Subject: Re: NAT before IPSEC - reply packets stuck at enc0
From: "Muenz, Michael" <m.muenz@spam-fetish.org>
To: freebsd-net@freebsd.org
Date: Tue, 25 Jul 2017 09:36:50 +0200

On 24.07.2017 at 19:01, Andrey V. Elsukov wrote:
>
> > .1.1: ICMP echo reply, id 33347, seq 28416, length 8
>
> This does not match what I expected to see. The reply here should
> be something like "10.24.66.25 > 10.26.2.N: ICMP echo reply".
>
> It seems the problem is with ipfw_nat, that for both directions thinks
> that packets are inbound and this leads to incorrect translation.
>
> Can you modify your IPsec security policies, so outgoing packets from
> 10.26.2.0/24 will go through the same tunnel? Then you need to modify
> the nat rule:
>
> ipfw nat 1 config ip 10.26.1.1
> ipfw add 179 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>

Hi,

when I change it to out xmit enc0 nothing happens because the packets
have to match the IPSEC SA before entering the tunnel (and enc0 I guess).
So it has to be in recv vtnet1 to be more precise, but then it's the same
result:

09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (tos 0x0, ttl 63, id 54367, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 4f36 (->5036)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 58, id 51185, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8

Thanks,
Michael
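As an added example (not from the thread, nor part of FreeBSD or ipfw), a small Python checker that walks a decrypted tcpdump trace like the one above and flags echo replies that ipfw_nat translated in the wrong direction, the "10.26.1.1 > 10.26.1.1" symptom discussed in the thread. The address ranges are the ones named in the thread; the verdict names, the function names and the two-line re-wrapping of the trace are this example's own assumptions.

```python
import ipaddress
import re
# Addresses from the thread: 10.26.1.1 is the ipfw nat address, 10.26.2.0/24 the network behind it, 10.24.66.0/24 the far side of the IPsec tunnel.
NAT_IP = ipaddress.ip_address("10.26.1.1")
INNER_NET = ipaddress.ip_network("10.26.2.0/24")
REMOTE_NET = ipaddress.ip_network("10.24.66.0/24")
ICMP_RE = re.compile(r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def classify_echo(line):
    """Return (seq, verdict) for one decrypted tcpdump ICMP line, else None."""
    m = ICMP_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    seq = int(m["seq"])
    if m["kind"] == "request":
        # On enc0 the outbound request should already carry the nat address.
        ok = src == NAT_IP and dst in REMOTE_NET
        return seq, "request-ok" if ok else "request-unexpected"
    if src == dst:
        # The symptom from the thread: the reply's source was rewritten to the nat address too, i.e. ipfw_nat handled the inbound reply as outbound.
        return seq, "reply-double-translated"
    if src in REMOTE_NET and dst == NAT_IP:
        return seq, "reply-pre-nat"  # decrypted reply, not yet reverse-translated
    if src in REMOTE_NET and dst in INNER_NET:
        return seq, "reply-ok"       # reverse-translated back to the inner host
    return seq, "reply-unexpected"

def audit_trace(text):
    """Seqs whose reply was double-translated and never showed up correctly."""
    by_seq = {}
    for line in text.splitlines():
        hit = classify_echo(line)
        if hit:
            by_seq.setdefault(hit[0], []).append(hit[1])
    return sorted(s for s, v in by_seq.items()
                  if "reply-double-translated" in v and "reply-ok" not in v)

# Constructed sample: the thread's trace re-wrapped into tcpdump's two-line layout.
SAMPLE_TRACE = """\
09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (tos 0x0, ttl 63, id 54367, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 58, id 51185, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8
"""
```

Running `audit_trace(SAMPLE_TRACE)` on the thread's trace reports seq 34304 as never having come back with a 10.26.2.0/24 destination; a trace from a working setup returns an empty list.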