Redirecting traffic with IPSec and pf doesn't work
Attila Nagy
bra at fsn.hu
Thu Jun 11 14:48:13 UTC 2009
Stephen Clark wrote:
> Attila Nagy wrote:
>> Hello,
>>
>> What I'm trying to accomplish is the following:
>> - there are two machines, connected over the internet (let's call
>> them A and B)
>> - when A tries to connect to B:port, or B to A:port (via TCP, port is
>> just a TCP port, in this case, 3306) the connection should be
>> redirected to a local listener, instead of the remote
>> - the above should only be done if I want to (I can do this with pf
>> anchors or tables)
>> - the connection between the two machines should be secured in kernel
>> space (for efficiency and performance)
>>
>> I can redirect the connections in the unsecured (no IPSec) case with
>> the following pf.conf (this is for machine A):
>> rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
>> pass out log on $ext_if route-to (lo0 127.0.0.1 ) proto tcp from any
>> to B_IP port 3306
>> (192.168.254.1 is an alias on A's lo0)
>>
>> So when I do a telnet from A to B, the connection establishes and I
>> can reach A's listener, instead of B's.
>>
>> Now with IPSec.
>>
>> ipsec.conf contains this (along with the PSK definitions):
>> spdadd A_IP B_IP any -P out ipsec
>> esp/transport/A_IP-B_IP/default
>> ah/transport/A_IP-B_IP/default;
>> and the same on B, with swapped orders.
>>
>> IPSec between the two machines works, but the redirection doesn't.
>>
>> pf.conf now has:
>> rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1
>> port 3306
>> pass out log on enc0 route-to (lo0 127.0.0.1 ) proto tcp from any to
>> B_IP port 3306
>>
>> (192.168.254.1 is lo0's alias address in this case, but I've also
>> tried with A's public IP and also with a gif tunnel)
>>
>> What I see in pflog's output seems to be OK:
>> 100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 >
>> B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale
>> 3,sackOK,timestamp 69415267 0>
>> 000038 rule 0/0(match): rdr in on lo0: A_IP.59940 >
>> 192.168.254.1.3306: S 3107058076:3107058076(0) win 65535 <mss
>> 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
>>
>> and the traffic shows up on enc0 as well, but is not that nice:
>> 11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 >
>> B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale
>> 3,sackOK,timestamp 69415267 0>
>> 11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 >
>> B_IP.3306: R 3107058077:3107058077(0) win 0
>>
>> The command, which produced the above output is:
>> MACHINE_A $ telnet B_IP 3306
>> telnet: connect to address B_IP: Interrupted system call
>> telnet: Unable to connect to remote host
>>
>> I've tried to set net.enc.out.ipsec_filter_mask to different values
>> without success, only 0x0 gave a connection refused answer, instead
>> of "Interrupted system call".
>>
>> This is on 7-STABLE.
>>
>> Is redirecting TCP flows on IPSec secured connections impossible
>> because of some layering differences? (maybe the above redirects the
>> packet with IPSec headers, so this causes the problem)
>>
>> Thanks,
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>
> I don't know on 7.x but on 6.x you have to turn on
> options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
> to get packets to go through ipfilter - I assume it is the same for pf. I
> had the same problem not being able to redirect packets coming from an ipsec
> tunnel until I turned this option on.
Yes, but I'm sending, not receiving. So I want to redirect on the sender
side...
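A small diagnostic for the enc0 capture quoted above, added here as an example and not part of the thread or of any FreeBSD tool: it parses tcpdump lines in the shape the poster printed (the "(confidential): SPI 0x...: IP ..." prefix and the A_IP / B_IP placeholders are assumed to stay as shown) and flags any flow where the initiator's SYN is followed, under the same SPI and from the same source, by a RST whose sequence number is the SYN's plus one. That is exactly the pair of packets in the capture, and seeing the RST leave on the sender's own IPsec interface tells you the local stack tore the attempt down rather than the peer refusing it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two enc0 capture lines quoted in the thread, with the
# poster's placeholder host names A_IP and B_IP kept exactly as written.
ENC0_SAMPLE = """\
11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R 3107058077:3107058077(0) win 0
"""

# Fields of one tcpdump-on-enc0 line in the format shown above (assumption:
# the capture keeps the "(...): SPI 0x...: IP src.port > dst.port: FLAGS seq:end(len)" shape).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \([^)]*\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFA.]+) (?P<seq>\d+):\d+\(\d+\)"
)


@dataclass
class EncPacket:
    ts: float      # seconds since midnight, from the capture timestamp
    spi: int       # IPsec SPI the packet was seen under
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # tcpdump TCP flag letters: "S" pure SYN, "S." SYN-ACK, "R" RST, ...
    seq: int       # first sequence number printed for the segment


def _parse_ts(text: str) -> float:
    hours, minutes, seconds = text.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_enc0(text: str) -> List[EncPacket]:
    """Parse every line matching LINE_RE; lines in any other format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append(EncPacket(
            ts=_parse_ts(m["ts"]), spi=int(m["spi"], 16),
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            flags=m["flags"], seq=int(m["seq"]),
        ))
    return packets


FlowKey = Tuple[int, str, int, str, int]


def flow_key(p: EncPacket) -> FlowKey:
    return (p.spi, p.src, p.sport, p.dst, p.dport)


def find_self_reset_after_syn(packets: List[EncPacket], window_ms: float = 50.0) -> List[dict]:
    """Report flows where the initiator's pure SYN is followed, from the same
    source under the same SPI, by a RST carrying SYN seq + 1 within window_ms."""
    last_syn: Dict[FlowKey, EncPacket] = {}
    findings = []
    for p in packets:
        key = flow_key(p)
        if p.flags == "S":            # pure SYN; a SYN-ACK prints as "S."
            last_syn[key] = p
            continue
        syn = last_syn.get(key)
        if syn is None or "R" not in p.flags:
            continue
        delta_ms = (p.ts - syn.ts) * 1000.0
        if 0 <= delta_ms <= window_ms and p.seq == syn.seq + 1:
            findings.append({
                "spi": f"0x{p.spi:08x}",
                "flow": f"{p.src}:{p.sport} -> {p.dst}:{p.dport}",
                "delta_ms": round(delta_ms, 3),
                "syn_seq": syn.seq,
            })
            del last_syn[key]          # report each SYN at most once
    return findings


if __name__ == "__main__":
    for f in find_self_reset_after_syn(parse_enc0(ENC0_SAMPLE)):
        print(f"SPI {f['spi']} {f['flow']}: SYN reset by the sender after {f['delta_ms']} ms")
```

Run it against a `tcpdump -i enc0` capture saved to a file (read the file into `parse_enc0`) to separate the two failure shapes quickly: a RST coming back from the peer (source and destination swapped relative to the SYN) is the remote refusing, while a RST from the sender's own address, as in the quoted output, points at something in the local path between the redirected SYN and the IPsec output.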