Date: Sat, 25 Jan 2014 16:28:10 +0100
From: Eric Masson <emss@free.fr>
To: Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
Subject: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
Hi,

I've set up a lab to experiment with a nat before ipsec scenario.

Architecture :
- 3 host only interfaces have been set up on the host
- 4 FreeBSD10 guests have been set up :
  - 2 clients connected to their respective gateways via dedicated host only interfaces.
  - 2 gateways connected together via a dedicated host only interface

Client 1 setup :
<----------------------------------------------------------------->
emss@client1:~ % more /etc/rc.conf
hostname="client1"
keymap="fr.iso.acc.kbd"
ifconfig_em0="inet 192.168.11.100 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
defaultrouter="192.168.11.15"
sshd_enable="YES"
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
<----------------------------------------------------------------->

Gateway 1 setup :
<----------------------------------------------------------------->
emss@gateway1:~ % more /etc/rc.conf
hostname="gateway1"
keymap="fr.iso.acc.kbd"
ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
ifconfig_em1_ipv6="inet6 accept_rtadv"
ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
gateway_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

emss@gateway1:~ % more /etc/ipfw.rules
#!/bin/sh
cmd="/sbin/ipfw"
$cmd -f flush
$cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
$cmd nat 100 config log ip 172.16.0.1 reverse

emss@gateway1:~ % more /etc/ipsec.conf
flush;
spdflush;
add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec ipcomp/tunnel/10.0.0.6-10.0.0.5/require esp/tunnel/10.0.0.6-10.0.0.5/require;
spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec ipcomp/tunnel/10.0.0.5-10.0.0.6/require esp/tunnel/10.0.0.5-10.0.0.6/require;

emss@gateway1:~ % more /boot/loader.conf
ipfw_load="YES"
ipfw_nat_load="YES"
net.inet.ip.fw.default_to_accept="1"
<----------------------------------------------------------------->

Gateway 2 setup :
<----------------------------------------------------------------->
emss@gateway2:~ % more /etc/rc.conf
hostname="gateway2"
keymap="fr.iso.acc.kbd"
ifconfig_em1="inet 10.0.0.6 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.21.15 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
gateway_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

emss@gateway2:~ % more /etc/ipsec.conf
flush;
spdflush;
add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
spdadd 192.168.21.0/24 172.16.0.1/32 any -P out ipsec ipcomp/tunnel/10.0.0.6-10.0.0.5/require esp/tunnel/10.0.0.6-10.0.0.5/require;
spdadd 172.16.0.1/32 192.168.21.0/24 any -P in ipsec ipcomp/tunnel/10.0.0.5-10.0.0.6/require esp/tunnel/10.0.0.5-10.0.0.6/require;
<----------------------------------------------------------------->

Client 2 setup :
<----------------------------------------------------------------->
emss@client2:~ % more /etc/rc.conf
hostname="client2"
keymap="fr.iso.acc.kbd"
ifconfig_em0="inet 192.168.21.100 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
defaultrouter="192.168.21.15"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
<----------------------------------------------------------------->

Test setup by pinging client2 from client1 :

On client1 :
emss@client1:~ % ping 192.168.21.100
PING 192.168.21.100 (192.168.21.100): 56 data bytes

On gateway1 inside interface :
root@gateway1:~ # tcpdump -i em1
17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
17:16:08.600660 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 59651, seq 213, length 64
...

On gateway1 outside interface :
root@gateway1:~ # tcpdump -i em0
17:16:48.501317 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed4), length 128
17:16:48.501612 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed5), length 128
17:16:48.502665 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e67), length 128
17:16:48.502938 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e68), length 128
...

On client2 :
root@client2:~ # tcpdump -i em0
17:14:17.671181 IP 172.16.0.1 > 192.168.21.100: ICMP echo request, id 59651, seq 107, length 64
17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
...

So, the only remaining issue is that gateway1 doesn't nat back ipsec decapsulated packets (if there is no nat in the scenario, everything works fine).
Setting net.inet.ip.fw.one_pass to 0 doesn't change anything.

Any ideas, please?

Regards

Éric Masson

-- 
R: >>gruik! gruik! jâðaaaaadooooore incon*gruik*ities! :P
That's not nice, my RoDouDou! You keep insisting on your incomplete unicode!
-+- I in <http://www.le-gnu.net> : Unicode forever, you interest me -+-
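One thing worth checking on gateway1 before looking at the IPsec/ipfw ordering is whether the decapsulated reply can match the nat rule at all. The only rule in /etc/ipfw.rules is "nat 100 all from 192.168.11.0/24 to 192.168.21.0/24", and an ipfw "from A to B" rule matches a packet only when its source is in A and its destination is in B; the reply that client2 sends (192.168.21.100 to 172.16.0.1, as in the client2 tcpdump above) satisfies neither side of that rule. The model below is an added example, not code from the thread or from FreeBSD: it reproduces only that five-tuple match and a minimal alias table, with packets constructed from the tcpdump lines quoted in the message. The second rule (number 110, matching the reply direction) is an assumption added for the model, not something the message states.

```python
"""Model of the ipfw nat rule match for the NAT-before-IPsec lab above.

Added example (not from the thread): it reproduces only the five-tuple test
that an ipfw 'all from A to B' rule applies, plus a minimal alias table. It
is not the ipfw/libalias engine, and it says nothing about whether the
decapsulated packet is handed to ipfw at all.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    number: int    # ipfw rule number
    src_net: str   # 'from' prefix
    dst_net: str   # 'to' prefix

    def matches(self, pkt: Packet) -> bool:
        # 'all from X to Y' requires src in X AND dst in Y; the reverse
        # direction is not matched implicitly.
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[int]:
    """First-match walk in rule-number order, as ipfw does; None if no rule hits."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number
    return None


ALIAS_IP = "172.16.0.1"   # from 'nat 100 config ... ip 172.16.0.1' in the message

# Rule set exactly as in gateway1's /etc/ipfw.rules.
ORIGINAL_RULES = [NatRule(100, "192.168.11.0/24", "192.168.21.0/24")]

# Hypothetical extra rule (an assumption for this model, not something the
# thread states) covering the decapsulated reply direction.
WITH_RETURN_RULE = ORIGINAL_RULES + [NatRule(110, "192.168.21.0/24", ALIAS_IP + "/32")]

# Constructed from the tcpdump lines quoted in the message.
ECHO_REQUEST = Packet("192.168.11.100", "192.168.21.100")  # seen on gateway1 em1
DECAP_REPLY = Packet("192.168.21.100", "172.16.0.1")       # client2's reply, after ESP


def translate_round_trip(rules: List[NatRule], request: Packet,
                         reply: Packet) -> Optional[str]:
    """Return the de-aliased destination of `reply`, or None if a nat rule
    never saw one of the two packets.

    Outbound: record (alias, peer) -> real source.
    Inbound:  look up (dst, src) and rewrite the destination.
    """
    table: Dict[Tuple[str, str], str] = {}
    if first_match(rules, request) is None:
        return None                 # outbound never reached the nat instance
    table[(ALIAS_IP, request.dst)] = request.src
    if first_match(rules, reply) is None:
        return None                 # reply bypassed the nat instance: no reverse translation
    return table.get((reply.dst, reply.src))


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("with return rule", WITH_RETURN_RULE)):
        print(name, "request ->", first_match(rules, ECHO_REQUEST),
              "reply ->", first_match(rules, DECAP_REPLY),
              "reply dst after nat ->", translate_round_trip(rules, ECHO_REQUEST, DECAP_REPLY))
```

With the rule set from the message, the model finds no nat rule for the reply and therefore never reverses the translation; with a rule that also matches 192.168.21.0/24 to 172.16.0.1 the reply is mapped back to 192.168.11.100. On the real gateway the equivalent check is the per-rule packet counters from "ipfw -a list": if the reply direction is never counted against any nat rule, a rule-match problem is in play before any one_pass or IPsec ordering question.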