NAT before IPSEC - reply packets stuck at enc0
Muenz, Michael
m.muenz at spam-fetish.org
Wed Jul 19 12:45:51 UTC 2017
On 19.07.2017 at 14:22, Andrey V. Elsukov wrote:
>
> Different NAT instances will not work for the same flow, because they
> have different state tables. Packets in both directions should pass
> through the same NAT instance.
>
> What do you see in tcpdump on the enc0 interface?
>
Ok, also tried with one nat instance, same result:
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
LAN Interface:
14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8
enc0 interface:
14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8
ipfw -ta list:
00179 4 112 Wed Jul 19 14:40:34 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 4 112 Wed Jul 19 14:40:34 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
Thanks,
Michael
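Added example (not part of the thread or of ipfw): a small Python script that correlates the two captures quoted in this message, rebuilds the NAT mapping from the request pairs (LAN request and enc0 request with the same destination and seq are one packet before and after translation), and flags each reply on enc0 that never reappears untranslated on the LAN. It handles any number of flows, not just the one ping shown; the embedded capture lines are copied from the message above.

```python
import re
from collections import namedtuple

# The two captures quoted in this message (LAN side has no ESP prefix, enc0 side does).
LAN_CAPTURE = """
14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
"""
ENC0_CAPTURE = """
14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
"""
# One tcpdump ICMP echo line; the ESP "(authentic,confidential): SPI ...:" prefix is optional.
ICMP_RE = re.compile(
    r"^(?P<ts>[\d:.]+) (?:\(authentic,confidential\): SPI 0x[0-9a-f]+: )?"
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$")

Pkt = namedtuple("Pkt", "ts src dst kind id seq")

def parse(text):
    """Parse ICMP echo lines from a tcpdump capture; other lines are ignored."""
    pkts = []
    for line in text.strip().splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            pkts.append(Pkt(m["ts"], m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return pkts

def stuck_replies(lan, enc):
    """Replies seen on enc0 that never reappear, untranslated, on the LAN side.
    The NAT table is rebuilt from request pairs: same dst and seq on both interfaces."""
    state = {}  # (nat_ip, nat_icmp_id) -> (lan_ip, lan_icmp_id)
    for l in (p for p in lan if p.kind == "request"):
        for e in (p for p in enc if p.kind == "request"):
            if e.seq == l.seq and e.dst == l.dst:
                state[(e.src, e.id)] = (l.src, l.id)
    lan_replies = {(p.dst, p.id, p.seq) for p in lan if p.kind == "reply"}
    stuck = []
    for e in (p for p in enc if p.kind == "reply"):
        orig = state.get((e.dst, e.id))
        if orig is None:
            stuck.append((e.seq, "no NAT state matches this reply"))
        elif (orig[0], orig[1], e.seq) not in lan_replies:
            stuck.append((e.seq, f"expected {e.src} > {orig[0]} id {orig[1]} on LAN, never seen"))
    return stuck
```

Running stuck_replies(parse(LAN_CAPTURE), parse(ENC0_CAPTURE)) reports both replies as matched by NAT state but never delivered to 10.26.2.11, which is exactly the symptom of the reply not passing back through the translating instance.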