Date:      Tue, 25 Jul 2017 09:36:50 +0200
From:      "Muenz, Michael" <m.muenz@spam-fetish.org>
To:        freebsd-net@freebsd.org
Subject:   Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID:  <f4c5a11c-a329-d746-ece8-e3752a6c82ea@spam-fetish.org>
In-Reply-To: <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru>
References:  <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org> <a082662c-145e-0132-18ef-083adaa59c33@yandex.ru> <1c0de616-91ff-a6f9-d946-f098bc1a709f@spam-fetish.org> <911903d1-f353-d5d6-d400-d86150f88136@yandex.ru> <2d607e1a-a2c0-0f85-1530-c478962a76cd@spam-fetish.org> <3344e189-cdf0-a2c9-3a2a-645460866f2d@yandex.ru> <1279753e-9ad1-2c02-304e-5001e2bbc82f@spam-fetish.org> <15e6eb38-ef0c-7bfd-5f2c-d2acc8ea1af4@yandex.ru> <cdb7e172-4074-4559-1e91-90c8e9276134@spam-fetish.org> <63e80fcf-915e-2dd5-d8c9-1904c8261c6f@yandex.ru> <1c91cd8f-105d-e886-3126-67505c6c3900@spam-fetish.org> <c738380c-e0cc-2d32-934e-a05502887b93@yandex.ru> <1e889acf-49d1-b70f-7097-82e6e4dfabb6@spam-fetish.org> <454ed1b7-a80f-b096-cfa1-3c32d1e60f7d@yandex.ru>

On 24.07.2017 at 19:01, Andrey V. Elsukov wrote:
>
> .1.1: ICMP echo reply, id 33347, seq 28416, length 8
> This does not match with what I expected to see. The reply here should
> be something like "10.24.66.25 > 10.26.2.N: ICMP echo reply".
>
> It seems the problem is with ipfw_nat, that for both directions thinks
> that packets are inbound and this leads to incorrect translation.
>
> Can you modify your IPsec security policies, so outgoing packets from
> 10.26.2.0/24 will go through the same tunnel? Then you need to modify
> nat rule:
>
> ipfw nat 1 config ip 10.26.1.1
> ipfw add 179 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
> ipfw add 179 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>

Hi,

when I change it to

out xmit enc0

nothing happens because the packets have to match the IPSEC SA before 
entering the tunnel (and enc0 I guess).
So it has to be

in recv vtnet1

to be more precise, but then it's the same result:

09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (tos 0x0, ttl 63, id 54367, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 4f36 (->5036)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 58, id 51185, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8

Thanks,
Michael
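As an added example (not part of the original message and not FreeBSD or ipfw code), here is a small Python checker for exactly the kind of enc0 trace posted above. It re-joins tcpdump's wrapped output, extracts the ICMP echo request/reply pairs (taking the innermost header of an IPIP-encapsulated packet) and flags the symptom in the trace: a reply whose source and destination are both the NAT address and whose ICMP id matches no request seen on the interface, versus the "10.24.66.25 > 10.26.2.N" reply Andrey says should appear. The NAT address and inside network are assumed from the thread (`ipfw nat 1 config ip 10.26.1.1`, hosts in 10.26.2.0/24); the sample trace is the one quoted above, and the "expected" variant with inside host 10.26.2.17 is constructed for contrast.

```python
"""Check an enc0 tcpdump trace for NAT-before-IPsec translation going the wrong way."""
import ipaddress
import re

# Assumed from the thread: `ipfw nat 1 config ip 10.26.1.1`, hiding 10.26.2.0/24.
NAT_IP = ipaddress.ip_address("10.26.1.1")
INSIDE_NET = ipaddress.ip_network("10.26.2.0/24")

# Constructed sample: the three enc0 packets from the message above, left in
# tcpdump -v's wrapped form (continuation lines start with whitespace).
SAMPLE_TRACE = """\
09:29:11.092932 (authentic,confidential): SPI 0x2478d746: IP (tos 0x0, ttl 63, id 54367, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 4f36 (->5036)!)
    10.26.1.1 > 10.24.66.25: ICMP echo request, id 48914, seq 34304, length 8
09:29:11.101524 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 58, id 51185, offset 0, flags [none], proto IPIP (4), length 48)
    81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.24.66.25 > 10.26.1.1: ICMP echo reply, id 48914, seq 34304, length 8
09:29:11.101535 (authentic,confidential): SPI 0xce702ac1: IP (tos 0x0, ttl 63, id 5299, offset 0, flags [none], proto ICMP (1), length 28)
    10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409, seq 34304, length 8
"""

# Constructed: the last packet as it should look after a correct reverse
# translation ("10.24.66.25 > 10.26.2.N"); 10.26.2.17 is an arbitrary inside host.
EXPECTED_TRACE = SAMPLE_TRACE.replace(
    "10.26.1.1 > 10.26.1.1: ICMP echo reply, id 33409",
    "10.24.66.25 > 10.26.2.17: ICMP echo reply, id 48914",
)

_TS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)")
_SPI_RE = re.compile(r"SPI (0x[0-9a-fA-F]+)")
_ICMP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo (request|reply), id (\d+), seq (\d+)"
)


def join_continuations(text):
    """Re-join tcpdump -v output: an indented line continues the previous packet."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and packets:
            packets[-1] += " " + line.strip()
        else:
            packets.append(line.rstrip())
    return packets


def parse_trace(text):
    """One dict per ICMP echo packet; for IPIP-encapsulated packets the innermost header counts."""
    records = []
    for pkt in join_continuations(text):
        hits = _ICMP_RE.findall(pkt)
        if not hits:
            continue
        src, dst, kind, icmp_id, seq = hits[-1]
        spi = _SPI_RE.search(pkt)
        records.append({
            "ts": _TS_RE.match(pkt).group(1),
            "spi": spi.group(1) if spi else None,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "kind": kind,
            "id": int(icmp_id),
            "seq": int(seq),
        })
    return records


def check_trace(text):
    """Return (timestamp, reason) pairs for packets that show a mistranslation."""
    records = parse_trace(text)
    requests = {(p["id"], p["seq"]) for p in records if p["kind"] == "request"}
    findings = []
    for p in records:
        if p["kind"] == "request":
            # Outbound requests must already carry the NAT address, not an inside one.
            if p["src"] in INSIDE_NET:
                findings.append((p["ts"], "request left with an untranslated inside source"))
            continue
        if p["src"] == p["dst"]:
            findings.append((p["ts"], "reply has src == dst: translation went the wrong way"))
        if p["src"] == NAT_IP:
            findings.append((p["ts"], "reply source rewritten to the NAT address"))
        # A reply may still carry the NAT address (not yet de-NATed) or an inside host (de-NATed).
        if p["dst"] != NAT_IP and p["dst"] not in INSIDE_NET:
            findings.append((p["ts"], "reply destination is neither the NAT address nor an inside host"))
        if (p["id"], p["seq"]) not in requests:
            findings.append((p["ts"], "reply id/seq matches no request seen on this interface"))
    return findings


if __name__ == "__main__":
    for ts, reason in check_trace(SAMPLE_TRACE):
        print(ts, reason)
```

Run against the posted trace it reports only the third packet (the `10.26.1.1 > 10.26.1.1` reply) on three counts; the constructed corrected trace yields no findings, which is the shape a working rule set should produce on enc0.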



