From: Matthew Grooms <mgrooms@shrew.net>
To: pf@freebsd.org
Date: Mon, 10 Oct 2022 10:01:13 -0500
Subject: Re: PF: nat on ipsec
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 10/10/22 02:04, infoomatic wrote:
> Hi guys,
>
> hope someone can help me with my problem trying to NAT ipsec. The setup:
> I use a FreeBSD host with an opnsense VM and a vnet jail. The host uses
> em0 with an external interface, one bridge with an ipv4 address and tap
> interface to connect opnsense and one bridge without ipv4 address with
> tap of opnsense + epair of the jail to connect those two. Opnsense is
> doing ipsec (strongswan) to our AWS infrastructure, the jail is
> simulating a client on the "LAN" interface of opnsense. NAT on the host
> is set up with pf and works as expected except for ipsec: so outgoing
> tcp/udp packets from the jail pass through opnsense, get natted and then
> pass the host where they again get natted.
>
> The outgoing rules on the host
>
> nat pass on em0 proto udp from 192.168.251.100 to any -> $ip_out
> nat pass on em0 proto tcp from 192.168.251.100 to any -> $ip_out
>
> The incoming rules redirecting ipsec traffic to opnsense
>
> rdr pass proto udp to $ip_out port 4500 -> 192.168.251.100
> rdr pass proto udp to $ip_out port 500 -> 192.168.251.100
>
> On the host, I can see that pf is not translating the packets, using
> tcpdump on pflog0 shows me:
>
> 00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
> 00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17
>
> where 3.123.51.34 is the ipsec endpoint on AWS side. Every other packet
> outgoing from the jail shows of course the external ipv4 address,
> however, as you can see above, ipsec traffic does not get translated,
> packets try to pass the host's em0 interface with the internal ipv4
> address of opnsense "WAN" interface.
>
> I hope there is a solution I have not found to this strange problem, any
> advice highly appreciated. Thanks!

I'm not sure if I understood all the details here, but:

NAT happens on egress. For traffic to be processed by IPsec, your traffic
must have source and destination addresses that match the appropriate
IPsec policy. Waiting until it's being sent outbound (where NAT occurs) is
usually too late.

Hope this helps,

-Matthew
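As an added example (not code from the thread or from any of its participants), a small Python parser for the `tcpdump -n -e -ttt -i pflog0` line format quoted above, which flags packets that leave the external interface with an RFC 1918 source address, i.e. traffic that reached em0 without being translated, like the two blocked lines in the post. The sample log is constructed (the two thread lines plus two made-up lines of ordinary traffic); the interface name em0 is the one from the thread.

```python
import ipaddress
import re

# Constructed sample in the format tcpdump prints for pflog0. The first two lines
# are the ones quoted in the thread; the last two are made-up ordinary traffic.
SAMPLE_PFLOG = """\
00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17
00:00:01.000000 rule 5/0(match): pass out on em0: 203.0.113.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 7/0(match): pass in on em0: 198.51.100.7.443 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# One pflog line: timestamp, matched rule, action, direction, interface, then
# "src[.sport] > dst[.dport]: payload summary" (tcpdump appends the port with a dot).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

# RFC 1918 ranges spelled out: ipaddress's is_private also covers the
# documentation nets (e.g. 203.0.113.0/24) and would wrongly flag the sample above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_pflog_line(line):
    """Return a dict of fields for one tcpdump pflog0 line, or None if it does not parse."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def untranslated_egress(log_text, external_if):
    """Packets leaving external_if whose source is still an RFC 1918 address,
    i.e. traffic that reached the external interface without being NATed."""
    return [
        rec for rec in map(parse_pflog_line, log_text.splitlines())
        if rec is not None and rec["dir"] == "out"
        and rec["ifname"] == external_if and is_rfc1918(rec["src"])
    ]
```

Feeding it a live capture (`tcpdump -n -e -ttt -i pflog0 | python3 -c ...`) reports each untranslated flow with the pf rule that logged it, which is the quickest way to confirm whether a nat rule is being skipped for a given protocol or fragment.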