From: "John W. O'Brien" (Saltant Solutions)
Date: Thu, 06 Mar 2014 21:48:17 -0500
To: Eric Masson
Cc: Mailing List FreeBSD Network
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID: <53193371.4090603@saltant.com>
In-Reply-To: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi Eric,

On 1/25/14 10:28 AM, Eric Masson wrote:
> Hi,
>
> I've set up a lab to experiment with a nat before ipsec scenario.
> Architecture :
> - 3 host only interfaces have been set up on the host
> - 4 FreeBSD10 guests have been set up :
> - 2 clients connected to their respective gateways via dedicated host
> only interfaces.
> - 2 gateways connected together via dedicated host only interface

Trimming configs for clarity.

> Gateway 1 setup :
> <----------------------------------------------------------------->
> emss@gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> emss@gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24

You also need to perform NAT processing on the traffic that returns to
gateway1 from gateway2.

$cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1

> $cmd nat 100 config log ip 172.16.0.1 reverse
> emss@gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
> esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
> esp/tunnel/10.0.0.5-10.0.0.6/require;
> emss@gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
>
> net.inet.ip.fw.default_to_accept="1"

I'm curious to learn whether this is sufficient. I haven't tested any
combination of NAT and IPsec.

Regards,
John
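To see why the reply path needs a nat rule of its own, here is a small Python model of gateway1's NAT-then-SPD path. It is an added example, not ipfw, setkey or anything posted in the thread: the networks, the alias address 172.16.0.1 and the two SPD selectors are taken from the quoted configuration, while the client host 192.168.11.10, the port numbers, the session table and the rule-matching loop are a constructed simplification of what ipfw nat and the kernel SPD actually do (first matching nat rule translates and stops; a packet that matches no outbound policy leaves without IPsec).

```python
"""Model of gateway1's NAT-before-IPsec path (added example, not ipfw).

Addresses from the thread: client net 192.168.11.0/24 behind gateway1,
remote net 192.168.21.0/24, NAT alias 172.16.0.1.  The client host and
the port numbers below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NatInstance:
    """Stateful source NAT: rewrites src to alias_ip on the way out and
    restores the original destination on the way back (simplified libalias)."""
    alias_ip: str
    sessions: dict = field(default_factory=dict)  # alias port -> (orig src, orig sport)
    next_port: int = 60000  # constructed alias port range

    def translate(self, pkt: Packet) -> Packet:
        # Reply direction: addressed to the alias with a known alias port.
        if pkt.dst == self.alias_ip and pkt.dport in self.sessions:
            orig_src, orig_sport = self.sessions[pkt.dport]
            return Packet(pkt.src, orig_src, pkt.sport, orig_sport)
        # Forward direction: reuse or allocate an alias port and record it.
        for port, (src, sport) in self.sessions.items():
            if (src, sport) == (pkt.src, pkt.sport):
                return Packet(self.alias_ip, pkt.dst, port, pkt.dport)
        port = self.next_port
        self.next_port += 1
        self.sessions[port] = (pkt.src, pkt.sport)
        return Packet(self.alias_ip, pkt.dst, port, pkt.dport)


@dataclass(frozen=True)
class NatRule:
    number: int
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


def run_ipfw(rules, nat: NatInstance, pkt: Packet) -> Packet:
    """First matching nat rule translates the packet and, with
    net.inet.ip.fw.one_pass=1 (the default), processing stops there.
    No match: the packet passes untouched (default_to_accept=1)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return nat.translate(pkt)
    return pkt


# Selectors of the two spdadd lines in gateway1's /etc/ipsec.conf.
SPD_OUT = ("172.16.0.1/32", "192.168.21.0/24")
SPD_IN = ("192.168.21.0/24", "172.16.0.1/32")


def spd_matches(policy, pkt: Packet) -> bool:
    src_net, dst_net = policy
    return (ip_address(pkt.src) in ip_network(src_net)
            and ip_address(pkt.dst) in ip_network(dst_net))


RULES_ORIGINAL = [NatRule(100, "192.168.11.0/24", "192.168.21.0/24")]
# John's suggested rule 200 for the traffic coming back from gateway2.
RULES_FIXED = RULES_ORIGINAL + [NatRule(200, "192.168.21.0/24", "172.16.0.1/32")]


def round_trip(rules) -> Packet:
    """Client 192.168.11.10 (constructed) talks to 192.168.21.10: translate
    outbound, check the SPD, then run gateway2's decapsulated reply through
    the same ruleset and return what the client-side interface would see."""
    nat = NatInstance("172.16.0.1")
    request = Packet("192.168.11.10", "192.168.21.10", 40000, 22)
    out = run_ipfw(rules, nat, request)
    if not spd_matches(SPD_OUT, out):
        raise RuntimeError("outbound packet matches no policy: would leave in the clear")
    # gateway2 replies to what it saw: the alias address and alias port.
    reply = Packet(out.dst, out.src, out.dport, out.sport)
    if not spd_matches(SPD_IN, reply):
        raise RuntimeError("reply matches no inbound policy")
    return run_ipfw(rules, nat, reply)


def request_bypasses_ipsec(rules) -> bool:
    """True when the client's packet is never translated and therefore
    misses the 172.16.0.1/32 outbound selector (the cleartext failure mode)."""
    nat = NatInstance("172.16.0.1")
    request = Packet("192.168.11.10", "192.168.21.10", 40000, 22)
    return not spd_matches(SPD_OUT, run_ipfw(rules, nat, request))


if __name__ == "__main__":
    print("original ruleset, reply lands at:", round_trip(RULES_ORIGINAL).dst)
    print("with rule 200, reply lands at:   ", round_trip(RULES_FIXED).dst)
```

With only rule 100, the decapsulated reply from 192.168.21.10 to 172.16.0.1 matches no nat rule, so it stays addressed to gateway1's alias and never reaches the client; with rule 200 it is mapped back to 192.168.11.10:40000. The second helper shows the other side of the ordering problem: a client packet that is not translated before the SPD lookup matches neither policy and would go out without ESP.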