From owner-freebsd-ipfw@FreeBSD.ORG  Thu Aug  4 05:43:34 2011
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8396B106567A
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Aug 2011 05:43:34 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
	by mx1.freebsd.org (Postfix) with ESMTP id 021B68FC18
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Aug 2011 05:43:33 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id p745MdLm073215;
	Thu, 4 Aug 2011 15:22:39 +1000 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Thu, 4 Aug 2011 15:22:38 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Zeus V Panchenko <zeus@ibs.dn.ua>
In-Reply-To: <20110803200113.GC6930@relay.ibs.dn.ua>
Message-ID: <20110804145842.E42715@sola.nimnet.asn.au>
References: <20110803200113.GC6930@relay.ibs.dn.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-ipfw@freebsd.org
Subject: Re: weird results while ipsec + ipfv_nat (nat before vpn)
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2011 05:43:34 -0000

On Wed, 3 Aug 2011, Zeus V Panchenko wrote:

[..]

I can't comment on your ipsec setup at all, but:

 > > cat /etc/ipfw.conf
 > ...
 > 
 > add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
 > add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
 > add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
 > add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
 > 
 > add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
 > nat 100 config log if bge1 ip b.b.b.1 reverse

Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe 
that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.

 > so, ipsec and ipfw_nat out works, but where are reply packets 
 > disappearing to after coming to gif0 interface? why no backward 
 > divert occures?

Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and 
maybe 'ipfw show' to check that all your other rules match ipfw.conf

cheers, Ian