Date: Fri, 7 Mar 2014 07:55:22 +0100
From: Philipp Schmid <philipp.schmid@openresearch.com>
To: "John W. O'Brien" <john@saltant.com>
Cc: Eric Masson <emss@free.fr>, Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID: <09B6BE02-2F04-41A1-AC0D-9A7943F88086@openresearch.com>
In-Reply-To: <53193371.4090603@saltant.com>
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> <53193371.4090603@saltant.com>
Hi Eric,

FreeBSD 10 seems to have problems with IPSec and filtering/nat. Maybe your problem is related to:

http://www.freebsd.org/cgi/query-pr.cgi?pr=185876

- Philipp

On 07 Mar 2014, at 03:48, John W. O'Brien <john@saltant.com> wrote:

> Hi Eric,
>
> On 1/25/14 10:28 AM, Eric Masson wrote:
>> Hi,
>>
>> I've set up a lab to experiment with a nat-before-ipsec scenario.
>> Architecture:
>> - 3 host-only interfaces have been set up on the host
>> - 4 FreeBSD 10 guests have been set up:
>>   - 2 clients connected to their respective gateways via dedicated host-only
>>     interfaces.
>>   - 2 gateways connected together via a dedicated host-only interface
>
> Trimming configs for clarity
>
>> Gateway 1 setup:
>> <----------------------------------------------------------------->
>> emss@gateway1:~ % more /etc/rc.conf
>> hostname="gateway1"
>> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
>> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
>> gateway_enable="YES"
>> ipsec_enable="YES"
>> ipsec_file="/etc/ipsec.conf"
>> firewall_enable="YES"
>> firewall_script="/etc/ipfw.rules"
>> firewall_logging="YES"
>>
>> emss@gateway1:~ % more /etc/ipfw.rules
>> #!/bin/sh
>> cmd="/sbin/ipfw"
>> $cmd -f flush
>> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
>
> You also need to perform NAT processing on the traffic that returns to
> gateway1 from gateway2.
>
> $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1
>
>> $cmd nat 100 config log ip 172.16.0.1 reverse
>>
>> emss@gateway1:~ % more /etc/ipsec.conf
>> flush;
>> spdflush;
>>
>> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
>> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>>
>> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
>> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>>
>> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>>     ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>>     esp/tunnel/10.0.0.6-10.0.0.5/require;
>>
>> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>>     ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>>     esp/tunnel/10.0.0.5-10.0.0.6/require;
>>
>> emss@gateway1:~ % more /boot/loader.conf
>> ipfw_load="YES"
>> ipfw_nat_load="YES"
>>
>> net.inet.ip.fw.default_to_accept="1"
>
> I'm curious to learn whether this is sufficient. I haven't tested any
> combination of NAT and IPsec.
>
> Regards,
> John
>
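John's point above (the reply traffic from 192.168.21.0/24 back to the alias 172.16.0.1 has to be handed to the NAT too, or it is never mapped back to the 192.168.11.0/24 client) can be shown with a small model of a stateful source NAT sitting behind an ipfw-style rule list. This is an added example and not code from the thread, ipfw or libalias: it uses the thread's addresses and rule numbers, but the client/server hosts (192.168.11.10, 192.168.21.10), the ports and the first alias port 40000 are constructed, and the matching is a simplification. It deliberately does not model ipfw's in/out direction handling, the `reverse` keyword, or where the IPsec hooks sit relative to pfil, which is the FreeBSD 10 problem Philipp points at.

```python
"""
Added example (not from the thread): an ipfw-style rule list in front of a
stateful source NAT, used to show why a single forward-direction NAT rule
translates outbound packets but never touches the replies.
Addresses follow the thread; hosts, ports and the NAT internals are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ALIAS_IP = "172.16.0.1"          # "nat 100 config ... ip 172.16.0.1" in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    """Models 'ipfw add <number> nat 100 all from <src_net> to <dst_net>'."""
    number: int
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


class SourceNat:
    """Simplified stateful SNAT: aliases inside sources to ALIAS_IP and keeps a
    table so that replies addressed to the alias are mapped back inside."""

    def __init__(self, alias_ip: str):
        self.alias_ip = alias_ip
        self.table = {}              # (alias, alias_port) -> (inside_ip, inside_port)
        self.next_port = 40000       # constructed starting alias port

    def translate(self, pkt: Packet) -> Packet:
        # Reply to an existing session: destination is our alias, map it back.
        key = (pkt.dst, pkt.dport)
        if pkt.dst == self.alias_ip and key in self.table:
            inside, sport = self.table[key]
            return replace(pkt, dst=inside, dport=sport)
        # Continuing outbound flow: reuse the existing alias port.
        for (alias, aport), (inside, sport) in self.table.items():
            if (inside, sport) == (pkt.src, pkt.sport):
                return replace(pkt, src=alias, sport=aport)
        # New outbound flow: allocate an alias port and record the mapping.
        aport = self.next_port
        self.next_port += 1
        self.table[(self.alias_ip, aport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.alias_ip, sport=aport)


def run_ruleset(rules, nat, pkt):
    """First matching 'nat' rule hands the packet to the NAT; a packet that
    matches no rule passes untouched (default_to_accept=1 in the thread)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return nat.translate(pkt)
    return pkt


def simulate(rules):
    """Send one client packet out through gateway1's rules, then the server's
    reply back in. Returns (outbound after NAT, reply after NAT)."""
    nat = SourceNat(ALIAS_IP)
    client = Packet("192.168.11.10", "192.168.21.10", 50000, 80)   # constructed
    out = run_ruleset(rules, nat, client)
    reply = Packet(out.dst, out.src, out.dport, out.sport)          # server answers the alias
    back = run_ruleset(rules, nat, reply)
    return out, back


# Eric's ruleset: only the LAN -> remote direction is handed to the NAT.
ERIC_RULES = [NatRule(100, "192.168.11.0/24", "192.168.21.0/24")]
# John's addition: replies from the remote LAN to the alias go through the NAT too.
JOHN_RULES = ERIC_RULES + [NatRule(200, "192.168.21.0/24", "172.16.0.1/32")]

if __name__ == "__main__":
    for name, rules in (("rule 100 only", ERIC_RULES), ("with rule 200", JOHN_RULES)):
        out, back = simulate(rules)
        print(f"{name}: out {out.src}:{out.sport} -> {out.dst}:{out.dport}; "
              f"reply delivered to {back.dst}:{back.dport}")
```

With rule 100 alone the reply still carries the alias address 172.16.0.1 after passing the rule list, so it is routed as a packet for a host that does not exist on em1; with rule 200 the same reply matches, the NAT finds the session it created on the way out, and the destination becomes the original client. The real gateway additionally depends on which hook (inbound on em1, outbound on em0, before or after ESP decapsulation) the packet reaches the NAT on, which this model leaves out.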