NAT before IPSEC - reply packets stuck at enc0

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jul 19 08:35:21 UTC 2017


On 19.07.2017 10:53, Muenz, Michael wrote:
> Hi,
> 
> seems this is a rather old topic but I want to check if there's perhaps
> some progress or chance to get this done.
> I'm using OPNsense based on FreeBSD11 and there's a problem with NAT
> before IPSEC.
> 
> Some old discussions:
> https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
> http://undeadly.org/cgi?action=article&sid=20090127205841
> https://github.com/opnsense/core/issues/440
> 
> What I want to achieve is:
> 
> IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works)
> Peer at Site-B cannot be changed anymore, but there's a second subnet
> (10.26.2.0/24) on Site-A:
> 
> 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B
> -- 10.24.66.0
> 
> If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an
> IP for 10.24.1.0 before it hits VPN.
> 
> My approach was:
> 
> kldload ipfw_nat.ko
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

What about reverse NAT rule? You need to translate decrypted packets
back to 10.26.2.0, otherwise they will still have 10.26.1.1 IP address
as final destination and will not be forwarded to 10.26.2.0.

-- 
WBR, Andrey V. Elsukov
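The following is an added example, not code from either poster, showing what a complete ipfw ruleset for this setup looks like once the reverse direction Andrey asks about is included. It reuses the addresses from the thread. Assumptions not on the page: rule number 178 for the return rule, the `ip` protocol keyword in place of `all`, and that enc(4) is enabled (`net.enc.in.ipsec_filter_mask` set and `enc0` up) so that decrypted packets pass through ipfw with `enc0` as their receive interface. The `reverse` keyword from the original nat config is left out here on the assumption that, with explicit `in`/`out` rules, libalias' default direction handling is what is wanted.

```shell
#!/bin/sh
# Added example (not from the thread): both halves of a NAT-before-IPsec
# ipfw ruleset. Outbound traffic from the hidden subnet is source-NATed
# to an address inside the tunnel selector; decrypted replies arriving
# via enc0 are translated back using the NAT state from the outbound leg.

LAN_HIDDEN="10.26.2.0/24"   # Site-A subnet that has no IPsec policy
NAT_IP="10.26.1.1"          # address inside the tunnel's local selector
REMOTE="10.24.66.0/24"      # Site-B subnet
ENC_IF="enc0"               # assumed: enc(4) enabled, ipsec_filter_mask set

# nat_rules: print the ipfw commands (without the leading "ipfw") in load
# order. Rule 178 is the return direction missing from the original post:
# without it, replies keep 10.26.1.1 as destination and never reach 10.26.2.0.
nat_rules() {
    cat <<EOF
nat 1 config ip $NAT_IP log
add 178 nat 1 log ip from $REMOTE to $NAT_IP in recv $ENC_IF
add 179 nat 1 log ip from $LAN_HIDDEN to $REMOTE out
EOF
}

# has_reverse_rule: sanity check before loading; fails if the ruleset never
# translates decrypted traffic back (the symptom described in the thread).
has_reverse_rule() {
    nat_rules | grep -q "from $REMOTE to $NAT_IP in"
}

# apply_rules: load the rules with ipfw(8). Run only on the firewall itself.
apply_rules() {
    has_reverse_rule || { echo "refusing to load: no reverse NAT rule" >&2; return 1; }
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    nat_rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw -q $line
    done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     nat_rules ;;
esac
```

Run without arguments to print the ruleset for review; `sh nat-before-ipsec.sh apply` loads it. The `in recv enc0` match is what ties the return rule to decrypted traffic: ipfw only sees that traffic if enc(4) is enabled, so if `ipfw show` reports zero hits on rule 178 while the tunnel is passing packets, check the enc sysctls before the NAT rule itself.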
