Re: PF: nat on ipsec
- Reply: André_S._Almeida : "Re: PF: nat on ipsec"
- In reply to: infoomatic : "Re: PF: nat on ipsec"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 10 Oct 2022 15:51:33 UTC
On 10/10/22 10:38, infoomatic wrote: > On 10.10.22 17:01, Matthew Grooms wrote: >> >> I'm not sure if I understood all the details here, but: NAT happens on >> egress. For traffic to be processed by IPsec, your traffic must have >> source and destination addresses that match the appropriate IPsec >> policy. Waiting until its being sent outbound ( where NAT occurs ) is >> usually too late. >> > thanks for your response. The source and destination addresses in the > configuration are OK. Every non-ipsec packet coming from opnsense is > translated as in the pf.conf on the host. The problem is: as soon as it > is an ipsec packet, the host does not translate it but instead forwards > the packet with the original private ip through the physical interface > with the public ip address (which of course is prohibited by a rule > further down in pf.conf). I have tried to add various nat + rdr rules > which explicitly use various protocols from /etc/protocols e.g. "proto > ipencap" but this does not change the behaviour. It seems like the host > realizes it is an ipsec packet and just refuses to nat that packet. > > > Out of curiosity I ordered another hardware host where I installed > Linux, created a VM with opnsense (with the same config, the only > adaption was the public ip-address in the ipsec configuration) and a > client on opnsense's LAN interface. I used iptables and it worked as > expected ... every packet on egress is translated to the outgoing ip > address. > IPsec traffic flow is complicated. Have a look at enc. It's been instrumental in helping me fix this class of issue in several instances. YMMV. https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4 Good luck! :) -Matthew