Date: Wed, 19 Jul 2017 09:53:51 +0200
From: "Muenz, Michael" <m.muenz@spam-fetish.org>
To: freebsd-net@freebsd.org
Subject: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
Hi,

seems this is a rather old topic but I want to check if there's perhaps some progress or a chance to get this done. I'm using OPNsense based on FreeBSD 11 and there's a problem with NAT before IPSEC.

Some old discussions:

https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
http://undeadly.org/cgi?action=article&sid=20090127205841
https://github.com/opnsense/core/issues/440

What I want to achieve is: IPSEC between 10.26.1.0/24 and 10.24.66.0/24 (works). The peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:

10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0

If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an IP for 10.24.1.0 before it hits the VPN.

My approach was:

kldload ipfw_nat.ko
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

So all packets from 10.26.2.x to 10.24.66.x will be NATted to IP 10.26.1.1 (LAN IP of Firewall-A). This works just fine and I see the replies on enc0:

09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8

Sadly nothing else happens. My thought was it's just some kind of state tracking, so I played around with all kinds of sysctl values, but nothing helps.

Is there really no way to achieve a setup like this?

Thanks,
Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?459d59f7-2895-8aed-d547-be46a0fbb918>
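A check one can run over the captures in the message above, as an added example that is not from the post or from the FreeBSD/OPNsense code: ipfw's nat action only hands a packet to libalias when that packet hits a nat rule, so a rule set has to cover both the pre-translation forward tuple and the post-translation reply tuple. The script parses the two enc0 tcpdump lines quoted above plus one constructed LAN-side line (the inside host 10.26.2.10 is an assumption) and reports which of them the match part of `from 10.26.2.0/24 to 10.24.66.0/24` covers; the reply addressed to 10.26.1.1 is not among them. Whether that missing reply-side match, rather than the in/out handling of the `reverse` option or the enc0 filter point, is what leaves the replies stuck is not something the post establishes.

```python
"""Report which packets of a NAT'd flow an ipfw 'from A to B' tuple covers.

Added example; not code from the post, from OPNsense or from FreeBSD.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the two enc0 lines quoted in the post, plus one
# hypothetical LAN-side capture of the same request before NAT (host
# 10.26.2.10 is assumed; the post does not show the LAN side).
ENC0_LINES = [
    "09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8",
    "09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8",
]
LAN_LINE = "09:51:21.212900 IP 10.26.2.10 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8"

NAT_IP = ipaddress.ip_address("10.26.1.1")
# Match tuple of "ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24".
RULE_179 = (ipaddress.ip_network("10.26.2.0/24"), ipaddress.ip_network("10.24.66.0/24"))

_PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ([^,]+)")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    desc: str


def parse_tcpdump(line: str) -> Packet:
    """Pull source, destination and protocol description out of a tcpdump IPv4 line."""
    m = _PKT_RE.search(line)
    if m is None:
        raise ValueError(f"not an IPv4 tcpdump line: {line!r}")
    return Packet(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3))


def rule_matches(rule, pkt: Packet) -> bool:
    """ipfw 'from A to B' semantics: source and destination sets must both match."""
    src_net, dst_net = rule
    return pkt.src in src_net and pkt.dst in dst_net


def reply_rule(rule, nat_ip):
    """Tuple the replies to a NAT'd flow carry: remote net -> the NAT address."""
    _, dst_net = rule
    return (dst_net, ipaddress.ip_network(str(nat_ip)))


def coverage(rule, nat_ip, lines):
    """One row per capture line: does the forward rule, or the reply tuple, cover it?"""
    rrule = reply_rule(rule, nat_ip)
    rows = []
    for line in lines:
        pkt = parse_tcpdump(line)
        rows.append({
            "src": str(pkt.src),
            "dst": str(pkt.dst),
            "desc": pkt.desc,
            "forward_rule": rule_matches(rule, pkt),
            "reply_rule": rule_matches(rrule, pkt),
        })
    return rows


if __name__ == "__main__":
    for row in coverage(RULE_179, NAT_IP, [LAN_LINE] + ENC0_LINES):
        print(f"{row['src']:>14} > {row['dst']:<14} {row['desc']:<18} "
              f"forward_rule={row['forward_rule']!s:<5} reply_rule={row['reply_rule']}")
```

The enc0 echo request already carries the translated source, so it is expected not to match rule 179 (translation happened earlier on the path); the echo reply is the row to look at, because the only tuple that covers it is the derived reply tuple `from 10.24.66.0/24 to 10.26.1.1`, which the posted rule set does not contain.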