From owner-freebsd-net@FreeBSD.ORG Fri Mar 7 06:55:36 2014
From: Philipp Schmid
To: "John W. O'Brien"
Cc: Eric Masson, Mailing List FreeBSD Network
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Date: Fri, 7 Mar 2014 07:55:22 +0100
Message-Id: <09B6BE02-2F04-41A1-AC0D-9A7943F88086@openresearch.com>
In-Reply-To: <53193371.4090603@saltant.com>
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> <53193371.4090603@saltant.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi Eric,

FreeBSD 10 seems to have problems with IPSec and filtering/nat. Maybe your problem is related to:

http://www.freebsd.org/cgi/query-pr.cgi?pr=185876

- Philipp

On 07 Mar 2014, at 03:48, John W. O'Brien wrote:

> Hi Eric,
>
> On 1/25/14 10:28 AM, Eric Masson wrote:
>> Hi,
>>
>> I've set up a lab to experiment with a nat before ipsec scenario.
>> Architecture:
>> - 3 host-only interfaces have been set up on the host
>> - 4 FreeBSD 10 guests have been set up:
>> - 2 clients connected to their respective gateways via dedicated host-only
>> interfaces.
>> - 2 gateways connected together via a dedicated host-only interface
>
> Trimming configs for clarity
>
>> Gateway 1 setup:
>> <----------------------------------------------------------------->
>> emss@gateway1:~ % more /etc/rc.conf
>> hostname="gateway1"
>> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
>> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
>> gateway_enable="YES"
>> ipsec_enable="YES"
>> ipsec_file="/etc/ipsec.conf"
>> firewall_enable="YES"
>> firewall_script="/etc/ipfw.rules"
>> firewall_logging="YES"
>> emss@gateway1:~ % more /etc/ipfw.rules
>> #!/bin/sh
>> cmd="/sbin/ipfw"
>> $cmd -f flush
>> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
>
> You also need to perform NAT processing on the traffic that returns to
> gateway1 from gateway2.
>
> $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1
>
>> $cmd nat 100 config log ip 172.16.0.1 reverse
>> emss@gateway1:~ % more /etc/ipsec.conf
>> flush;
>> spdflush;
>>
>> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
>> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>>
>> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
>> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>>
>> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>> esp/tunnel/10.0.0.6-10.0.0.5/require;
>>
>> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>> esp/tunnel/10.0.0.5-10.0.0.6/require;
>> emss@gateway1:~ % more /boot/loader.conf
>> ipfw_load="YES"
>> ipfw_nat_load="YES"
>>
>> net.inet.ip.fw.default_to_accept="1"
>
> I'm curious to learn whether this is sufficient. I haven't tested any
> combination of NAT and IPsec.
>
> Regards,
> John
>
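Added example, not code from the thread: a gateway1 /etc/ipfw.rules script that combines Eric's ruleset with the return-path NAT rule John suggests, so that NAT instance 100 is applied both on client traffic leaving for the remote site and on the decapsulated traffic coming back to 172.16.0.1. The IPFW_DRY_RUN variable and the ipfw_cmd, gateway1_rules and count_nat_rules helpers are names chosen for this example; the addresses and NAT options are the ones from the lab in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: /etc/ipfw.rules for gateway1 with
# NAT instance 100 applied on both the outbound and the return path, i.e.
# Eric's ruleset plus the rule John suggests.
# Usage:
#   sh ipfw.rules apply                  # load the rules (root, ipfw_nat loaded)
#   IPFW_DRY_RUN=1 sh ipfw.rules apply   # print the commands instead of running them
# IPFW_DRY_RUN, ipfw_cmd, gateway1_rules and count_nat_rules are names
# chosen for this example.

cmd="${IPFW:-/sbin/ipfw}"

# Addresses from the lab in the thread: the client subnet behind gateway1,
# the client subnet behind gateway2, and the address the SPD entries tunnel.
lan_net="192.168.11.0/24"
remote_net="192.168.21.0/24"
nat_ip="172.16.0.1"

# Run an ipfw command, or just print it when IPFW_DRY_RUN is set.
ipfw_cmd() {
    if [ -n "${IPFW_DRY_RUN:-}" ]; then
        echo "$cmd $*"
    else
        "$cmd" "$@"
    fi
}

gateway1_rules() {
    ipfw_cmd -f flush
    # NAT instance 100 (same options as in Eric's config) is created before
    # any rule refers to it.
    ipfw_cmd nat 100 config log ip "$nat_ip" reverse
    # Outbound: client traffic for the remote site is rewritten to nat_ip so
    # that it matches the 172.16.0.1/32 -> 192.168.21.0/24 'out' SPD entry.
    ipfw_cmd add 00100 nat 100 all from "$lan_net" to "$remote_net"
    # Return path (the rule the original ruleset lacked): decapsulated
    # traffic from the remote site to nat_ip is translated back to the client.
    ipfw_cmd add 00200 nat 100 all from "$remote_net" to "$nat_ip"
}

# Self-check: the ruleset must reference NAT instance 100 in both directions.
count_nat_rules() {
    ( IPFW_DRY_RUN=1; gateway1_rules ) | grep -c ' add [0-9]* nat 100 '
}

case "${1:-}" in
    apply) gateway1_rules ;;
esac
```

Running the script with IPFW_DRY_RUN=1 before installing it as firewall_script shows exactly which ipfw commands will be issued, which makes it easy to compare the loaded ruleset (ipfw show) against the SPD entries in /etc/ipsec.conf when a packet in one direction is not being translated.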