Date: Mon, 10 Oct 2022 19:13:50 +0200
From: infoomatic <infoomatic@gmx.at>
To: pf@freebsd.org
Subject: Re: PF: nat on ipsec
Message-ID: <9d014241-53e0-99dd-4e4e-283fb40c10bd@gmx.at>
In-Reply-To: <CADsrzyaXoD9a86q1a3GD=kfUZtscYsgK1uBf0a5v3=e3AqWL2w@mail.gmail.com>
References: <c35f847b-60cd-fa48-66ae-66c48e3729b1@gmx.at> <e3d77559-8894-5b49-0993-b2988d6fd553@shrew.net> <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at> <bfb2f2d0-8fdb-52b4-1d9b-2baea2a5d983@shrew.net> <CADsrzyaXoD9a86q1a3GD=kfUZtscYsgK1uBf0a5v3=e3AqWL2w@mail.gmail.com>
On 10.10.22 17:59, André S. Almeida wrote:
> Take a look at the sysctl option "net.inet.ipsec.filtertunnel", it
> needs to be active for NAT to work with IPSec

Thank you, unfortunately this did not change anything.

> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several
> instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
> Good luck! :)

Thanks. Yeah I know, that's why I have always tried to stick to OpenVPN; however, with AWS it's not (yet?) possible.

I just don't get why on earth I need to tinker around on the host when the tunnel is being created inside the OPNsense VM, and sadly the solution on Linux consists of just 2 simple iptables rules (basically rdr all IPv4 traffic to the VM and then NAT the VM's IPv4 traffic).
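The two iptables rules described in the message, translated to pf on the FreeBSD host, as an added example that is not from the thread. The uplink interface name and the VM address are assumptions, and the redirect is narrowed to the IPsec protocols (IKE, NAT-T, ESP) instead of all IPv4 so host services on the uplink keep working.

```pf
# Added example (not from the thread): pf.conf fragment for a FreeBSD host
# that hands IPsec to a VM and NATs the VM's outbound IPv4 traffic.
# Interface name and VM address are assumed; adjust to the actual host.
ext_if = "vtnet0"        # host uplink (assumed name)
vm_ip  = "192.0.2.10"    # OPNsense VM on the internal bridge (assumed address)

# Outbound: NAT the VM's IPv4 traffic behind the host's uplink address.
# "pass" lets the translated flow through without a separate filter rule.
nat pass on $ext_if inet from $vm_ip to any -> ($ext_if)

# Inbound: redirect IKE (UDP 500), NAT-T (UDP 4500) and ESP to the VM.
# Translation rules are evaluated before filter rules, so the filter sees
# the packet already addressed to $vm_ip; "pass" admits it directly.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port { 500, 4500 } -> $vm_ip
rdr pass on $ext_if inet proto esp from any to ($ext_if) -> $vm_ip
```

Load it with `pfctl -f /etc/pf.conf`; the host also needs `net.inet.ip.forwarding=1` to route between the uplink and the VM's bridge.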