NAT before IPSEC - reply packets stuck at enc0
Andrey V. Elsukov
bu7cher at yandex.ru
Wed Jul 19 10:15:22 UTC 2017
On 19.07.2017 12:27, Muenz, Michael wrote:
> Am 19.07.2017 um 10:32 schrieb Andrey V. Elsukov:
>>
>> What about reverse NAT rule? You need to translate decrypted packets
>> back to 10.26.2.0, otherwise they will still have 10.26.1.1 IP address
>> as final destination and will not be forwarded to 10.26.2.0.
>>
>
> Hi Andrey,
>
> I'm not really familiar with ipfw syntax, I'm more the Linux guy and
> there the state will be tracked.
> How should I build the rules to do the reverse nat? I'm googling for 2
> days now but I only found port redirects for this.
Try to add the following rule:
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
This rule will pass a decrypted packet to the NAT instance, which will
check in the state table whether the packet should be translated back or not.
You need to have the enc0 interface in the UP state, and the sysctl variable
net.enc.in.ipsec_filter_mask should be set to 1 or 2.
After translation on enc0 the packet will be returned to the IPsec
subsystem, which will queue it for further processing in the netisr.
Since the destination address becomes foreign, it will be forwarded by the IP stack.
--
WBR, Andrey V. Elsukov
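Added example (not part of the original thread or of FreeBSD itself): a small sh script that applies the three steps from Andrey's reply and gives you offline-checkable helpers to verify them. Rule number 179, NAT instance 1, the 10.24.66.0/24 remote network, the 10.26.1.1 translated address and the enc0 interface are the values from the thread; the mask value 2 chosen in apply_reverse_nat, the APPLY_REVERSE_NAT guard variable, the helper names and the sample ifconfig/ipfw output are assumptions constructed for this example.

```shell
#!/bin/sh
# Reverse NAT for decrypted IPsec packets on enc0, as described in the
# freebsd-net thread. Values from the thread: rule 179, nat instance 1,
# 10.24.66.0/24 remote net, 10.26.1.1 translated address, enc0.

RULE_NUM=179
NAT_INSTANCE=1
REMOTE_NET=10.24.66.0/24
NAT_ADDR=10.26.1.1
ENC_IF=enc0

# The thread says net.enc.in.ipsec_filter_mask must be 1 or 2; with any
# other value the decrypted packet never reaches an ipfw rule on enc0.
ipsec_filter_mask_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# enc0 has to be UP. Takes the first line of `ifconfig enc0` output,
# e.g. "enc0: flags=41<UP,RUNNING> metric 0 mtu 1536", and checks for UP.
iface_is_up() {
    case "$1" in
        *"<UP,"*|*",UP,"*|*",UP>"*|*"<UP>"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ipfw -a list` output on stdin and prints the packet counter of
# the given rule (empty if the rule is absent). A counter stuck at 0
# while the tunnel carries traffic means decrypted packets are not being
# seen on enc0, i.e. a mask or interface-state problem, not a NAT problem.
rule_hit_count() {
    awk -v want="$1" '$1 + 0 == want + 0 { print $2; exit }'
}

# The three steps from the thread. Mask value 2 is an assumption; 1 also
# works according to the thread.
apply_reverse_nat() {
    ifconfig "$ENC_IF" up
    sysctl net.enc.in.ipsec_filter_mask=2
    ipfw add "$RULE_NUM" nat "$NAT_INSTANCE" log all \
        from "$REMOTE_NET" to "$NAT_ADDR" in recv "$ENC_IF"
}

# Post-check on a live FreeBSD box: mask, interface state, rule counter.
verify_reverse_nat() {
    mask=$(sysctl -n net.enc.in.ipsec_filter_mask) || return 1
    ipsec_filter_mask_ok "$mask" || { echo "bad filter mask: $mask"; return 1; }
    iface_is_up "$(ifconfig "$ENC_IF" | head -n 1)" \
        || { echo "$ENC_IF is not UP"; return 1; }
    hits=$(ipfw -a list | rule_hit_count "$RULE_NUM")
    echo "rule $RULE_NUM packets: ${hits:-absent}"
}

# Constructed sample output (not captured from a real system), in the
# shape of `ifconfig enc0` and `ipfw -a list`, for offline checks.
SAMPLE_IFCONFIG_UP="enc0: flags=41<UP,RUNNING> metric 0 mtu 1536"
SAMPLE_IFCONFIG_DOWN="enc0: flags=0<> metric 0 mtu 1536"
SAMPLE_IPFW_LIST="00100     0       0 allow ip from any to any via lo0
00179    12    1404 nat 1 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535  9001 1200441 deny ip from any to any"

# Only touch the system when ipfw exists and the caller opted in.
if command -v ipfw >/dev/null 2>&1 && [ "${APPLY_REVERSE_NAT:-0}" = 1 ]; then
    apply_reverse_nat && verify_reverse_nat
fi
```

Run it with APPLY_REVERSE_NAT=1 on the gateway to apply and verify; without that variable it only defines the helpers, so it can be sourced on any host to check saved ifconfig/ipfw output. The NAT instance itself (ipfw nat 1 config ...) and the outbound translation rule are whatever the gateway already uses and are not shown here.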