IPSEC transport mode and PF NAT to VIMAGE Jail

Philipp Schmid philipp.schmid at openresearch.com
Sun Feb 16 14:48:04 UTC 2014


Hi,

I’m having trouble connecting to a NATted VNET jail from a client that uses IPsec in transport mode between the client and the server the jail is hosted on.

The basic setup looks like:

Laptop (10.0.1.111)    <——— IPSec transport mode ———> FreeBSD 10 Server (10.0.1.178)

On the server I have a bridge called bridge0 that has the IP address 192.168.1.1
A FreeBSD 10 jail is running on the server with the IP 192.168.1.2

The server at 10.0.1.178 has NAT configured for 192.168.1.0/24 and redirects port 548 to 192.168.1.2.

What I’d like to achieve is that the laptop is able to connect to port 548 on the server, which is redirected to port 548 in the jail:

	Laptop (10.0.1.111) ——> 10.0.1.178 port 548 ——> NAT ——> 192.168.1.2 port 548  (doesn’t work)

	(10.0.1.111)$ telnet 10.0.1.178 548
	Trying 10.0.1.178...
	telnet: connect to address 10.0.1.178: Connection refused
	telnet: Unable to connect to remote host

I have this working for clients which do not use IPsec, eg:

	Other Laptop (10.0.1.248) ——> 10.0.1.178 port 548 ——> NAT ——> 192.168.1.2 port 548  (DOES work)

	(10.0.1.248)$ telnet 10.0.1.178 548
	Trying 10.0.1.178...
	Connected to 10.0.1.178.
	Escape character is '^]'.

The IPSec tunnel between 10.0.1.111 and 10.0.1.178 is also working correctly and I can connect to any port on the 10.0.1.178 server from the 10.0.1.111 client.

This is the spd policy on the server:

	spdadd 10.0.1.178 10.0.1.111 any -P out ipsec esp/transport//require ah/transport//require;
	spdadd 10.0.1.111 10.0.1.178 any -P in ipsec esp/transport//require ah/transport//require; 

And on the client:

	spdadd 10.0.1.111 10.0.1.178 any -P out ipsec esp/transport//require ah/transport//require;
	spdadd 10.0.1.178 10.0.1.111 any -P in ipsec esp/transport//require ah/transport//require;



Any idea how to get that working?
For me it looks as if the packets arriving via IPsec are somehow bypassing the firewall and are not processed by pf.
I can also connect to any port on 10.0.1.178 from the 10.0.1.111 client, not just the ones I allowed in /etc/pf.conf.


Thank you, Philipp

-------------------------------------

My /etc/pf.conf on the server:

# interfaces and ips
ext_if="bge0"
ext_ip="10.0.1.178"

jail_if = "bridge0"
jailnet = $jail_if:network
jail_netatalk_ip = "192.168.1.2"

icmp_types = "{ echorep, echoreq, timex, unreach }"

# groups
admins  = "{ 10.0.1.111 }"
friends = "{ 10.0.1.111, 10.0.1.176, 10.0.1.248 }"

scrub in all


# don't filter on the loopback devices
set skip on lo0

# nat jails
set skip on $jail_if
nat on $ext_if from $jail_netatalk_ip to !$jailnet -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port afpovertcp -> $jail_netatalk_ip port afpovertcp


# base rules
block in all
pass out all keep state


# icmp
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

# mdns multicast
pass in on $ext_if proto udp from any to 224.0.0.251/32 port 5353 keep state


# rna
pass in inet proto tcp from $admins to $ext_ip port ssh
pass in inet proto tcp from $friends to $ext_ip port afpovertcp
pass in inet proto udp from $friends to $ext_ip port mdns


# netatalk jail
pass in inet proto tcp from any to $jail_netatalk_ip port afpovertcp


# IPSec
pass in proto esp from any to any
pass in proto ah from any to any
pass in proto ipencap from any to any
pass in proto udp from $admins port=500 to $ext_ip port=500
pass out proto esp from any to any
pass out proto ah from any to any
pass out proto ipencap from any to any
pass out proto udp from $ext_ip port=500 to $admins port=500
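One detail in the telnet output above is worth reading closely when troubleshooting a ruleset like this: the IPsec client gets "Connection refused", which means a TCP RST came back, so the SYN was answered by a TCP stack rather than silently dropped. pf's `block` action (as used in `block in all`) drops without a reply unless `set block-policy return` is configured, so a pf-blocked SYN would time out instead of being refused. The script below is an added example, not part of the original post or of FreeBSD's tooling; it classifies a TCP connect attempt the way a firewall troubleshooter reads it (open / refused / filtered / unreachable), so the two client paths described above can be compared with the same tool. The host and port values in `__main__` are placeholders taken from the post's setup, and the local listener used by the self-test is a constructed fixture.

```python
import errno
import socket


def classify_tcp_connect(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    'open'        handshake completed: a listener answered (pass + rdr worked)
    'refused'     RST received: the SYN reached a TCP stack with no listener
                  on that port, so it was NOT silently dropped by a pf block
    'filtered'    no reply before the timeout: consistent with pf's default
                  silent 'block drop' (or packets lost on the path)
    'unreachable' the local stack reported no route / host unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def run_checks(targets):
    """targets: iterable of (label, host, port) -> dict label -> classification."""
    return {label: classify_tcp_connect(host, port) for label, host, port in targets}


# --- constructed local fixtures so the classifier can be exercised offline ---

def start_listener():
    """Open a throwaway listener on 127.0.0.1; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port():
    """Return a loopback port that nothing currently listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Placeholder targets from the post's setup: run this from each client
    # (the IPsec laptop and the plain one) and compare the classifications.
    # 'open' from one client and 'refused' from the other means both SYNs
    # reached a TCP stack; only the rdr'd path found a listener.
    afp_port = 548
    for label, verdict in run_checks([("server afp", "10.0.1.178", afp_port)]).items():
        print(f"{label}: {verdict}")
```

Run it from both clients described in the post and compare the results: a "filtered" verdict points at a pf block (or a path drop), whereas "refused" versus "open" says the packet got through to a TCP stack in both cases and only the listener it ended up at differs.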

