Date: Wed, 19 Jul 2017 13:12:41 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Muenz, Michael" <m.muenz@spam-fetish.org>, freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru>
In-Reply-To: <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org>
On 19.07.2017 12:27, Muenz, Michael wrote:
> On 19.07.2017 at 10:32, Andrey V. Elsukov wrote:
>>
>> What about reverse NAT rule? You need to translate decrypted packets
>> back to 10.26.2.0, otherwise they will still have 10.26.1.1 IP address
>> as final destination and will not be forwarded to 10.26.2.0.
>>
>
> Hi Andrey,
>
> I'm not really familiar with ipfw syntax, I'm more the Linux guy and
> there the state will be tracked.
> How should I build the rules to do the reverse NAT? I've been googling
> for 2 days now but I only found port redirects for this.

Try to add the following rule:

ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

This rule will pass a decrypted packet to the NAT instance, which will check
in the state table whether the packet should be translated back or not.
You need to have the enc0 interface in UP state, and the sysctl variable
net.enc.in.ipsec_filter_mask should be set to 1 or 2.

After translation on enc0 the packet will be returned to the IPsec subsystem,
which will queue it for further processing in the netisr. Since the
destination address becomes foreign, it will be forwarded by the IP stack.

--
WBR, Andrey V. Elsukov
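The steps in the reply above (enc0 up, the ipsec_filter_mask sysctl, a NAT instance and the inbound rule 179 on enc0) collected into one script, as an added example that is not part of the original mail or of FreeBSD. The rule 179 is the one quoted in the mail; the NAT instance number, the NAT address 10.26.1.1 as the translation target, the outbound rule number 178 and its "out xmit enc0" form are assumptions about how the before-IPsec NAT on this gateway is written, and should be adjusted to the real rule set. By default the script only prints the commands (DRY_RUN=1), so it can be reviewed before anything is executed on the gateway.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed, not from the page:
# NAT instance 1, outbound rule 178 with "out xmit enc0", and 10.26.1.1 as
# the address the inner network is translated to.
set -eu

ENC_IF=enc0
NAT_INST=1
NAT_ADDR=10.26.1.1           # address the inner network is hidden behind (from the thread)
INNER_NET=10.26.2.0/24       # real network behind this gateway (from the thread)
REMOTE_NET=10.24.66.0/24     # network on the far side of the tunnel (from the mail)
DRY_RUN=${DRY_RUN:-1}        # 1 = only print the commands; 0 = execute them (root on FreeBSD)

# run: print a command and execute it unless DRY_RUN=1
run() {
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# nat_rules: the whole configuration in the order the mail describes.
# Rule 179 is the one from the mail: decrypted replies arriving on enc0 are
# handed to the NAT instance, which consults its state table and rewrites
# 10.26.1.1 back to the real 10.26.2.0/24 host so the IP stack forwards it.
nat_rules() {
    run ifconfig "$ENC_IF" up
    run sysctl net.enc.in.ipsec_filter_mask=1
    run ipfw nat "$NAT_INST" config ip "$NAT_ADDR"
    # outbound (before IPsec) translation; rule number and form are assumptions
    run ipfw add 178 nat "$NAT_INST" ip from "$INNER_NET" to "$REMOTE_NET" out xmit "$ENC_IF"
    # inbound (after decryption) reverse translation, as quoted in the mail
    run ipfw add 179 nat "$NAT_INST" log all from "$REMOTE_NET" to "$NAT_ADDR" in recv "$ENC_IF"
}

# filter_mask_ok: 0 if the mask value lets ipfw see decrypted packets on
# enc0 on input (the mail says it must be 1 or 2), 1 for anything else
filter_mask_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_filter_mask: read the live sysctl and validate it with filter_mask_ok;
# only meaningful on a FreeBSD host, so it is not called in dry-run mode
check_filter_mask() {
    mask=$(sysctl -n net.enc.in.ipsec_filter_mask)
    filter_mask_ok "$mask"
}

# Usage:  sh nat-enc0.sh            (print the commands)
#         DRY_RUN=0 sh nat-enc0.sh  (apply them, then verify the sysctl)
nat_rules
[ "$DRY_RUN" = 1 ] || check_filter_mask
```

Rule 179 is a `nat` action on the inbound enc0 path only, so the translation is applied to the decrypted packet before the normal forwarding decision, which is exactly the point of the reply: with only the outbound rule, the decrypted reply still carries 10.26.1.1 as its destination and is never forwarded into 10.26.2.0/24.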