Date:      Fri, 02 Dec 2016 15:04:38 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 215006] [ipsec] Unable to use pf RDR on enc0 in transport mode
Message-ID:  <bug-215006-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215006

            Bug ID: 215006
           Summary: [ipsec] Unable to use pf RDR on enc0 in transport mode
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jeromecharles.lallemand@gmail.com
                CC: bapt@FreeBSD.org

I'm trying to NAT packets incoming from enc0 to another machine.

The RDR statement in pf works for the incoming packet, but the reply from the
other machine is forwarded back to the issuer without encryption.

It might be because of the state matching on the reply, which sends back the
reply bypassing the SPD rules.

This is working flawlessly with encryption.

I'm in a gateway setup; is there any chance to get the RDR working with IPsec
in transport mode?


Computer1 em0 | ----->IPSEC-----> | em0 Computer2 em1 | -----> | em0 Computer3 |
10.11.1.3                           172.31.0.1    10.56.1.10     10.56.1.224


Here is my setup :

ifconfig
em0 : 172.31.0.1/24
em1 : 10.56.1.10/24

pf.conf :
rdr on enc0 inet from 10.11.0.0/16 to 172.31.0.1 tag "balance-1" -> 10.56.1.224
pass all

setkey.conf :
add -4 10.11.1.3 172.31.0.1 esp 0x100 -m transport -E rijndael-cbc "This is secret AES 256 bits key!" -A hmac-sha2-256 "This is secret HMAC 256 bits key";
add -4 172.31.0.1 10.11.1.3 esp 0x101 -m transport -E rijndael-cbc "This is secret AES 256 bits key!" -A hmac-sha2-256 "This is secret HMAC 256 bits key";

spdadd 10.11.1.3 172.31.0.1 any -P in ipsec esp/transport//require;
spdadd 172.31.0.1 10.11.1.3 any -P out ipsec esp/transport//require;


Results:
ping -W1 -c1 -S 10.11.1.3 172.31.0.1
PING 172.31.0.1 (172.31.0.1) from 10.11.1.3: 56 data bytes

tcpdump -ni em0
11:43:31.276852 IP 10.11.1.3 > 172.31.0.1: ESP(spi=0x00000100,seq=0x16), length 120
11:43:31.277594 IP 172.31.0.1 > 10.11.1.3: ICMP echo reply, id 49496, seq 0, length 64

Thank you for your help.

-- 
You are receiving this mail because:
You are the assignee for the bug.
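The symptom in the report is a policy bypass: the SPD says traffic between 172.31.0.1 and 10.11.1.3 must be ESP ("require"), yet the echo reply leaves em0 in the clear. The following script is an added example, not part of the bug report, of pf or of FreeBSD: it parses `spdadd` lines in the setkey format shown above and `tcpdump -n` lines in the format shown above, and reports every packet that falls inside a `require` selector but is not ESP. The sample SPD and capture text are constructed from the report (the capture has two extra lines added for contrast: a correctly encrypted reply and an unrelated flow); the function names are the script's own.

```python
"""Flag cleartext packets that an IPsec 'require' SPD entry says must be ESP.

Added example for FreeBSD bug 215006; not the reporter's code and not part
of FreeBSD. Input formats are the setkey 'spdadd' lines and 'tcpdump -n'
lines quoted in the bug report. Function and variable names are our own.
"""
import ipaddress
import re

# Constructed sample: the two SPD entries from the report.
SPD_TEXT = """
spdadd 10.11.1.3 172.31.0.1 any -P in ipsec esp/transport//require;
spdadd 172.31.0.1 10.11.1.3 any -P out ipsec esp/transport//require;
"""

# Constructed sample: the 'tcpdump -ni em0' lines from the report, plus one
# properly encrypted reply and one unrelated flow added for contrast.
CAPTURE_TEXT = """
11:43:31.276852 IP 10.11.1.3 > 172.31.0.1: ESP(spi=0x00000100,seq=0x16), length 120
11:43:31.277594 IP 172.31.0.1 > 10.11.1.3: ICMP echo reply, id 49496, seq 0, length 64
11:43:32.100000 IP 172.31.0.1 > 10.11.1.3: ESP(spi=0x00000101,seq=0x01), length 120
11:43:33.000000 IP 172.31.0.1 > 10.56.1.224: ICMP echo request, id 1, seq 0, length 64
"""

# spdadd <src> <dst> <upper> -P <in|out> ipsec <proto>/<mode>/<endpoints>/<level>;
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+);")
# <ts> IP <src> > <dst>: <rest>
PKT_RE = re.compile(r"^(\S+)\s+IP\s+(\S+?)\s+>\s+(\S+?):\s+(.*)$")


def strip_port(token):
    """tcpdump -n prints IPv4 TCP/UDP endpoints as a.b.c.d.port; drop the port."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def parse_spd(text):
    """Return [(src_net, dst_net, direction, level)] for each spdadd line."""
    policies = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if not m:
            continue
        src, dst, direction, proto = m.groups()
        level = proto.split("/")[-1]          # esp/transport//require -> require
        policies.append((ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False),
                         direction, level))
    return policies


def parse_capture(text):
    """Return one dict per tcpdump line with src, dst, esp flag and summary."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, rest = m.groups()
        packets.append({
            "ts": ts,
            "src": ipaddress.ip_address(strip_port(src)),
            "dst": ipaddress.ip_address(strip_port(dst)),
            "esp": rest.startswith("ESP("),
            "summary": rest,
        })
    return packets


def find_violations(policies, packets):
    """Return (direction, packet) for every cleartext packet inside a 'require'
    selector. 'use' policies are skipped: they permit cleartext by definition."""
    bad = []
    for pkt in packets:
        for src_net, dst_net, direction, level in policies:
            if level != "require":
                continue
            if pkt["src"] in src_net and pkt["dst"] in dst_net and not pkt["esp"]:
                bad.append((direction, pkt))
                break
    return bad


if __name__ == "__main__":
    for direction, pkt in find_violations(parse_spd(SPD_TEXT), parse_capture(CAPTURE_TEXT)):
        print(f"{pkt['ts']} {direction} {pkt['src']} > {pkt['dst']} in the clear: {pkt['summary']}")
```

Run against a live capture with `tcpdump -ni em0 > cap.txt` and `setkey -DP` output instead of the constructed strings; any line it prints is a packet the SPD said had to be ESP but which left (or arrived on) the wire unprotected, which is the exact condition the report describes for the echo reply.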


