NAT before IPSEC - reply packets stuck at enc0

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jul 19 13:38:35 UTC 2017


On 19.07.2017 15:46, Muenz, Michael wrote:
> On 19.07.2017 at 14:22, Andrey V. Elsukov wrote:
>>
>> Different NAT instances will not work for the same flow, because they
>> have different state tables. Packets in both directions should pass
>> through the same NAT instance.
>>
>> What you see in tcpdump on the enc0 interface?
>>
> Ok, also tried with one nat instance, same result:
> 
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
> 
> LAN Interface:
> 14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
> 14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
> 14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8
> 
> enc0 interface
> 14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
> 14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
> 14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
> 14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
> 14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
> 14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8

Check what you will see if you set net.enc.in.ipsec_bpf_mask=3.
You should see the reply two times; the second one should have the
translated address.

-- 
WBR, Andrey V. Elsukov
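A diagnostic for the symptom in this thread, added here as an example and not part of the list discussion: it parses tcpdump lines from the LAN and enc0 captures and reports echo replies that reached enc0 addressed to the NAT address but were never reverse-translated (no second, translated copy on enc0 as ipsec_bpf_mask=3 would show, and no reply to the original host on the LAN). The sample captures are constructed from the thread's output; the seq-512 reply addressed to 10.26.2.11 is an assumed line showing what a working reverse NAT would add.

```python
import re

# Constructed sample captures modelled on the thread's tcpdump output. Addresses,
# SPIs and ids are taken from the thread; the seq-512 reply copy addressed to
# 10.26.2.11 is hypothetical: what a working reverse NAT would add to the capture.
LAN_CAPTURE = """\
14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
14:40:33.450900 IP 10.24.66.25 > 10.26.2.11: ICMP echo reply, id 45314, seq 512, length 8
"""
ENC0_CAPTURE = """\
14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
14:40:33.450700 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.2.11: ICMP echo reply, id 45314, seq 512, length 8
"""

# One tcpdump ICMP echo line; the "(authentic,confidential): SPI ...:" prefix only
# appears on enc0, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:\([^)]*\): SPI (?P<spi>0x[0-9a-f]+): )?"
    r"IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(capture):
    """Parse tcpdump ICMP echo lines into dicts; non-matching lines are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            packets.append(d)
    return packets

def stuck_replies(lan_capture, enc0_capture, nat_ip):
    """Seqs of echo replies that arrived on enc0 addressed to nat_ip but were never
    reverse-translated: no translated copy on enc0 (the second copy that
    ipsec_bpf_mask=3 shows) and no reply to the original host on the LAN side."""
    lan, enc0 = parse(lan_capture), parse(enc0_capture)
    # seq -> original inside source; NAT rewrites the ICMP id but keeps the seq.
    # Keying on seq alone assumes a single pinging host, as in the thread.
    origin = {p["seq"]: p["src"] for p in lan if p["kind"] == "request"}
    translated = {p["seq"] for p in enc0 if p["kind"] == "reply" and p["dst"] != nat_ip}
    delivered = {p["seq"] for p in lan if p["kind"] == "reply" and p["dst"] == origin.get(p["seq"])}
    return sorted(p["seq"] for p in enc0 if p["kind"] == "reply" and p["dst"] == nat_ip
                  and p["seq"] not in translated and p["seq"] not in delivered)
```

Running `stuck_replies(LAN_CAPTURE, ENC0_CAPTURE, "10.26.1.1")` on the sample reports seq 256 as stuck, while seq 512, which has both a translated copy and a LAN-side reply, is not.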
