From: infoomatic <infoomatic@gmx.at>
To: pf@freebsd.org
Date: Mon, 10 Oct 2022 19:13:50 +0200
Subject: Re: PF: nat on ipsec
Message-ID: <9d014241-53e0-99dd-4e4e-283fb40c10bd@gmx.at>
References: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 10.10.22 17:59, André S. Almeida wrote:
> Take a look at the sysctl option "net.inet.ipsec.filtertunnel", it
> needs to be active for NAT to work with IPSec
>
thank you, unfortunately this did not change anything.

> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several
> instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
> Good luck! :)
>
thanks. Yeah I know, that's why I have always tried to stick to OpenVPN, however, with AWS it's not (yet?) possible.

I just don't get why on earth I need to tinker around on the host when the tunnel is being created inside the OPNsense VM, and sadly the solution on Linux consists of just 2 simple iptables rules (basically rdr all IPv4 traffic to the VM and then NAT the VM's IPv4 traffic).
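As an added illustration (not from this thread or from either participant), here is what the two Linux rules the reply describes look like in the host's pf.conf, for a FreeBSD host that forwards the IKE/ESP traffic of a guest that terminates the IPsec tunnel itself. The external interface name vtnet0 and the guest address 192.0.2.10 are made-up placeholders. One caveat worth knowing in this setup: net.inet.ipsec.filtertunnel and enc(4) only govern IPsec that the host kernel itself decrypts, so when the tunnel ends inside the VM they do not come into play; the host only has to forward IKE (UDP 500/4500) and ESP to the guest and NAT the guest's outbound traffic. Narrowing the redirect to those protocols, rather than redirecting all inbound IPv4 as the Linux rule does, keeps the host's own services reachable on the external address.

```pf
# Added example (not from the thread): host-side pf.conf for a FreeBSD host
# whose guest (e.g. an OPNsense VM) terminates the IPsec tunnel itself.
# Assumed names: vtnet0 = host's external interface, 192.0.2.10 = guest
# address on the bridged VM network. Both are placeholders.
#
# Needed in /etc/sysctl.conf on the host: net.inet.ip.forwarding=1
# (net.inet.ipsec.filtertunnel is irrelevant here: the host never decrypts
# the tunnel, it only forwards IKE and ESP to the guest.)

ext_if = "vtnet0"
vm_ip  = "192.0.2.10"

set skip on lo0

# Equivalent of the Linux SNAT/MASQUERADE rule: hide the guest's outbound
# IPv4 traffic (including its own IKE and ESP) behind the host's address.
nat on $ext_if inet from $vm_ip to any -> ($ext_if)

# Equivalent of the Linux DNAT rule, narrowed to what IPsec needs so the
# host's own services stay reachable: IKE and NAT-T (UDP 500, 4500) and
# ESP (IP protocol 50) arriving on the external address go to the guest.
# "rdr pass" also passes the translated packets, creating state for the
# return direction.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port { 500, 4500 } -> $vm_ip
rdr pass on $ext_if inet proto esp from any to ($ext_if) -> $vm_ip

# Everything else inbound on the external interface is dropped.
block in on $ext_if

# Let the guest's (now translated) traffic and the host's own traffic out.
pass out on $ext_if inet keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the translation rules with `pfctl -s nat`; `pfctl -s state` should show a udp state for port 500/4500 and an esp state once the guest's peer starts talking. Because ESP carries no ports, the ESP redirect above only works for a single guest behind the host; a second tunnel endpoint would need its own external address.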