Strongswan problem (used to work for client NAT to the Internet, no longer does) [[RESOLVED]]

Karl Denninger karl at denninger.net
Sun Mar 23 16:23:13 UTC 2014


On 3/23/2014 10:57 AM, Karl Denninger wrote:
>
> On 3/23/2014 12:01 AM, Karl Denninger wrote:
>>
>> On 3/22/2014 5:44 PM, Karl Denninger wrote:
>>> FreeBSD-STABLE 10 r263037M
>>>
>>>
>>> It *looks* like anything coming in through IPSEC and being decoded 
>>> in there never goes through the ipfw chain at all.....
>>>
>> This may be addressed by PR185876.... checking.
>>
> Or not....
>
> Now the packets just disappear entirely.  Still investigating....
>
Got it.

With the patches you have to be verrrry careful with the nat, and make 
sure you first explicitly *exclude* NAT processing from IPSEC-related 
packets (which DO have their tags properly carried forward now) and then 
you must also explicitly process NAT *outbound only* for IPSEC-outbound 
packets that arrive coming inward.

In other words, with pr185876 on your system, assuming 192.168.2.0/24 is 
your IPSEC pool and the Internet-accessible interface is em1, you need 
the following fragments if you want NAT to the Internet at-large to work 
for IPSEC-connected clients:

01700 divert 8668 ip4 from any to any not ipsec via em1
01705 divert 8668 ip4 from 192.168.2.0/24 to any ipsec xmit em1

To process all NAT-related traffic EXCEPT outbound IPSEC-related, and 
then to explicitly process *only* outbound IPSEC-related packets (and 
not inbound ones, which are picked up by the first rule already).

That works.

pr185876's fixes must be in your system, and because they change header 
definitions you must rebuild world, not just the kernel.

-- 
-- Karl
karl at denninger.net
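As an added example (not code from Karl's post or from FreeBSD itself), the following POSIX shell function checks a candidate ipfw rule list for the two invariants described above: every general divert rule on the outside interface must exclude IPsec traffic, and the IPsec pool must only be NATed in the xmit direction. It assumes the values from the post (divert port 8668, interface em1, pool 192.168.2.0/24); the sample rule sets are constructed for the check.

```shell
#!/bin/sh
# Added example: sanity-check ipfw NAT rules against the IPsec ordering
# described in the post. Assumed values (from the post): NAT divert port
# 8668, Internet-facing interface em1, IPsec client pool 192.168.2.0/24.
NAT_PORT="8668"
OUTSIDE_IF="em1"
IPSEC_POOL="192.168.2.0/24"

# Constructed rule set matching the post's working fragments.
GOOD_RULES="01700 divert 8668 ip4 from any to any not ipsec via em1
01705 divert 8668 ip4 from 192.168.2.0/24 to any ipsec xmit em1"

# Constructed naive rule set: diverts everything on em1, so packets that
# were just decapsulated from IPsec are also handed to natd.
BAD_RULES="01700 divert 8668 ip4 from any to any via em1"

# Constructed bidirectional mistake: pool rule uses 'via' instead of 'xmit',
# so inbound IPsec packets are NATed as well as outbound ones.
BIDIR_RULES="01700 divert 8668 ip4 from any to any not ipsec via em1
01705 divert 8668 ip4 from 192.168.2.0/24 to any ipsec via em1"

# check_nat_rules RULES -> exit 0 if both invariants hold, 1 otherwise.
check_nat_rules() {
    rules="$1"
    # Invariant 1: any divert rule that can see inbound traffic on the
    # outside interface ('via' or 'recv') must carry 'not ipsec'.
    if printf '%s\n' "$rules" \
        | grep -E "divert $NAT_PORT .* (via|recv) $OUTSIDE_IF" \
        | grep -qv "not ipsec"; then
        return 1
    fi
    # Invariant 2: traffic from the IPsec pool leaving the outside
    # interface must still be NATed, but only in the xmit direction.
    printf '%s\n' "$rules" \
        | grep -E "divert $NAT_PORT .* ipsec xmit $OUTSIDE_IF" \
        | grep -qF "from $IPSEC_POOL to" || return 1
    return 0
}

# Stand-alone usage: report the result for each constructed rule set.
for name in GOOD_RULES BAD_RULES BIDIR_RULES; do
    eval "set_rules=\$$name"
    if check_nat_rules "$set_rules"; then
        echo "$name: OK"
    else
        echo "$name: NAT/IPsec ordering problem"
    fi
done
```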

