Date: Tue, 25 Jul 2017 14:17:53 +0200 From: "Muenz, Michael" <m.muenz@spam-fetish.org> To: freebsd-net@freebsd.org Subject: Re: NAT before IPSEC - reply packets stuck at enc0 Message-ID: <860b48aa-b99e-7b71-3724-587ee0a7fe80@spam-fetish.org> In-Reply-To: <ada882bb-7344-49c5-0e47-e1432f27f1c9@spam-fetish.org> References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <cdb7e172-4074-4559-1e91-90c8e9276134@spam-fetish.org> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> <c738380c-e0cc-2d32-934e-a05502887b93@yandex.ru> <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org> <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru> <f4c5a11c-a329-d746-ece8-e3752a6c82ea@spam-fetish.org> <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru> <ada882bb-7344-49c5-0e47-e1432f27f1c9@spam-fetish.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 25.07.2017 um 10:43 schrieb Muenz, Michael:
> Am 25.07.2017 um 10:22 schrieb Andrey V. Elsukov:
>>
>> ICMP request should be matched by outbound IPsec policy. Looking to your
>> tcpdump, you use tunnel IPsec mode. So, how this should work:
>>
>> * 10.26.2.N sends ICMP request to 10.24.66.25
>>
>> * 10.26.1.1 handles it by tunnel mode IPsec security policy,
>> something like:
>> spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
>> esp/tunnel/213.244.192.191-81.24.74.3/require;
>> * IPsec code does lookup for IPsec SA and uses something like:
>> add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
>
> Thanks for the detailed explaination! I only know the insights with
> Linux, but what I try to achieve is, not to build a SA fpr 10.26.2.0
> to 10.24.66.0.
> So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done
> before getting to the IPSEC process.
> In Linux a packet not matching a SA would simply be dropped by kernel
> or throw a "NO PROPOSAL CHOSEN" since there's no known SA for
> 10.26.2.0 to 10.24.66.0.
>
> I'll try to reach out the OPNsense guys if they are willing to patch a
> new kernel for me.
>
> Thanks!
>
> Michael
This is the output with the new kernel:
14:02:53.960436 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0,
ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28, bad
cksum b07 (->c07)!)
10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
14:02:53.960460 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0,
ttl 64, id 32607, offset 0, flags [none], proto IPIP (4), length 48, bad
cksum 0 (->c99b)!)
213.244.192.191 > 81.24.74.3: IP (tos 0x0, ttl 63, id 6287, offset
0, flags [none], proto ICMP (1), length 28)
10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
14:02:53.968634 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0,
ttl 58, id 18352, offset 0, flags [none], proto IPIP (4), length 48)
81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 38328, offset
0, flags [none], proto ICMP (1), length 28)
10.24.66.25 > 10.26.1.1: ICMP echo reply, id 38600, seq 0, length 8
14:02:53.968653 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0,
ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
10.26.1.1 > 10.26.1.1: ICMP echo reply, id 44919, seq 0, length 8
So the most specific nat rule in order to get the packet into enc0 is:
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
Thanks!
Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?860b48aa-b99e-7b71-3724-587ee0a7fe80>