Re: PF: nat on ipsec

From: Matthew Grooms <mgrooms_at_shrew.net>
Date: Mon, 10 Oct 2022 15:51:33 UTC
On 10/10/22 10:38, infoomatic wrote:
> On 10.10.22 17:01, Matthew Grooms wrote:
>>
>> I'm not sure if I understood all the details here, but: NAT happens on
>> egress. For traffic to be processed by IPsec, your traffic must have
>> source and destination addresses that match the appropriate IPsec
>> policy. Waiting until its being sent outbound ( where NAT occurs ) is
>> usually too late.
>>
> thanks for your response. The source and destination addresses in the
> configuration are OK. Every non-ipsec packet coming from opnsense is
> translated as in the pf.conf on the host. The problem is: as soon as it
> is an ipsec packet, the host does not translate it but instead forwards
> the packet with the original private ip through the physical interface
> with the public ip address (which of course is prohibited by a rule
> further down in pf.conf). I have tried to add various nat + rdr rules
> which explicitly use various protocols from /etc/protocols e.g. "proto
> ipencap" but this does not change the behaviour. It seems like the host
> realizes it is an ipsec packet and just refuses to nat that packet.
>
>
> Out of curiosity I ordered another hardware host where I installed
> Linux, created a VM with opnsense (with the same config, the only
> adaption was the public ip-address in the ipsec configuration) and a
> client on opnsense's LAN interface. I used iptables and it worked as
> expected ... every packet on egress is translated to the outgoing ip
> address.
>

IPsec traffic flow is complicated. Have a look at enc. It's been 
instrumental in helping me fix this class of issue in several instances. 
YMMV.

https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4

Good luck! :)

-Matthew