NAT before IPSEC - reply packets stuck at enc0

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jul 26 10:23:33 UTC 2017


On 26.07.2017 12:47, Muenz, Michael wrote:
> When I type setkey -PD I get:
> 
> 10.24.66.0/24[any] 10.26.1.0/24[any] any
>         in ipsec
>         esp/tunnel/81.24.74.3-213.244.192.191/unique:2
>         created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
>         lifetime: 9223372036854775807(s) validtime: 0(s)
>         spid=5 seq=1 pid=4292
>         refcnt=1
> 10.26.1.0/24[any] 10.24.66.0/24[any] any
>         out ipsec
>         esp/tunnel/213.244.192.191-81.24.74.3/unique:2
>         created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
>         lifetime: 9223372036854775807(s) validtime: 0(s)
>         spid=6 seq=0 pid=4292
>         refcnt=1
> 
> 
> So it's in use.
> 
> But when I type in your command it just "hangs". Not the system, but the
> command doesn't get completed.
> 
> root at PB-FW1-FRA:~ # setkey -v -c spdadd -4 10.26.2.0/24 10.24.66.0/24
> any -P out ipsec esp/tunnel/213.244.192.191-81.24.74.3/require ;
> <waiting cursor>

You need to do it this way:
1. setkey -v -c <press Enter>
2. type the policy specification
3. press Enter and then press ^D


# setkey -v -c
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:2 ;
^D

Also, since your policies use the "unique" level, you need to specify the
same level using the "unique:N" syntax.

Also, if it is interesting to you, I patched ipfw_nat to be able to specify
the needed direction. The patch is untested at all :)
	https://people.freebsd.org/~ae/nat_in_out.diff

You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also
ipfw(8) binary.

With this patch you can use the following commands:

ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat-out 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat-in 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

or these:
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat-in 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat-out 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

Or maybe guys from OPNsense can help with testing.

-- 
WBR, Andrey V. Elsukov
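The point about matching the "unique:N" level is easy to get wrong when a policy is added by hand, and `setkey -PD` output is verbose enough that a mismatch is hard to spot by eye. The following script is an added example, not code from the thread or from FreeBSD: it parses `setkey -PD` output, reports tunnel peers whose policies disagree on the level, and builds a `spdadd` line for a new subnet pair by copying proto, mode, endpoints and level from an existing policy in the same direction. The sample input is constructed from the two policies quoted above plus a hypothetical third policy (spid=7) added with "require" to show the mismatch; the `-4` in the generated line and the regexes for the output layout are assumptions that fit the quoted output.

```python
"""Check `setkey -PD` output for inconsistent IPsec levels and build a
matching spdadd line. Added example; regexes assume the layout quoted above."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the two quoted policies plus a hypothetical third one
# (spid=7) that was added with "require" instead of the existing "unique:2".
SAMPLE_SPD = """\
10.24.66.0/24[any] 10.26.1.0/24[any] any
        in ipsec
        esp/tunnel/81.24.74.3-213.244.192.191/unique:2
        created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=5 seq=1 pid=4292
        refcnt=1
10.26.1.0/24[any] 10.24.66.0/24[any] any
        out ipsec
        esp/tunnel/213.244.192.191-81.24.74.3/unique:2
        created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=6 seq=0 pid=4292
        refcnt=1
10.26.2.0/24[any] 10.24.66.0/24[any] any
        out ipsec
        esp/tunnel/213.244.192.191-81.24.74.3/require
        created: Jul 26 11:50:00 2017  lastused:
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=7 seq=0 pid=4300
        refcnt=1
"""


@dataclass
class Policy:
    src: str             # selector source, e.g. "10.26.1.0/24"
    dst: str             # selector destination
    direction: str = ""  # "in", "out" or "fwd"
    proto: str = ""      # "esp", "ah" or "ipcomp"
    mode: str = ""       # "tunnel" or "transport"
    local: str = ""      # first tunnel endpoint as printed by setkey
    remote: str = ""     # second tunnel endpoint
    level: str = ""      # "default", "use", "require" or "unique:N"
    spid: int = 0


HEADER_RE = re.compile(r"^(\S+)\[[^\]]*\]\s+(\S+)\[[^\]]*\]\s+\S+$")
DIR_RE = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)$")
PROTO_RE = re.compile(
    r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/([^-/]+)-([^/]+)/(\S+)$")
SPID_RE = re.compile(r"^\s+spid=(\d+)\b")


def parse_spd(text):
    """Turn `setkey -PD` output into a list of Policy records."""
    policies, fields = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                       # unindented selector line starts a record
            fields = {"src": m.group(1), "dst": m.group(2)}
            continue
        if fields is None:
            continue
        m = DIR_RE.match(line)
        if m:
            fields["direction"] = m.group(1)
            continue
        m = PROTO_RE.match(line)
        if m:
            fields.update(proto=m.group(1), mode=m.group(2), local=m.group(3),
                          remote=m.group(4), level=m.group(5))
            continue
        m = SPID_RE.match(line)
        if m:                       # spid is the last field we need
            fields["spid"] = int(m.group(1))
            policies.append(Policy(**fields))
            fields = None
    return policies


def peer_key(p):
    """Endpoints print in opposite order for in/out policies; normalise them."""
    return tuple(sorted((p.local, p.remote)))


def level_mismatches(policies):
    """Return {peer_pair: {level: [spids]}} for peers whose policies disagree."""
    by_peer = defaultdict(lambda: defaultdict(list))
    for p in policies:
        if p.level:                 # skip discard/none policies
            by_peer[peer_key(p)][p.level].append(p.spid)
    return {k: dict(v) for k, v in by_peer.items() if len(v) > 1}


def spdadd_line(policies, src, dst, direction):
    """Build an spdadd line for a new selector pair, copying proto, mode,
    endpoints and level from an existing policy in the same direction."""
    tmpl = next((p for p in policies if p.direction == direction and p.level), None)
    if tmpl is None:
        raise ValueError("no existing %s policy to copy from" % direction)
    return "spdadd -4 %s %s any -P %s ipsec %s/%s/%s-%s/%s ;" % (
        src, dst, direction, tmpl.proto, tmpl.mode, tmpl.local, tmpl.remote, tmpl.level)


if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    for peer, levels in level_mismatches(pols).items():
        print("peer %s-%s uses several levels: %s" % (peer[0], peer[1], levels))
    # Feed this line to `setkey -v -c` on stdin and finish with ^D, as above.
    print(spdadd_line(pols, "10.26.2.0/24", "10.24.66.0/24", "out"))
```

Run it against real output with `setkey -PD | python3 spdcheck.py` after replacing the sample with `sys.stdin.read()`; the generated line for the sample reproduces the one given in the reply above, with the level copied from the existing "out" policy rather than typed from memory.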
