From owner-freebsd-net@freebsd.org  Tue Jul 25 14:05:36 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 286A5C7D24E
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Tue, 25 Jul 2017 14:05:36 +0000 (UTC)
 (envelope-from m.muenz@spam-fetish.org)
Received: from mailout-02.maxonline.de (mailout-02.maxonline.de [81.24.66.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id D37427C9E6
 for <freebsd-net@freebsd.org>; Tue, 25 Jul 2017 14:05:35 +0000 (UTC)
 (envelope-from m.muenz@spam-fetish.org)
Received: from web03-01.max-it.de (web03-01.max-it.de [81.24.64.215])
 by mailout-02.maxonline.de (Postfix) with ESMTPS id A6A914A;
 Tue, 25 Jul 2017 16:05:33 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by web03-01.max-it.de (Postfix) with ESMTP id 9DA4F28B849;
 Tue, 25 Jul 2017 16:05:33 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at web03-01.max-it.de
Received: from web03-01.max-it.de ([127.0.0.1])
 by localhost (web03-01.max-it.de [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id C4EwptdRPskt; Tue, 25 Jul 2017 16:05:33 +0200 (CEST)
Received: from [81.24.66.132] (unknown [81.24.66.132])
 (Authenticated sender: m.muenz@spam-fetish.org)
 by web03-01.max-it.de (Postfix) with ESMTPA id 576D928B847;
 Tue, 25 Jul 2017 16:05:33 +0200 (CEST)
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, freebsd-net@freebsd.org
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
 <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org>
 <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru>
 <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org>
 <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru>
 <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org>
 <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru>
 <cdb7e172-4074-4559-1e91-90c8e9276134@spam-fetish.org>
 <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru>
 <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org>
 <c738380c-e0cc-2d32-934e-a05502887b93@yandex.ru>
 <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org>
 <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru>
 <f4c5a11c-a329-d746-ece8-e3752a6c82ea@spam-fetish.org>
 <5dfdfbb3-1046-5abe-b23a-b62c215b5d08@yandex.ru>
 <ada882bb-7344-49c5-0e47-e1432f27f1c9@spam-fetish.org>
 <860b48aa-b99e-7b71-3724-587ee0a7fe80@spam-fetish.org>
 <1b831b84-1d3f-38cb-acee-07a339315417@yandex.ru>
From: "Muenz, Michael" <m.muenz@spam-fetish.org>
Message-ID: <0bbf5bb9-8089-f9ce-3b1d-e9bcbdbc6c76@spam-fetish.org>
Date: Tue, 25 Jul 2017 16:06:37 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <1b831b84-1d3f-38cb-acee-07a339315417@yandex.ru>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 14:05:36 -0000

Am 25.07.2017 um 15:04 schrieb Andrey V. Elsukov:
> On 25.07.2017 15:17, Muenz, Michael wrote:
>>>> * 10.26.2.N sends ICMP request to 10.24.66.25
>>>>
>>>> * 10.26.1.1 handles it by tunnel mode IPsec security policy,
>>>> something like:
>>>>      spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
>>>>          esp/tunnel/213.244.192.191-81.24.74.3/require;
>>>> * IPsec code does lookup for IPsec SA and uses something like:
>>>>      add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
>>> Thanks for the detailed explaination! I only know the insights with
>>> Linux, but what I try to achieve is, not to build a SA fpr 10.26.2.0
>>> to 10.24.66.0.
>>> So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done
>>> before getting to the IPSEC process.
>>> In Linux a packet not matching a SA would simply be dropped by kernel
>>> or throw a "NO PROPOSAL CHOSEN" since there's no known SA for
>>> 10.26.2.0 to 10.24.66.0.
> As I said already, the NAT thinks that both packets are inbound and does
> translation for source address each time. You need to do translation for
> both directions on enc0 interface like I described, or you need to
> somehow hack/modify ipfw_nat.
>
> You do not need to create SA for 10.26.2.0->10.24.66.0, you only need
> create security policy, that will "route" such packets into the IPsec
> tunnel. The translation will be done inside IPsec before IP
> encapsulation and encryption. Since you are using tunnel mode IPsec,
> replies will be returned to your external IP address, and this SA is
> exists already. After decryption and IP decapsulation the destination
> address of packet will be translated back to 10.26.2.N on if_enc(4).

Can I use this spdadd command also when using strongswan? (Please excuse 
stupid questions)

>
>> 14:02:53.960436 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0,
>> ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28, bad
>> cksum b07 (->c07)!)
>>      10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
>              ^^^ - this address must be 10.26.2.N, and it will be
> translated on "out xmit enc0".
>
>> 14:02:53.960460 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0,
>> ttl 64, id 32607, offset 0, flags [none], proto IPIP (4), length 48, bad
>> cksum 0 (->c99b)!)
>>      213.244.192.191 > 81.24.74.3: IP (tos 0x0, ttl 63, id 6287, offset
>> 0, flags [none], proto ICMP (1), length 28)
>>      10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
>              ^^^ - and here it will become 10.26.1.1 after translation.
>
>> 14:02:53.968634 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0,
>> ttl 58, id 18352, offset 0, flags [none], proto IPIP (4), length 48)
>>      81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 38328, offset
>> 0, flags [none], proto ICMP (1), length 28)
>>      10.24.66.25 > 10.26.1.1: ICMP echo reply, id 38600, seq 0, length 8
>                           ^^^ - here your gateway receives the reply and
> will do IP decapsulaton.
>
>> 14:02:53.968653 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0,
>> ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
>>      10.26.1.1 > 10.26.1.1: ICMP echo reply, id 44919, seq 0, length 8
>        ^^^ - here packet will be translated back on "in recv enc0" and
> will have the following addresses: 10.24.66.25 > 10.26.2.N
>
>> So the most specific nat rule in order to get the packet into enc0 is:
>>
>> ipfw nat 1 config ip 10.26.1.1 log reverse
>> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 in recv
>> vtnet1
>> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat 1 all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>

Ok so your 3 nat commands will only match when there's a new spd like 
above right?
Since there's nothing on enc0 without it.

Thanks
Michael