Date: Wed, 29 Jan 2014 18:52:04 +0100
From: Eric Masson <emss@free.fr>
To: Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>, Mailing List FreeBSD ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID: <861tzqwu9n.fsf@srvbsdfenssv.interne.associated-bears.org>
In-Reply-To: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> (Eric Masson's message of "Sat, 25 Jan 2014 16:28:10 +0100")
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
Eric Masson <emss@free.fr> writes:

Hi,

No idea on this subject? Forwarding to freebsd-ipfw.

Regards

Éric Masson

> Hi,
>
> I've set up a lab to experiment with a nat-before-ipsec scenario.
> Architecture:
> - 3 host-only interfaces have been set up on the host
> - 4 FreeBSD 10 guests have been set up:
>   - 2 clients connected to their respective gateways via dedicated host-only
>     interfaces.
>   - 2 gateways connected together via a dedicated host-only interface
>
> Client 1 setup:
> <----------------------------------------------------------------->
> emss@client1:~ % more /etc/rc.conf
> hostname="client1"
> keymap="fr.iso.acc.kbd"
> ifconfig_em0="inet 192.168.11.100 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> defaultrouter="192.168.11.15"
> sshd_enable="YES"
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> <----------------------------------------------------------------->
>
> Gateway 1 setup:
> <----------------------------------------------------------------->
> emss@gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> keymap="fr.iso.acc.kbd"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em1_ipv6="inet6 accept_rtadv"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> emss@gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
> $cmd nat 100 config log ip 172.16.0.1 reverse
> emss@gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>     ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>     esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>     ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>     esp/tunnel/10.0.0.5-10.0.0.6/require;
> emss@gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
>
> net.inet.ip.fw.default_to_accept="1"
> <----------------------------------------------------------------->
>
> Gateway 2 setup:
> <----------------------------------------------------------------->
> emss@gateway2:~ % more /etc/rc.conf
> hostname="gateway2"
> keymap="fr.iso.acc.kbd"
> ifconfig_em1="inet 10.0.0.6 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.21.15 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> emss@gateway2:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P out ipsec
>     ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>     esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P in ipsec
>     ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>     esp/tunnel/10.0.0.5-10.0.0.6/require;
> <----------------------------------------------------------------->
>
> Client 2 setup:
> <----------------------------------------------------------------->
> emss@client2:~ % more /etc/rc.conf
> hostname="client2"
> keymap="fr.iso.acc.kbd"
> ifconfig_em0="inet 192.168.21.100 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> defaultrouter="192.168.21.15"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> <----------------------------------------------------------------->
>
> Test setup by pinging client2 from client1:
>
> On client1:
> emss@client1:~ % ping 192.168.21.100
> PING 192.168.21.100 (192.168.21.100): 56 data bytes
>
> On gateway1 inside interface:
>
> root@gateway1:~ # tcpdump -i em1
> 17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
> 17:16:08.600660 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 59651, seq 213, length 64
> ...
>
> On gateway1 outside interface:
> root@gateway1:~ # tcpdump -i em0
> 17:16:48.501317 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed4), length 128
> 17:16:48.501612 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed5), length 128
> 17:16:48.502665 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e67), length 128
> 17:16:48.502938 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e68), length 128
> ...
>
> On client2:
> root@client2:~ # tcpdump -i em0
> 17:14:17.671181 IP 172.16.0.1 > 192.168.21.100: ICMP echo request, id 59651, seq 107, length 64
> 17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
> ...
>
> So, the only remaining issue is that gateway1 doesn't NAT back the
> IPsec-decapsulated packets (with no NAT in the scenario, everything works fine).
>
> Setting net.inet.ip.fw.one_pass to 0 doesn't change anything.
>
> Any idea, please?
>
> Regards
>
> Éric Masson

-- 
Interesting testimony, though a bit long. Could you write some more!
-+- LL in GNU has only one word to say: enough, more! -+-
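An added example, written by the editor and not part of the thread or of FreeBSD: a small Python model of ipfw rule-body matching, run over the address pairs that appear in the tcpdump output quoted above. It decides one thing only, whether a packet's (source, destination) pair matches a rule body of the form `<action> all from <net> to <net>` in rule-number order; it does not model libalias translation state, the `reverse` option, interface (`via`) matching, or the point at which a decapsulated IPsec packet re-enters ipfw, so it cannot on its own confirm the cause of what the poster sees. What it does make visible is that the posted body `from 192.168.11.0/24 to 192.168.21.0/24` is consulted for the echo request seen on em1, but not for the reply 192.168.21.100 -> 172.16.0.1 that client2 sends, which in this model falls through to the default rule. The second ruleset (rule 110) is a hypothetical variant whose body also covers the reply direction; it is an assumption for illustration and has not been tested on FreeBSD.

```python
"""Model of ipfw rule-body matching for the addresses seen in the thread.

Added example, not code from the thread or from FreeBSD. It models one thing:
whether a packet's (src, dst) pair matches a rule body of the form
`<action> all from <net> to <net>`, checked in rule-number order. It does NOT
model libalias translation state, the `reverse` option, interface (`via`)
matching, or where a decapsulated IPsec packet re-enters ipfw.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

Packet = Tuple[str, str]  # (source address, destination address)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str  # e.g. "nat 100"; informational only in this model
    src: str     # CIDR network, or "any"
    dst: str     # CIDR network, or "any"

    def matches(self, pkt: Packet) -> bool:
        src, dst = pkt
        return _in_spec(src, self.src) and _in_spec(dst, self.dst)


def _in_spec(addr: str, spec: str) -> bool:
    """True if addr is covered by spec ('any' or a CIDR network)."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def first_match(rules: Iterable[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the lowest-numbered rule whose body matches pkt, or None.

    None means the packet reached the default rule; gateway1 boots with
    net.inet.ip.fw.default_to_accept=1, so such a packet is passed untouched.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule
    return None


def trace(rules: Iterable[Rule], packets: Iterable[Packet]) -> Dict[Packet, Optional[int]]:
    """Map each packet to the number of the first matching rule (None = default rule)."""
    result: Dict[Packet, Optional[int]] = {}
    for pkt in packets:
        hit = first_match(rules, pkt)
        result[pkt] = hit.number if hit is not None else None
    return result


# Ruleset exactly as posted for gateway1 (/etc/ipfw.rules).
POSTED: List[Rule] = [
    Rule(100, "nat 100", "192.168.11.0/24", "192.168.21.0/24"),
]

# Hypothetical variant (assumption, not tested on FreeBSD): a second rule whose
# body covers the reply direction, i.e. traffic returning to the NAT address.
TWO_WAY: List[Rule] = POSTED + [
    Rule(110, "nat 100", "192.168.21.0/24", "172.16.0.1/32"),
]

# Address pairs taken from the tcpdump output quoted in the thread.
ECHO_REQUEST_INSIDE: Packet = ("192.168.11.100", "192.168.21.100")  # seen on gateway1 em1
ECHO_REPLY_INNER: Packet = ("192.168.21.100", "172.16.0.1")        # what client2 sends back
ESP_OUTER_RETURN: Packet = ("10.0.0.6", "10.0.0.5")                # ESP seen on gateway1 em0

SAMPLE: List[Packet] = [ECHO_REQUEST_INSIDE, ECHO_REPLY_INNER, ESP_OUTER_RETURN]

if __name__ == "__main__":
    for name, ruleset in (("posted", POSTED), ("two-way", TWO_WAY)):
        for pkt, hit in trace(ruleset, SAMPLE).items():
            label = hit if hit is not None else "default"
            print(f"{name:8s} {pkt[0]:>15s} -> {pkt[1]:<15s} rule {label}")
```

Running the block prints, for both rulesets, which rule each sampled packet would hit. On a real gateway the corresponding check is `ipfw show` (equivalent to `ipfw -a list`) while the ping runs, which shows per-rule packet counters and so whether rule 100 is being hit once or twice per echo exchange.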
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?861tzqwu9n.fsf>