[FreeBSD 10.0] nat before vpn, incoming packets not translated
Eric Masson
emss at free.fr
Wed Jan 29 17:52:09 UTC 2014
Eric Masson <emss at free.fr> writes:
Hi,
No idea on this subject?
Forwarding to freebsd-ipfw.
Regards
Éric Masson
> Hi,
>
> I've set up a lab to experiment with a NAT-before-IPsec scenario.
> Architecture:
> - 3 host-only interfaces have been set up on the host
> - 4 FreeBSD 10 guests have been set up:
> - 2 clients connected to their respective gateways via dedicated host-only
> interfaces.
> - 2 gateways connected together via a dedicated host-only interface
>
> Client 1 setup:
> <----------------------------------------------------------------->
> emss at client1:~ % more /etc/rc.conf
> hostname="client1"
> keymap="fr.iso.acc.kbd"
> ifconfig_em0="inet 192.168.11.100 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> defaultrouter="192.168.11.15"
> sshd_enable="YES"
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> <----------------------------------------------------------------->
>
> Gateway 1 setup:
> <----------------------------------------------------------------->
> emss at gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> keymap="fr.iso.acc.kbd"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em1_ipv6="inet6 accept_rtadv"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> emss at gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> # Rule 100: hand packets from the client LAN towards the remote LAN to nat instance 100
> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
> # Instance 100: alias to 172.16.0.1 and log translations; "reverse" swaps the
> # in/out direction the nat engine assumes for each packet
> $cmd nat 100 config log ip 172.16.0.1 reverse
> emss at gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> # Manually keyed SAs, one per direction, for ESP and IPcomp between the gateways
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> # Policies are written for the translated address 172.16.0.1, not the client LAN
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
> esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
> esp/tunnel/10.0.0.5-10.0.0.6/require;
> emss at gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
>
> net.inet.ip.fw.default_to_accept="1"
> <----------------------------------------------------------------->
>
> Gateway 2 setup:
> <----------------------------------------------------------------->
> emss at gateway2:~ % more /etc/rc.conf
> hostname="gateway2"
> keymap="fr.iso.acc.kbd"
> ifconfig_em1="inet 10.0.0.6 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.21.15 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> emss at gateway2:~ % more /etc/ipsec.conf
> flush;
> spdflush;
> # Mirror of gateway1: same SAs, policy directions swapped
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P out ipsec
> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
> esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P in ipsec
> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
> esp/tunnel/10.0.0.5-10.0.0.6/require;
> <----------------------------------------------------------------->
>
> Client 2 setup:
> <----------------------------------------------------------------->
> emss at client2:~ % more /etc/rc.conf
> hostname="client2"
> keymap="fr.iso.acc.kbd"
> ifconfig_em0="inet 192.168.21.100 netmask 255.255.255.0"
> ifconfig_em0_ipv6="inet6 accept_rtadv"
> defaultrouter="192.168.21.15"
> sshd_enable="YES"
> # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
> dumpdev="AUTO"
> sendmail_enable="NO"
> sendmail_submit_enable="NO"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="NO"
> <----------------------------------------------------------------->
>
> Test setup by pinging client2 from client1:
>
> On client1:
> emss at client1:~ % ping 192.168.21.100
> PING 192.168.21.100 (192.168.21.100): 56 data bytes
>
> On gateway1's inside interface:
>
> root at gateway1:~ # tcpdump -i em1
> 17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
> 17:16:08.600660 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 59651, seq 213, length 64
> ...
>
> On gateway1's outside interface:
> root at gateway1:~ # tcpdump -i em0
> 17:16:48.501317 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed4), length 128
> 17:16:48.501612 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed5), length 128
> 17:16:48.502665 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e67), length 128
> 17:16:48.502938 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e68), length 128
> ...
>
> On client2:
> root at client2:~ # tcpdump -i em0
> 17:14:17.671181 IP 172.16.0.1 > 192.168.21.100: ICMP echo request, id 59651, seq 107, length 64
> 17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
> ...
>
> So the only remaining issue is that gateway1 doesn't NAT back the IPsec-
> decapsulated packets (if there is no NAT in the scenario, everything works fine).
>
> Setting net.inet.ip.fw.one_pass to 0 doesn't change anything.
>
> Any idea, please?
>
> Regards
>
> Éric Masson
--
Interesting testimony, although a bit long.
Could you write some more!
-+- LL in GNU has only one word to say: enough, more! -+-
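As an added example, not part of the original post and not FreeBSD's own ipfw code, the following Python model applies the first-match `from A to B` semantics of the posted rule 00100 to the two packet directions visible in the tcpdump output above: the request as it enters gateway1 on em1 (192.168.11.100 to 192.168.21.100) and the reply as client2 emits it (192.168.21.100 to 172.16.0.1), which is also what gateway1 holds after ESP decapsulation. The rule set labelled "candidate" is an assumption for illustration only and is not a tested fix.

```python
"""
Added example (not from the original post): a small model of how an ipfw
"from A to B" clause applies to the two packet directions seen in the
thread. Semantics modelled: a rule matches only when the source address is
inside the 'from' prefix AND the destination is inside the 'to' prefix, and
the first matching rule wins. The alias address 172.16.0.1 is the one in
the posted nat config. The candidate rule set is an assumption, not a fix
that has been tested on the lab.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    number: int        # ipfw rule number
    instance: int      # nat instance the packet is handed to
    src: IPv4Network   # 'from' prefix
    dst: IPv4Network   # 'to' prefix

    def matches(self, src: str, dst: str) -> bool:
        # ipfw "from A to B": both prefixes must match for the rule to fire
        return IPv4Address(src) in self.src and IPv4Address(dst) in self.dst


# Rule set as posted in /etc/ipfw.rules on gateway1
POSTED_RULES: List[NatRule] = [
    NatRule(100, 100, IPv4Network("192.168.11.0/24"), IPv4Network("192.168.21.0/24")),
]

# Constructed candidate (assumption, not from the post): a second clause so a
# packet addressed to the alias address from the remote LAN is also handed to
# nat instance 100, where the reverse translation could be looked up
CANDIDATE_RULES: List[NatRule] = POSTED_RULES + [
    NatRule(110, 100, IPv4Network("192.168.21.0/24"), IPv4Network("172.16.0.1/32")),
]

# Packets taken from the tcpdump output in the post (src, dst)
REQUEST: Tuple[str, str] = ("192.168.11.100", "192.168.21.100")  # seen on gateway1 em1
REPLY: Tuple[str, str] = ("192.168.21.100", "172.16.0.1")        # seen on client2 em0


def first_match(rules: List[NatRule], pkt: Tuple[str, str]) -> Optional[NatRule]:
    """Return the first rule (by number) whose from/to clause matches, else None."""
    src, dst = pkt
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            return rule
    return None


def nat_reaches(rules: List[NatRule], pkt: Tuple[str, str]) -> bool:
    """True when some nat rule would hand the packet to a nat instance at all."""
    return first_match(rules, pkt) is not None


def report(rules: List[NatRule]) -> dict:
    """Which of the two observed directions does this rule set hand to nat?"""
    return {
        "request": nat_reaches(rules, REQUEST),
        "reply": nat_reaches(rules, REPLY),
    }


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("candidate", CANDIDATE_RULES)):
        print(name, report(rules))
```

The model only answers one question: whether the decapsulated reply can ever be handed to nat instance 100 by the posted clause. Whether tunnel-mode packets re-enter ipfw after decapsulation at all is a separate matter on FreeBSD, controlled by the `net.inet.ipsec.filtertunnel` sysctl, which the post does not mention; checking it on gateway1 would be the first step before changing rules.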