From: Eric Masson
To: Mailing List FreeBSD Network
Subject: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Date: Sat, 25 Jan 2014 16:28:10 +0100
Message-ID: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>

Hi,

I've set up a lab to experiment with a NAT before IPsec scenario.

Architecture:
- 3 host-only interfaces have been set up on the host
- 4 FreeBSD 10 guests have been set up:
  - 2 clients connected to their respective gateways via dedicated host-only interfaces.
  - 2 gateways connected together via a dedicated host-only interface

Client 1 setup:
<----------------------------------------------------------------->
emss@client1:~ % more /etc/rc.conf
hostname="client1"
keymap="fr.iso.acc.kbd"
ifconfig_em0="inet 192.168.11.100 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
defaultrouter="192.168.11.15"
sshd_enable="YES"
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
<----------------------------------------------------------------->

Gateway 1 setup:
<----------------------------------------------------------------->
emss@gateway1:~ % more /etc/rc.conf
hostname="gateway1"
keymap="fr.iso.acc.kbd"
ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
ifconfig_em1_ipv6="inet6 accept_rtadv"
ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
gateway_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

emss@gateway1:~ % more /etc/ipfw.rules
#!/bin/sh
cmd="/sbin/ipfw"
$cmd -f flush
$cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
$cmd nat 100 config log ip 172.16.0.1 reverse

emss@gateway1:~ % more /etc/ipsec.conf
flush;
spdflush;
add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
    ipcomp/tunnel/10.0.0.6-10.0.0.5/require
    esp/tunnel/10.0.0.6-10.0.0.5/require;
spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
    ipcomp/tunnel/10.0.0.5-10.0.0.6/require
    esp/tunnel/10.0.0.5-10.0.0.6/require;
emss@gateway1:~ % more /boot/loader.conf
ipfw_load="YES"
ipfw_nat_load="YES"
net.inet.ip.fw.default_to_accept="1"
<----------------------------------------------------------------->

Gateway 2 setup:
<----------------------------------------------------------------->
emss@gateway2:~ % more /etc/rc.conf
hostname="gateway2"
keymap="fr.iso.acc.kbd"
ifconfig_em1="inet 10.0.0.6 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.21.15 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
gateway_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

emss@gateway2:~ % more /etc/ipsec.conf
flush;
spdflush;
add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
spdadd 192.168.21.0/24 172.16.0.1/32 any -P out ipsec
    ipcomp/tunnel/10.0.0.6-10.0.0.5/require
    esp/tunnel/10.0.0.6-10.0.0.5/require;
spdadd 172.16.0.1/32 192.168.21.0/24 any -P in ipsec
    ipcomp/tunnel/10.0.0.5-10.0.0.6/require
    esp/tunnel/10.0.0.5-10.0.0.6/require;
<----------------------------------------------------------------->

Client 2 setup:
<----------------------------------------------------------------->
emss@client2:~ % more /etc/rc.conf
hostname="client2"
keymap="fr.iso.acc.kbd"
ifconfig_em0="inet 192.168.21.100 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
defaultrouter="192.168.21.15"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
<----------------------------------------------------------------->

Test setup by pinging client2 from client1:

On client1:
emss@client1:~ % ping 192.168.21.100
PING 192.168.21.100 (192.168.21.100): 56 data bytes

On gateway1 inside interface:
root@gateway1:~ # tcpdump -i em1
17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
17:16:08.600660 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 59651, seq 213, length 64
...

On gateway1 outside interface:
root@gateway1:~ # tcpdump -i em0
17:16:48.501317 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed4), length 128
17:16:48.501612 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed5), length 128
17:16:48.502665 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e67), length 128
17:16:48.502938 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e68), length 128
...

On client2:
root@client2:~ # tcpdump -i em0
17:14:17.671181 IP 172.16.0.1 > 192.168.21.100: ICMP echo request, id 59651, seq 107, length 64
17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
...

So, the only remaining issue is that gateway1 doesn't NAT back IPsec-decapsulated packets (if there is no NAT in the scenario, everything works fine).

Setting net.inet.ip.fw.one_pass to 0 doesn't change anything.

Any idea, please?

Regards

Éric Masson
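Added example, not part of the original post: a small Python check of whether an ipfw nat rule's address filter covers both traffic directions, which is one configuration point worth verifying when decapsulated packets come back untranslated. It applies the rule body from gateway1's /etc/ipfw.rules to the echo request seen on em1 and to the echo reply captured at client2 (assumed here to be what gateway1 receives after ESP/IPcomp decapsulation); the rule text and packet lines come from the post, the helper functions are this example's own.

```python
import ipaddress
import re

# Constructed inputs taken from the post: the nat rule body on gateway1 and
# two tcpdump lines (outbound request on em1, return reply as seen at client2).
NAT_RULE = "nat 100 all from 192.168.11.0/24 to 192.168.21.0/24"
SAMPLE_PACKETS = [
    "17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64",
    "17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64",
]

RULE_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")
# tcpdump prints "IP src[.port] > dst[.port]:" for IPv4 traffic.
PKT_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def _net(spec):
    # ipfw's "any" matches every address; otherwise a host or CIDR prefix.
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_rule(rule):
    """Return (src_net, dst_net) from an ipfw rule body; None means 'any'."""
    m = RULE_RE.search(rule)
    if m is None:
        raise ValueError("no 'from ... to ...' clause in rule: " + rule)
    return _net(m.group(1)), _net(m.group(2))


def parse_packet(line):
    """Return (src, dst) addresses from a tcpdump 'IP a > b:' line."""
    m = PKT_RE.search(line)
    if m is None:
        raise ValueError("not an IPv4 tcpdump line: " + line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def rule_matches(rule, line):
    """True if the packet's src/dst both fall inside the rule's address filter."""
    src_net, dst_net = parse_rule(rule)
    src, dst = parse_packet(line)
    return (src_net is None or src in src_net) and (dst_net is None or dst in dst_net)


def unmatched_packets(rule, lines):
    """Packets the rule never sees, so the nat instance is never applied to them."""
    return [line for line in lines if not rule_matches(rule, line)]
```

Run against the post's capture, the outbound request matches the rule while the reply addressed to 172.16.0.1 does not, so it never reaches nat 100 regardless of the one_pass setting.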