Date: Thu, 06 Mar 2014 21:48:17 -0500
From: "John W. O'Brien" <john@saltant.com>
To: Eric Masson <emss@free.fr>
Cc: Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID: <53193371.4090603@saltant.com>
In-Reply-To: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
Hi Eric,

On 1/25/14 10:28 AM, Eric Masson wrote:
> Hi,
>
> I've set up a lab to experiment with a NAT-before-IPsec scenario.
> Architecture:
> - 3 host-only interfaces have been set up on the host
> - 4 FreeBSD 10 guests have been set up:
>   - 2 clients connected to their respective gateways via dedicated host-only interfaces.
>   - 2 gateways connected together via a dedicated host-only interface

Trimming configs for clarity

> Gateway 1 setup:
> <----------------------------------------------------------------->
> emss@gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> emss@gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24

You also need to perform NAT processing on the traffic that returns to
gateway1 from gateway2.

$cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1

> $cmd nat 100 config log ip 172.16.0.1 reverse
> emss@gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>     ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>     esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>     ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>     esp/tunnel/10.0.0.5-10.0.0.6/require;
> emss@gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
>
> net.inet.ip.fw.default_to_accept="1"

I'm curious to learn whether this is sufficient. I haven't tested any
combination of NAT and IPsec.

Regards,
John
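The point John makes is that rule 100 only matches packets whose source is
192.168.11.0/24, so a reply that comes back out of the tunnel as
192.168.21.x -> 172.16.0.1 never reaches the NAT instance and its destination
is never rewritten to the client's address. The script below is an added
example, not Eric's /etc/ipfw.rules or anything John posted: it regenerates
gateway1's rule set with both of the rules discussed in the thread (addresses
and NAT instance number are taken from the thread) and includes a small
first-match evaluator that shows which rule a given src/dst pair would hit
under the original file and under the two-rule version. The IPFW variable,
the function names and the evaluator are assumptions made for this example;
the evaluator only models the src/dst address test, not ipfw's in/out,
interface or protocol keywords. Whether the two-rule set is sufficient on a
live gateway is exactly what John says is untested, so treat it as a starting
point rather than a confirmed fix.

```shell
#!/bin/sh
# Added example (not from the original thread). Parameterised version of
# gateway1's ipfw NAT rules, with a dry-run mode and a first-match checker.
# IPFW is an assumption: set IPFW=echo to see the commands without ipfw.

IPFW="${IPFW:-/sbin/ipfw}"
LOCAL_NET="192.168.11.0/24"   # client LAN behind gateway1 (em1)
REMOTE_NET="192.168.21.0/24"  # client LAN behind gateway2
NAT_ADDR="172.16.0.1"         # address LOCAL_NET is translated to
NAT_ID="100"                  # ipfw nat instance shared by both rules

# The original file: only the outbound direction reaches the NAT instance.
gen_rules_original() {
    printf '%s\n' "-f flush"
    printf '%s\n' "add 100 nat $NAT_ID all from $LOCAL_NET to $REMOTE_NET"
    printf '%s\n' "nat $NAT_ID config log ip $NAT_ADDR reverse"
}

# The two-rule version: rule 200 catches the decapsulated return traffic
# (REMOTE_NET -> NAT_ADDR) so libalias can rewrite its destination back.
gen_rules() {
    printf '%s\n' "-f flush"
    printf '%s\n' "add 100 nat $NAT_ID all from $LOCAL_NET to $REMOTE_NET"
    printf '%s\n' "add 200 nat $NAT_ID all from $REMOTE_NET to $NAT_ADDR"
    printf '%s\n' "nat $NAT_ID config log ip $NAT_ADDR reverse"
}

# Feed the generated commands to ipfw one line at a time.
apply_rules() {
    gen_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086
        "$IPFW" $line
    done
}

# True when the return-direction rule is present in the generated set.
has_return_rule() {
    gen_rules | grep -qxF "add 200 nat $NAT_ID all from $REMOTE_NET to $NAT_ADDR"
}

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR: succeeds when ADDR falls inside CIDR (a bare address
# is treated as /32).
in_net() {
    net="${2%/*}"; bits="${2#*/}"
    if [ "$net" = "$2" ]; then bits=32; fi
    mask=$(( (0xffffffff << (32 - $bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_nat_match SRC DST [GENERATOR]: number of the first "add ... nat"
# rule whose src/dst test matches the packet, or "none".
first_nat_match() {
    gen="${3:-gen_rules}"
    result=$("$gen" | while read -r verb num _ _ _ _ src _ dst; do
        [ "$verb" = add ] || continue
        if in_net "$1" "$src" && in_net "$2" "$dst"; then
            echo "$num"; break
        fi
    done)
    echo "${result:-none}"
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)
        gen_rules
        echo "# 192.168.21.20 -> 172.16.0.1 with two rules:  $(first_nat_match 192.168.21.20 172.16.0.1)"
        echo "# same packet against the original file:       $(first_nat_match 192.168.21.20 172.16.0.1 gen_rules_original)"
        ;;
esac
```

Run it with no arguments to print the rule set and the two match results;
`./ipfw-nat-example.sh apply` (or `IPFW=echo ./ipfw-nat-example.sh apply` for
a dry run) installs them. On the gateway itself, `ipfw -a list` after a ping
from the far client shows whether the counters on rule 200 move, which is the
quickest way to see if the return traffic is actually being handed to the NAT
instance.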