From: Eric Masson
To: Mailing List FreeBSD Network, Mailing List FreeBSD ipfw
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
In-Reply-To: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> (Eric Masson's message of "Sat, 25 Jan 2014 16:28:10 +0100")
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
X-Operating-System: FreeBSD 9.2-RELEASE-p3 amd64
Date: Wed, 29 Jan 2014 18:52:04 +0100
Message-ID: <861tzqwu9n.fsf@srvbsdfenssv.interne.associated-bears.org>
List-Id: Networking and TCP/IP with FreeBSD

Eric Masson writes:

Hi,

No idea on this subject? Forwarding to freebsd-ipfw.

Regards

Éric Masson

> Hi,
>
> I've set up a lab to experiment with a nat before ipsec scenario.
> Architecture:
> - 3 host only interfaces have been set up on the host
> - 4 FreeBSD10 guests have been set up:
>   - 2 clients connected to their respective gateways via dedicated host
>     only interfaces.
>   - 2 gateways connected together via dedicated host only interface
>
> Client 1 setup:
> <----------------------------------------------------------------->
> emss@client1:~ % more /etc/rc.conf
> hostname="client1"
> keymap="fr.iso.acc.kbd"
> ifconfig_em0="inet 192.168.11.100 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> defaultrouter="192.168.11.15"
> sshd_enable="YES"
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> <----------------------------------------------------------------->
>
> Gateway 1 setup:
> <----------------------------------------------------------------->
> emss@gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> keymap="fr.iso.acc.kbd"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em1_ipv6="inet6 accept_rtadv"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
>
> emss@gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
> $cmd nat 100 config log ip 172.16.0.1 reverse
>
> emss@gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
> esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
> esp/tunnel/10.0.0.5-10.0.0.6/require;
>
> emss@gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
>
> net.inet.ip.fw.default_to_accept="1"
> <----------------------------------------------------------------->
>
> Gateway 2 setup:
> <----------------------------------------------------------------->
> emss@gateway2:~ % more /etc/rc.conf
> hostname="gateway2"
> keymap="fr.iso.acc.kbd"
> ifconfig_em1="inet 10.0.0.6 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.21.15 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
>
> emss@gateway2:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P out ipsec
> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
> esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P in ipsec
> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
> esp/tunnel/10.0.0.5-10.0.0.6/require;
> <----------------------------------------------------------------->
>
> Client 2 setup:
> <----------------------------------------------------------------->
> emss@client2:~ % more /etc/rc.conf
> hostname="client2"
> keymap="fr.iso.acc.kbd"
> ifconfig_em0="inet 192.168.21.100 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> defaultrouter="192.168.21.15"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> <----------------------------------------------------------------->
>
> Test setup by pinging client2 from client1:
>
> On client1:
> emss@client1:~ % ping 192.168.21.100
> PING 192.168.21.100 (192.168.21.100): 56 data bytes
>
> On gateway1 inside interface:
>
> root@gateway1:~ # tcpdump -i em1
> 17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
> 17:16:08.600660 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 59651, seq 213, length 64
> ...
>
> On gateway1 outside interface:
> root@gateway1:~ # tcpdump -i em0
> 17:16:48.501317 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed4), length 128
> 17:16:48.501612 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed5), length 128
> 17:16:48.502665 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e67), length 128
> 17:16:48.502938 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e68), length 128
> ...
>
> On client2:
> root@client2:~ # tcpdump -i em0
> 17:14:17.671181 IP 172.16.0.1 > 192.168.21.100: ICMP echo request, id 59651, seq 107, length 64
> 17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
> ...
>
> So, the only remaining issue is that gateway1 doesn't nat back ipsec
> decapsulated packets (if no nat in scenario, everything works fine).
>
> Setting net.inet.ip.fw.one_pass to 0 doesn't change anything.
>
> Any idea, please?
>
> Regards
>
> Éric Masson

-- 
Interesting testimony, though a bit long. Could you write more!
-+- LL in GNU has only one word to say: enough, more! -+-
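An added illustration, not part of the thread and not code from the poster: a small Python model of how an ipfw rule body ("from <net> to <net>") selects packets, applied to the two flows visible in the captures above (the echo request seen on gateway1 em1 and the echo reply seen on client2, which is what gateway1 receives after ESP decapsulation). It only models address-range matching, ignoring protocol, interface and direction keywords, and the second rule body is a constructed alternative for comparison, not something the thread confirms as the fix.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: two tcpdump summary lines copied from the post.
CAPTURE = """\
17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
"""

# Matches tcpdump IPv4 summaries without port suffixes (ICMP, ESP); TCP/UDP lines
# would carry ".port" after each address and need a wider pattern.
LINE_RE = re.compile(r"\bIP (\S+) > (\S+):")


def parse_capture(text):
    """Extract (src, dst) address pairs from tcpdump summary lines."""
    return [m.groups() for line in text.splitlines() if (m := LINE_RE.search(line))]


@dataclass(frozen=True)
class RuleBody:
    """Simplified ipfw body 'from <src_net> to <dst_net>': address ranges only."""
    src_net: str
    dst_net: str

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))


def nat_rule_hits(rules, packets):
    """For each (src, dst) pair, index of the first matching body or None.

    ipfw evaluates rules in order and a packet only reaches a nat instance
    through a rule whose body matches it, so None means 'never translated'.
    """
    return [next((i for i, r in enumerate(rules) if r.matches(s, d)), None)
            for s, d in packets]


# Rule 00100 exactly as posted: a single body selecting one direction.
POSTED = [RuleBody("192.168.11.0/24", "192.168.21.0/24")]

# Constructed alternative (hypothetical, not from the thread): a second body
# selecting the decapsulated replies addressed to the nat alias 172.16.0.1.
BOTH_WAYS = POSTED + [RuleBody("192.168.21.0/24", "172.16.0.1/32")]

if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    print("posted  :", nat_rule_hits(POSTED, pkts))     # [0, None]
    print("two-way :", nat_rule_hits(BOTH_WAYS, pkts))  # [0, 1]
```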