Date: Mon, 10 Oct 2022 09:04:34 +0200
From: infoomatic <infoomatic@gmx.at>
To: freebsd-pf@FreeBSD.org
Subject: PF: nat on ipsec
Message-ID: <c35f847b-60cd-fa48-66ae-66c48e3729b1@gmx.at>
Hi guys,

hope someone can help me with my problem trying to NAT IPsec. The setup: I use a FreeBSD host with an OPNsense VM and a vnet jail. The host uses em0 as the external interface, one bridge with an IPv4 address and a tap interface to connect OPNsense, and one bridge without an IPv4 address with the tap of OPNsense + the epair of the jail to connect those two. OPNsense is doing IPsec (strongSwan) to our AWS infrastructure, the jail is simulating a client on the "LAN" interface of OPNsense.

NAT on the host is set up with pf and works as expected except for IPsec: outgoing TCP/UDP packets from the jail pass through OPNsense, get NATed and then pass the host where they again get NATed.

The outgoing rules on the host:

nat pass on em0 proto udp from 192.168.251.100 to any -> $ip_out
nat pass on em0 proto tcp from 192.168.251.100 to any -> $ip_out

The incoming rules redirecting IPsec traffic to OPNsense:

rdr pass proto udp to $ip_out port 4500 -> 192.168.251.100
rdr pass proto udp to $ip_out port 500 -> 192.168.251.100

On the host, I can see that pf is not translating the packets; using tcpdump on pflog0 shows me:

00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17

where 3.123.51.34 is the IPsec endpoint on the AWS side. Every other packet outgoing from the jail shows of course the external IPv4 address; however, as you can see above, IPsec traffic does not get translated: packets try to pass the host's em0 interface with the internal IPv4 address of the OPNsense "WAN" interface.

I hope there is a solution I have not found to this strange problem, any advice highly appreciated.

Thanks!
Best regards,
Robert

[1] posted this + graphics already to: https://forums.freebsd.org/threads/pf-nating-ipsec.86692/
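A check a reader can run over pflog output of the kind quoted in the post, added here as an example; it is not part of Robert's message, of pf or of OPNsense. The script parses tcpdump-on-pflog0 lines (IPv4, default verbosity), keeps only records that left the external interface, and flags two things the quoted lines show: a source address that is still RFC 1918 on the outside interface, which means no nat rule rewrote it, and a record with no port numbers and a bare "ip-proto-17", which is how tcpdump prints a UDP packet whose header it cannot see, typically a non-initial IP fragment that port-based rules cannot match either. The two sample lines are a constructed copy of the ones in the post with the quoted-printable debris repaired; the interface name em0 and the field layout of the regex are assumptions about that tcpdump format.

```python
#!/usr/bin/env python3
"""Scan tcpdump-on-pflog0 output for outbound packets that left the
external interface without source NAT (still RFC 1918 source) and for
records whose transport ports tcpdump could not see.
Added example for the post above; not code from the post or from pf."""
import ipaddress
import re

# Constructed sample: the two pflog lines quoted in the post, with the
# "=3D" / "1= 272" quoted-printable debris repaired.
SAMPLE_PFLOG = """\
00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17
"""

# Assumed shape of one tcpdump line read from pflog0 (IPv4, default
# verbosity).  The ".port" suffixes are optional: tcpdump omits them when
# it cannot see a transport header, e.g. on a non-initial IP fragment,
# and then prints "ip-proto-<n>" instead of the protocol name.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block|nat|rdr) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return the parsed fields of one pflog record, or None if the line
    does not match the expected tcpdump layout."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def audit(text, external_if="em0"):
    """Flag every outbound record on *external_if* whose source address
    is still private (no nat rule rewrote it), and note when tcpdump saw
    no transport ports, which also hides the packet from port-based rules.
    Returns a list of dicts, one per flagged record."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_pflog_line(line)
        if rec is None or rec["dir"] != "out" or rec["ifname"] != external_if:
            continue
        issues = []
        if ipaddress.ip_address(rec["src"]).is_private:
            issues.append("private source left %s untranslated" % external_if)
        if rec["sport"] is None and rec["rest"].startswith("ip-proto-"):
            issues.append("no transport ports visible (%s): "
                          "likely a non-initial IP fragment" % rec["rest"])
        if issues:
            findings.append({"line": n, "rule": rec["rule"],
                             "src": rec["src"], "dst": rec["dst"],
                             "sport": rec["sport"], "dport": rec["dport"],
                             "issues": issues})
    return findings


if __name__ == "__main__":
    # Pipe real output in with:  tcpdump -n -e -ttt -i pflog0 | python3 this.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFLOG
    for f in audit(text):
        print("line %d rule %d %s -> %s: %s"
              % (f["line"], f["rule"], f["src"], f["dst"], "; ".join(f["issues"])))
```

On the two quoted lines the script reports both as leaving em0 with the 192.168.251.100 source and additionally marks the second as having no visible ports. The rule number it extracts (22 here) is the one to look up with `pfctl -vvsr` to see which block rule fired; the script itself only reads the log and does not touch pf.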