Date:      Fri, 7 Mar 2014 07:55:22 +0100
From:      Philipp Schmid <philipp.schmid@openresearch.com>
To:        "John W. O'Brien" <john@saltant.com>
Cc:        Eric Masson <emss@free.fr>, Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject:   Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID:  <09B6BE02-2F04-41A1-AC0D-9A7943F88086@openresearch.com>
In-Reply-To: <53193371.4090603@saltant.com>
References:  <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> <53193371.4090603@saltant.com>

Hi Eric,

FreeBSD 10 seems to have problems with IPSec and filtering/nat.
Maybe your problem is related to:

	http://www.freebsd.org/cgi/query-pr.cgi?pr=185876

- Philipp


On 07 Mar 2014, at 03:48, John W. O'Brien <john@saltant.com> wrote:

> Hi Eric,
> 
> On 1/25/14 10:28 AM, Eric Masson wrote:
>> Hi,
>> 
>> I've set up a lab to experiment with a NAT-before-IPsec scenario.
>> Architecture:
>> - 3 host-only interfaces have been set up on the host
>> - 4 FreeBSD 10 guests have been set up:
>>  - 2 clients connected to their respective gateways via dedicated host
>>    only interfaces.
>>  - 2 gateways connected together via dedicated host only interface
> 
> Trimming configs for clarity
> 
>> Gateway 1 setup :
>> <----------------------------------------------------------------->
>> emss@gateway1:~ % more /etc/rc.conf
>> hostname="gateway1"
>> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
>> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
>> gateway_enable="YES"
>> ipsec_enable="YES"
>> ipsec_file="/etc/ipsec.conf"
>> firewall_enable="YES"
>> firewall_script="/etc/ipfw.rules"
>> firewall_logging="YES"
>> emss@gateway1:~ % more /etc/ipfw.rules
>> #!/bin/sh
>> cmd="/sbin/ipfw"
>> $cmd -f flush
>> $cmd    add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
> 
> You also need to perform NAT processing on the traffic that returns to
> gateway1 from gateway2.
> 
>    $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1
> 
>> $cmd    nat 100 config log ip 172.16.0.1 reverse
>> emss@gateway1:~ % more /etc/ipsec.conf
>> flush;
>> spdflush;
>> 
>> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
>> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>> 
>> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
>> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>> 
>> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>>  ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>>  esp/tunnel/10.0.0.6-10.0.0.5/require;
>> 
>> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>>  ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>>  esp/tunnel/10.0.0.5-10.0.0.6/require;
>> emss@gateway1:~ % more /boot/loader.conf
>> ipfw_load="YES"
>> ipfw_nat_load="YES"
>> 
>> net.inet.ip.fw.default_to_accept="1"
> 
> I'm curious to learn whether this is sufficient. I haven't tested any
> combination of NAT and IPsec.
> 
> Regards,
> John
> 
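As an added illustration (not code from this thread, from ipfw or from FreeBSD), the following Python model shows why John's second nat rule is needed: Eric's rule 100 matches only the inside-to-remote direction, so a reply that arrives after ESP decapsulation addressed to the alias 172.16.0.1 matches no nat rule and is left untranslated, which is the reported symptom. The addresses, rule dictionaries and the two sample packets are constructed assumptions; the model ignores ports, the `reverse` keyword and ipfw's real state handling.

```python
# Toy model of ipfw nat rule matching on gateway1 (added example, not ipfw code).
# Simplification: one state entry per remote peer, no ports, no "reverse" keyword.
import ipaddress

ALIAS = "172.16.0.1"                                 # nat 100 config ip 172.16.0.1
LAN = ipaddress.ip_network("192.168.11.0/24")        # clients behind gateway1
REMOTE = ipaddress.ip_network("192.168.21.0/24")     # clients behind gateway2

def matches(rule, pkt):
    """ipfw-style 'from A to B' test on a (src, dst) address pair."""
    src, dst = (ipaddress.ip_address(a) for a in pkt)
    return src in rule["from"] and dst in rule["to"]

def run_nat(rules, packets):
    """Pass each packet through the first matching nat rule; return rewritten packets."""
    table = {}   # remote peer address -> inside address that talked to it
    out = []
    for src, dst in packets:
        for rule in rules:
            if not matches(rule, (src, dst)):
                continue
            if ipaddress.ip_address(src) in LAN:
                table[dst] = src          # outbound: remember the inside host
                src = ALIAS               # rewrite source to the alias address
            elif dst == ALIAS and src in table:
                dst = table[src]          # reply: translate the alias back
            break                         # only the first matching rule acts
        out.append((src, dst))
    return out

RULE_100 = {"from": LAN, "to": REMOTE}                                  # Eric's only rule
RULE_200 = {"from": REMOTE, "to": ipaddress.ip_network(ALIAS + "/32")}  # John's addition

# Constructed sample traffic: client1 -> client2, then the reply after ESP decapsulation.
CONSTRUCTED = [("192.168.11.50", "192.168.21.50"),
               ("192.168.21.50", "172.16.0.1")]

def with_rule_100_only():
    return run_nat([RULE_100], CONSTRUCTED)   # reply keeps dst 172.16.0.1: untranslated

def with_both_rules():
    return run_nat([RULE_100, RULE_200], CONSTRUCTED)   # reply dst becomes 192.168.11.50

if __name__ == "__main__":
    print("rule 100 only:", with_rule_100_only())
    print("rules 100+200:", with_both_rules())
```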