NAT before IPSEC - reply packets stuck at enc0

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jul 19 12:25:14 UTC 2017


On 19.07.2017 15:02, Muenz, Michael wrote:
> On 19.07.2017 at 12:12, Andrey V. Elsukov wrote:
>>
>> Try to add the following rule:
>>
>> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>>
>> This rule will pass a decrypted packet to the NAT instance, which will
>> check in its state table whether the packet should be translated back or not.
>>
>> You need to have enc0 interface in UP state and sysctl variable
>> net.enc.in.ipsec_filter_mask should be set to 1 or 2.
>>
>> After translation on the enc0 a packet will be returned to the IPsec
>> subsystem, that will queue it for further processing in the netisr.
>> Since the destination address becomes foreign, it will be forwarded by the
>> IP stack.
>>
> 
> Hi,
> 
> I tried this but still no luck. Packets get seen by ipfw -ta list:
> 
> 00179  139    3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from
> 10.26.2.0/24 to 10.24.66.0/24
> 00179  143    4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from
> 10.24.66.0/24 to 10.26.1.1 in recv enc0
> 65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any
> 
> But there's nothing on the internal IF. Also played around with
> filter_mask and also one_pass.
> Also tried (as you see above) with a second nat instance where reverse
> is disabled.
> 
> Do you have any other clue?
> 
> Really appreciate your help, thanks!

Different NAT instances will not work for the same flow, because they
have different state tables. Packets in both directions should pass
through the same NAT instance.

What do you see in tcpdump on the enc0 interface?

-- 
WBR, Andrey V. Elsukov
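The single-instance setup Andrey describes, as an added example that is not part of the thread and not code posted by either participant: rule number, instance number, subnets and the sysctl name are taken from the messages, while treating 10.26.1.1 as the translated source address and the `count_nat_instances` audit helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. One ipfw NAT instance handles both
# directions, so the decrypted reply arriving on enc0 finds the state that
# the outbound packet created. Addresses and rule number come from the
# thread; treating 10.26.1.1 as the translated source address is assumed.
NAT_ID=1
NAT_IP=10.26.1.1         # assumed: address the local subnet is translated to
LOCAL_NET=10.26.2.0/24   # pre-NAT source subnet
REMOTE_NET=10.24.66.0/24 # subnet behind the IPsec peer
RULE=179

# Ruleset in ipfw(8) file syntax (no leading "ipfw"); both rules use NAT_ID.
nat_ruleset() {
    cat <<EOF
nat $NAT_ID config ip $NAT_IP
add $RULE nat $NAT_ID ip from $LOCAL_NET to $REMOTE_NET
add $RULE nat $NAT_ID ip from $REMOTE_NET to $NAT_IP in recv enc0
EOF
}

# Hypothetical audit helper: count the distinct NAT instances referenced by
# rules in an "ipfw -ta list" listing read from stdin. Only lines that begin
# with a rule number are scanned, so wrapped continuation lines (which start
# with an address) are ignored. More than one instance means the two
# directions of a flow may be looking at different state tables.
count_nat_instances() {
    awk '/^[0-9]+ / { for (i = 1; i <= NF; i++) if ($i == "nat") print $(i + 1) }' \
        | sort -u | awk 'END { print NR }'
}

# Apply on a FreeBSD host as root: enc0 must be up and decrypted packets must
# be handed to the firewall (ipsec_filter_mask 1 or 2, per the thread).
apply_config() {
    sysctl net.enc.in.ipsec_filter_mask=1
    ifconfig enc0 up
    tmp=$(mktemp) && nat_ruleset > "$tmp" && ipfw -q "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in apply) apply_config ;; esac
```

Run with `apply` as the only argument to load the rules; without it the script only defines the functions, so the listing you already have can be piped into `count_nat_instances` first.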
