Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 25 Jul 2017 10:43:56 +0200
From:      "Muenz, Michael" <m.muenz@spam-fetish.org>
To:        freebsd-net@freebsd.org
Subject:   Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID:  <ada882bb-7344-49c5-0e47-e1432f27f1c9@spam-fetish.org>
In-Reply-To: <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru>
References:  <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <cdb7e172-4074-4559-1e91-90c8e9276134@spam-fetish.org> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> <c738380c-e0cc-2d32-934e-a05502887b93@yandex.ru> <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org> <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru> <f4c5a11c-a329-d746-ece8-e3752a6c82ea@spam-fetish.org> <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru>

next in thread | previous in thread | raw e-mail | index | archive | help
Am 25.07.2017 um 10:22 schrieb Andrey V. Elsukov:
>
> ICMP request should be matched by outbound IPsec policy. Looking to your
> tcpdump, you use tunnel IPsec mode. So, how this should work:
>
> * 10.26.2.N sends ICMP request to 10.24.66.25
>
> * 10.26.1.1 handles it by tunnel mode IPsec security policy, something like:
> 	spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
> 	    esp/tunnel/213.244.192.191-81.24.74.3/require;
> * IPsec code does lookup for IPsec SA and uses something like:
> 	add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;

Thanks for the detailed explaination! I only know the insights with 
Linux, but what I try to achieve is, not to build a SA fpr 10.26.2.0 to 
10.24.66.0.
So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done 
before getting to the IPSEC process.
In Linux a packet not matching a SA would simply be dropped by kernel or 
throw a "NO PROPOSAL CHOSEN" since there's no known SA for 10.26.2.0 to 
10.24.66.0.

I'll try to reach out the OPNsense guys if they are willing to patch a 
new kernel for me.

Thanks!

Michael



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ada882bb-7344-49c5-0e47-e1432f27f1c9>