Date:      Wed, 19 Jul 2017 12:50:13 +0430
From:      "Babak Farrokhi" <farrokhi@FreeBSD.org>
To:        "Muenz, Michael" <m.muenz@spam-fetish.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: NAT before IPSEC - reply packets stuck at enc0
Message-ID:  <3FF6D693-8D3A-44C8-8085-03E1734739D2@FreeBSD.org>
In-Reply-To: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
References:  <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>

Hi,

Could this be incidentally related to this PR? [1]

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220217

On 19 Jul 2017, at 12:23, Muenz, Michael wrote:

> Hi,
>
> seems this is a rather old topic but I want to check if there's perhaps some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD11 and there's a problem with NAT before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works)
> Peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
>
> So all packets from 10.26.2. to 10.24.66 will be NATted to IP 10.26.1.1 (LAN IP Firewall-A).
>
> This works just fine and I see the replies in enc0:
> 09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
> 09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8
>
> Sadly nothing else happens. My thought was it's just some kind of state-tracking so I played around with all kinds of sysctl values, but nothing helps.
>
> Is there really no way to achieve a setup like this?
>
> Thanks,
> Michael
>
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

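Added illustration for the setup quoted above (not code from the thread, from FreeBSD or from OPNsense): a small Python model of ipfw's `nat` action with a libalias-style state table. It reproduces one property of ipfw that matters here and that the posted ruleset runs into: a packet is handed to a nat instance only when it matches the rule that names that instance, so a rule whose body matches only `from 10.26.2.0/24 to 10.24.66.0/24` never sees the decrypted reply (`10.24.66.108 > 10.26.1.1`) that tcpdump shows on enc0, and nothing can un-NAT it. The addresses are the ones from the post; the inside host 10.26.2.5, the interface name wan0, the second rule matching `in via enc0`, and the ident allocation are constructed. The `log` and `reverse` options of the posted config are not modelled.

```python
"""Toy model of 'ipfw nat': rule matching plus a libalias-style state table.

Added example, not FreeBSD/OPNsense code. Inside host 10.26.2.5, interface
name wan0 and the ICMP id space are constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int       # ICMP echo id (libalias tracks ICMP by id, like a port)
    direction: str   # "out" (leaving the firewall) or "in" (arriving on iface)
    iface: str       # interface the packet is seen on (enc0 for decrypted IPsec)


@dataclass(frozen=True)
class NatRule:
    """'ipfw add N nat 1 ip from SRC to DST [in|out] [via IFACE]'."""
    src_net: str
    dst_net: str
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches any interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.direction in (None, p.direction)
                and self.iface in (None, p.iface))


class NatInstance:
    """'ipfw nat 1 config ip ALIAS': stateful source NAT to one alias address."""

    def __init__(self, alias: str) -> None:
        self.alias = alias
        # (remote host, aliased ident) -> (original src, original ident)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_ident = 40000   # constructed: first id handed out on collision

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out":
            key = (p.dst, p.ident)
            # keep the original id unless another inside host already uses
            # it towards the same remote host; then allocate a fresh one
            if key in self.table and self.table[key] != (p.src, p.ident):
                key = (p.dst, self.next_ident)
                self.next_ident += 1
            self.table[key] = (p.src, p.ident)
            return replace(p, src=self.alias, ident=key[1])
        if p.dst == self.alias:
            orig = self.table.get((p.src, p.ident))
            if orig is not None:   # reverse translation from recorded state
                return replace(p, dst=orig[0], ident=orig[1])
        return p   # no state: the packet stays addressed to the firewall itself


def run_ruleset(rules: List[NatRule], nat: NatInstance,
                packets: List[Packet]) -> List[Packet]:
    """Hand each packet to the nat instance only if some rule matches it
    (first match wins, as with net.inet.ip.fw.one_pass=1)."""
    result = []
    for p in packets:
        for r in rules:
            if r.matches(p):
                p = nat.translate(p)
                break
        result.append(p)
    return result


def demo(rules: List[NatRule]) -> Tuple[Packet, Packet]:
    """Echo request from the second subnet, then the reply seen on enc0."""
    nat = NatInstance("10.26.1.1")
    request = Packet("10.26.2.5", "10.24.66.108", 57714, "out", "wan0")
    [request_after] = run_ruleset(rules, nat, [request])
    # Site-B answers whatever source it saw; after decryption it appears on enc0
    reply = Packet("10.24.66.108", request_after.src, request_after.ident,
                   "in", "enc0")
    [reply_after] = run_ruleset(rules, nat, [reply])
    return request_after, reply_after


# The rule body from the post: matches only the outbound direction.
ONE_WAY = [NatRule("10.26.2.0/24", "10.24.66.0/24")]
# Constructed second rule so the decrypted reply also reaches the nat instance.
TWO_WAY = ONE_WAY + [NatRule("10.24.66.0/24", "10.26.1.1/32",
                             direction="in", iface="enc0")]
```

With `ONE_WAY`, `demo` returns a reply still addressed to 10.26.1.1, the firewall's own LAN address, which is the "nothing else happens" in the post; with `TWO_WAY`, the reply is rewritten back to 10.26.2.5 with its original echo id. The model also shows why the state table is keyed on the remote host plus the aliased id: two inside hosts pinging the same peer with the same id must be told apart on the way back.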



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FF6D693-8D3A-44C8-8085-03E1734739D2>