From owner-freebsd-net@freebsd.org Wed Jul 19 08:20:25 2017
From: "Babak Farrokhi"
To: "Muenz, Michael"
Cc: freebsd-net@freebsd.org
Subject: Re: NAT before IPSEC - reply packets stuck at enc0
Date: Wed, 19 Jul 2017 12:50:13 +0430
Message-ID: <3FF6D693-8D3A-44C8-8085-03E1734739D2@FreeBSD.org>
In-Reply-To: <459d59f7-2895-8aed-d547-be46a0fbb918@spam-fetish.org>
List-Id: Networking and TCP/IP with FreeBSD
Hi,

Could this be incidentally related to this PR? [1]

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220217

On 19 Jul 2017, at 12:23, Muenz, Michael wrote:

> Hi,
>
> Seems this is a rather old topic but I want to check if there's perhaps some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD11 and there's a problem with NAT before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works)
> Peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
>
> So all packets from 10.26.2. to 10.24.66 will be natted to IP 10.26.1.1 (LAN IP Firewall-A).
>
> This works just fine and I see the replies in enc0:
> 09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
> 09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8
>
> Sadly nothing else happens. My thought was it's just some kind of state-tracking so I played around with all kinds of sysctl values, but nothing helps.
>
> Is there really no way to achieve a setup like this?
>
> Thanks,
> Michael
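As an added illustration (not code from this thread, from ipfw or from OPNsense), a simplified Python model of one mechanism that produces the symptom quoted above: a nat rule whose match clause only covers 10.26.2.0/24 -> 10.24.66.0/24 never hands the 10.24.66.108 -> 10.26.1.1 reply to nat instance 1, so the binding recorded for the request is never applied in reverse. The companion reply rule and host 10.26.2.10 are assumptions, and libalias direction handling (in/out, `reverse`) is deliberately not modelled, so this does not claim to reproduce ipfw's real behaviour.

```python
import ipaddress

# Constructed model (not FreeBSD/ipfw code): an ipfw "nat" rule only hands a packet
# to its NAT instance when the rule's match clause fits; the instance keeps a
# binding table it needs to rewrite the reply. libalias in/out/"reverse" not modelled.

class NatInstance:
    def __init__(self, alias_ip):
        self.alias_ip = ipaddress.ip_address(alias_ip)
        self.bindings = {}  # (proto, id) -> original source address

    def translate(self, pkt):
        key = (pkt["proto"], pkt["id"])
        if ipaddress.ip_address(pkt["dst"]) == self.alias_ip and key in self.bindings:
            # Reply: undo the translation using the stored binding.
            return dict(pkt, dst=str(self.bindings[key]))
        # Request: remember the real source, then rewrite it to the alias.
        self.bindings[key] = ipaddress.ip_address(pkt["src"])
        return dict(pkt, src=str(self.alias_ip))

class NatRule:
    # 'ipfw add N nat X all from SRC to DST': a match clause plus a NAT instance.
    def __init__(self, src_net, dst_net, nat):
        self.src, self.dst, self.nat = (ipaddress.ip_network(src_net),
                                        ipaddress.ip_network(dst_net), nat)

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst)

def run_ruleset(rules, pkt):
    # First matching nat rule translates the packet; no match leaves it untouched.
    for rule in rules:
        if rule.matches(pkt):
            return rule.nat.translate(pkt)
    return pkt

def ping_round_trip(add_reply_rule):
    """Returns (source the peer sees, destination of the reply after the ruleset)."""
    nat1 = NatInstance("10.26.1.1")                            # LAN IP of Firewall-A
    rules = [NatRule("10.26.2.0/24", "10.24.66.0/24", nat1)]   # rule 179 from the post
    if add_reply_rule:
        # Hypothetical companion rule so replies also reach nat instance 1.
        rules.append(NatRule("10.24.66.0/24", "10.26.1.1/32", nat1))
    # Constructed host 10.26.2.10 pings 10.24.66.108 (ICMP id taken from the post).
    req = {"proto": "icmp", "id": 57714, "src": "10.26.2.10", "dst": "10.24.66.108"}
    out = run_ruleset(rules, req)
    reply = {"proto": "icmp", "id": 57714, "src": "10.24.66.108", "dst": out["src"]}
    back = run_ruleset(rules, reply)   # what enc0 delivers to the ruleset
    return out["src"], back["dst"]
```

With only rule 179 the reply stays addressed to 10.26.1.1 and never reaches 10.26.2.10; with the companion rule the binding is applied in reverse.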