Filtering on IPSEC
Alex Dupre
ale at FreeBSD.org
Thu Jan 12 09:13:48 UTC 2012
Bjoern A. Zeeb wrote:
> If you are using tunnel mode and gif you'll have trouble; just use tunnel mode without gif and you'll be happy.
Done, it works and I see all packets on enc0 now, thanks.
> It's because (our) pf cannot NAT on incoming but only on outgoing interfaces. And you need to NAT on packet entry into the system...
I found a setup that seems to work in my scenario with pf, but I'm not
sure it's 100% correct. Basically I added nat on enc0 and then added a
new policy including my internal lan.
Scenario:
- virtual ip (where nat takes place): 172.22.0.5
- internal lan: 192.168.2.0/24
- other lan: 172.28.0.0/16
In pf.conf I added:
nat on enc0 from 192.168.2.0/24 to any -> 172.22.0.5
In setkey.conf I added:
spdadd 192.168.2.0/24 172.28.0.0/16 any -P out ipsec
esp/tunnel/MYEXTIP-OTHEREXTIP/require;
in addition to the "standard":
spdadd 172.28.0.0/16 172.22.0.5/32 any -P in ipsec
esp/tunnel/OTHEREXTIP-MYEXTIP/require;
spdadd 172.22.0.5/32 172.28.0.0/16 any -P out ipsec
esp/tunnel/MYEXTIP-OTHEREXTIP/require;
Am I looking for trouble, or is it correct?
--
Alex Dupre
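As an added illustration (not part of the original mail or of FreeBSD), a small Python model of the packet path described above, with the pf NAT rule and the three setkey policies constructed inline. It shows why the extra 192.168.2.0/24 policy matters: a packet that matches no SPD entry is not "required" to use ESP and leaves unprotected, whereas with the policy it enters IPsec, is NATed on enc0 before encapsulation, and reaches the peer with the 172.22.0.5 inner source its mirrored policy expects. The peer's policy being the mirror of the "standard" one is an assumption.

```python
import ipaddress

# Constructed from the post's scenario: pf NAT on enc0 plus the three setkey
# SPD entries as (src selector, dst selector, direction). The common
# "esp/tunnel/MYEXTIP-OTHEREXTIP/require" part is the same for all and omitted.
NAT_ON_ENC0 = ("192.168.2.0/24", "172.22.0.5")
SPD = [
    ("192.168.2.0/24", "172.28.0.0/16", "out"),  # the added internal-LAN policy
    ("172.28.0.0/16", "172.22.0.5/32", "in"),    # "standard" inbound policy
    ("172.22.0.5/32", "172.28.0.0/16", "out"),   # "standard" outbound policy
]
STANDARD_OUT = SPD[2]  # assumed to be the mirror of the peer's inbound policy


def spd_lookup(spd, src, dst, direction):
    """First SPD entry whose selectors cover src/dst in this direction, or None.
    With 'require' a matching packet must be ESP-protected; a packet that
    matches no entry is simply forwarded without IPsec (bypass)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for psrc, pdst, pdir in spd:
        if pdir == direction and s in ipaddress.ip_network(psrc) \
                and d in ipaddress.ip_network(pdst):
            return (psrc, pdst, pdir)
    return None


def trace_outbound(spd, src, dst):
    """LAN -> remote: SPD decision first, then pf NAT as the packet leaves on
    enc0 (before ESP encapsulation), then whether the inner source is one the
    peer's mirrored 172.22.0.5/32 policy will accept."""
    if spd_lookup(spd, src, dst, "out") is None:
        return {"protected": False, "inner_src": src}  # sent in the clear
    nat_net, nat_ip = NAT_ON_ENC0
    inner = nat_ip if ipaddress.ip_address(src) in ipaddress.ip_network(nat_net) else src
    peer_ok = spd_lookup([STANDARD_OUT], inner, dst, "out") is not None
    return {"protected": True, "inner_src": inner, "peer_accepts": peer_ok}


def trace_return(spd, src, dst):
    """remote -> LAN reply: must hit the inbound 'require' policy, and its
    destination must be the NAT address so the pf state created by the
    outbound packet can translate it back to the 192.168.2.0/24 host."""
    policy = spd_lookup(spd, src, dst, "in")
    return {"protected": policy is not None, "denat_possible": dst == NAT_ON_ENC0[1]}


if __name__ == "__main__":
    print(trace_outbound(SPD, "192.168.2.10", "172.28.1.1"))
    print(trace_outbound(SPD[1:], "192.168.2.10", "172.28.1.1"))  # without the added policy
    print(trace_return(SPD, "172.28.1.1", "172.22.0.5"))
```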