Date: Wed, 19 Jul 2017 11:32:17 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Muenz, Michael" <m.muenz@spam-fetish.org>, freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID: <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru>
In-Reply-To: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
References: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
On 19.07.2017 10:53, Muenz, Michael wrote:
> Hi,
>
> seems this is a rather old topic but I want to check if there's perhaps
> some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD 11 and there's a problem with NAT
> before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 and 10.24.66.0/24 (works).
> Peer at Site-B cannot be changed anymore, but there's a second subnet
> (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an
> IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

What about the reverse NAT rule? You need to translate decrypted packets
back to 10.26.2.0, otherwise they will still have the 10.26.1.1 IP address
as final destination and will not be forwarded to 10.26.2.0.

-- 
WBR, Andrey V. Elsukov
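The two-direction ruleset Andrey is asking for, written out as an added example; it is not code from the thread or from OPNsense. It assumes that Firewall-A's LAN interface is em0 (set LAN_IF to override), that 10.26.1.1 is a spare address in 10.26.1.0/24 rather than one of the firewall's own addresses (so a decrypted reply addressed to it is forwarded out the LAN interface instead of being delivered locally), and that ipfw's `reverse` option swaps libalias' notion of in and out, which is why the reply direction is matched on the way out of the LAN interface rather than in on enc0. The `check_nat_counters` helper and the `ipfw -a list` lines it is fed in the test are constructed here to illustrate the symptom in the subject line: the forward rule counting packets while the reply rule stays at zero. Confirm the placement on a real box with the rule counters and tcpdump on enc0 before trusting it.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense. Assumptions:
#   - Firewall-A's LAN interface is em0 (assumed name; override with LAN_IF)
#   - 10.26.1.1 is a free address in 10.26.1.0/24, not held by the firewall,
#     so decrypted replies to it are forwarded and pass the LAN output hook
#   - ipfw's `reverse` nat option swaps libalias' in/out handling, so the
#     reply must be matched where ipfw sees it as an outgoing packet
# Run with IPFW=echo to print the rules instead of loading them.
set -eu
IPFW=${IPFW:-ipfw}
LAN_IF=${LAN_IF:-em0}
NAT_IP=10.26.1.1
LOCAL_NET=10.26.2.0/24      # second subnet behind Router-A
REMOTE_NET=10.24.66.0/24    # Site-B network behind the tunnel

# Load the NAT instance and one rule per direction of the flow. With
# net.inet.ip.fw.one_pass=1 (the default) a packet that matches a nat rule
# is accepted right after translation and checked against no further rules.
load_nat_rules() {
    $IPFW nat 1 config ip "$NAT_IP" log reverse
    # forward: 10.26.2.x -> 10.24.66.x entering from the LAN, before IPsec;
    # the source becomes 10.26.1.1 so the packet matches the 10.26.1.0/24 SP
    $IPFW add 179 nat 1 log ip from "$LOCAL_NET" to "$REMOTE_NET" in via "$LAN_IF"
    # reply: decrypted 10.24.66.x -> 10.26.1.1 must pass the same instance so
    # the destination is translated back to the 10.26.2.x host that sent the
    # request; without this rule the reply keeps 10.26.1.1 as its destination
    $IPFW add 180 nat 1 log ip from "$REMOTE_NET" to "$NAT_IP" out via "$LAN_IF"
}

# Spot the symptom from the thread in `ipfw -a list` output (columns: rule
# number, packet count, byte count, rule text): the forward rule counting
# packets while the reply rule stays at zero means the decrypted replies are
# not being translated back. Usage: ipfw -a list | check_nat_counters 179 180
# Prints "ok" (exit 0), "replies not translated back" (exit 1) or
# "rule missing" (exit 2).
check_nat_counters() {
    fwd=$1
    rev=$2
    awk -v fwd="$fwd" -v rev="$rev" '
        { n = $1 + 0; pkts = $2 }
        n == fwd { f = pkts }
        n == rev { r = pkts }
        END {
            if (f == "" || r == "") { print "rule missing"; exit 2 }
            if (f > 0 && r == 0)    { print "replies not translated back"; exit 1 }
            print "ok"
            exit 0
        }'
}
```

`IPFW=echo sh thisfile.sh` followed by a call to `load_nat_rules` prints the three commands for review; on the firewall itself run it with the default `ipfw` after `kldload ipfw_nat`, then watch `ipfw -a list` while a host in 10.26.2.0/24 talks to Site-B.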