NAT before IPSEC - reply packets stuck at enc0
Babak Farrokhi
farrokhi at FreeBSD.org
Wed Jul 19 08:20:26 UTC 2017
Hi,
Could this be incidentally related to this PR? [1]
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220217
On 19 Jul 2017, at 12:23, Muenz, Michael wrote:
> Hi,
>
> seems this is a rather old topic but I want to check if there's perhaps some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD 11 and there's a problem with NAT before IPSEC.
>
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
>
> What I want to achieve is:
>
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works)
> Peer at Site-B cannot be changed anymore, but there's a second subnet (10.26.2.0/24) on Site-A:
>
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- 10.24.66.0
>
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an IP for 10.24.1.0 before it hits VPN.
>
> My approach was:
>
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
>
> So all packets from 10.26.2. to 10.24.66 will be NATed to IP 10.26.1.1 (LAN IP Firewall-A).
>
> This works just fine and I see the replies in enc0:
> 09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
> 09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8
>
> Sadly nothing else happens. My thought was it's just some kind of state-tracking so I played around with all kinds of sysctl values, but nothing helps.
>
> Is there really no way to achieve a setup like this?
>
> Thanks,
> Michael
>
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"