
<artem@viklenko.net> wrote:
>
> You don't need rdr
>
> nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251
>
>
> On 17.03.20 14:35, Cristian Cardoso wrote:
> > I tried as follows without success:
> >
> > rdr on xn0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
> > nat on xn0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67/32 -> 10.19.12.251
> > rdr on enc0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
> > nat on enc0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67 -> 10.19.12.251
> >
> > xn0 is my interface that goes to the internal network that is beyond
> > the FreeBSD box, and enc0 is the VPN's; I just put the icmp protocol for
> > testing.
> > I checked with tcpdump on the enc0 interface, where echo request
> > and echo reply occur, but it does not return to the PC that ran icmp on
> > another network within 10.0.0.0/8
> >
> > Any suggestion?
> >
> > On Tue, 17 Mar 2020 at 02:48, Artem Viklenko
> > <artem@viklenko.net> wrote:
> >>
> >> Hi!
> >>
> >> PF does NAT on outbound and RDR on inbound.
> >> You can try to do NAT on enc0 interface instead of lan.
> >>
> >>
> >> On 17.03.20 04:28, Cristian Cardoso wrote:
> >>> Hello
> >>> I'm setting up a FreeBSD server for IPsec VPN communication with
> >>> strongswan and I'm having some difficulties in the operation
> >>>
> >>> The FreeBSD server's local network is 10.19.12.0/24 and can connect
> >>> correctly to the network on the other side of the tunnel.
> >>>
> >>> I would like another network behind my server to connect to the tunnel as well.
> >>>
> >>> In Linux I would NAT the network that is arriving as follows:
> >>> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.31.32.0/24 -j SNAT --to-source 10.19.12.251
> >>>
> >>> In FreeBSD I tried to run the rule as follows, but to no avail:
> >>> nat on $LAN inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251
> >>>
> >>> Is there any other way to generate the equivalent of POSTROUTING in FreeBSD?
> >>>
> >>> Best Regards
> >>> _______________________________________________
> >>> freebsd-pf@freebsd.org mailing list
> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >>>
> >>
> >> --
> >> Regards!
> >
>
> --
> Regards!
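The setup the thread converges on, source NAT on enc0 instead of on the LAN interface, written out as a complete pf.conf fragment; this is an added example, not the poster's configuration or a rule set from the thread. The outside interface name xn1 and the IKE peer address 203.0.113.1 are assumptions; the other interfaces and addresses are the ones quoted above.

```pf
# pf.conf fragment (constructed example). xn1 and 203.0.113.1 are assumed;
# everything else comes from the thread.
lan        = "xn0"             # interface towards the internal networks
wan        = "xn1"             # assumed outside interface carrying IKE/ESP
ipsec      = "enc0"            # clear-text view of the IPsec tunnel
inside     = "10.0.0.0/8"      # networks behind the FreeBSD box
remote     = "10.31.32.0/24"   # network on the far side of the tunnel
tunnel_src = "10.19.12.251"    # local address selected by the IPsec policy
peer       = "203.0.113.1"     # remote IKE/ESP endpoint (placeholder)

set skip on lo0

# pf translates on the OUTBOUND interface. With FreeBSD IPsec the
# clear-text packet leaves through enc0 before it is encapsulated, so the
# source NAT that iptables does in POSTROUTING belongs on enc0, not on
# the LAN interface. pf only sees the packet there while filtering on enc
# is enabled (FreeBSD defaults: net.enc.out.ipsec_filter_mask=1,
# net.enc.in.ipsec_filter_mask=1).
nat on $ipsec inet from $inside to $remote -> $tunnel_src

# Filtering runs after translation, so the outbound pass rule matches the
# translated source; the reply is matched by the state entry and
# un-translated back to the 10.x host that sent the echo request.
pass out on $ipsec inet from $tunnel_src to $remote keep state
pass in  on $ipsec inet from $remote to $tunnel_src keep state

# Only IKE and ESP from the known peer reach the outside interface.
pass in  on $wan inet proto udp from $peer to $tunnel_src port { 500, 4500 }
pass in  on $wan inet proto esp from $peer to $tunnel_src
pass out on $wan inet from $tunnel_src to $peer keep state

# Forwarded clear-text traffic from the inside networks towards the tunnel.
pass in on $lan inet from $inside to $remote keep state

# Checks after loading:
#   pfctl -nf /etc/pf.conf       parse without loading
#   pfctl -s nat                 confirm the translation rule sits on enc0
#   pfctl -ss | grep 10.31.32    state entries should show the translated source
#   tcpdump -ni enc0 icmp        request and reply both visible on enc0
```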
