NAT before IPSEC - reply packets stuck at enc0
Muenz, Michael
m.muenz at spam-fetish.org
Wed Jul 26 12:32:43 UTC 2017
On 26.07.2017 at 12:20, Andrey V. Elsukov wrote:
> On 26.07.2017 12:47, Muenz, Michael wrote:
>> When I type setkey -PD I get:
>>
>> 10.24.66.0/24[any] 10.26.1.0/24[any] any
>> in ipsec
>> esp/tunnel/81.24.74.3-213.244.192.191/unique:2
>> created: Jul 26 11:03:53 2017 lastused: Jul 26 11:40:02 2017
>> lifetime: 9223372036854775807(s) validtime: 0(s)
>> spid=5 seq=1 pid=4292
>> refcnt=1
>> 10.26.1.0/24[any] 10.24.66.0/24[any] any
>> out ipsec
>> esp/tunnel/213.244.192.191-81.24.74.3/unique:2
>> created: Jul 26 11:03:53 2017 lastused: Jul 26 11:40:02 2017
>> lifetime: 9223372036854775807(s) validtime: 0(s)
>> spid=6 seq=0 pid=4292
>> refcnt=1
>>
>>
>> So it's in use.
>>
>> But when I type in your command it just "hangs". Not the system, but the
>> command doesn't get completed.
>>
>> root at PB-FW1-FRA:~ # setkey -v -c spdadd -4 10.26.2.0/24 10.24.66.0/24
>> any -P out ipsec esp/tunnel/213.244.192.191-81.24.74.3/require ;
>> <waiting cursor>
> You need to do it this way:
> 1. setkey -v -c <press Enter>
> 2. type the policy specification
> 3. press Enter and then press ^D
>
>
> # setkey -v -c
> spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
> esp/tunnel/213.244.192.191-81.24.74.3/unique:2 ;
> ^D
>
> Also, since your policies use the "unique" level, you need to specify the
> same level using the "unique:N" syntax.
>
> Also, if it is interesting to you, I patched ipfw_nat to be able to specify the
> needed direction. The patch is untested at all :)
> https://people.freebsd.org/~ae/nat_in_out.diff
>
> You need to rebuild ipfw(4) and ipfw_nat(4) kernel modules, and also
> ipfw(8) binary.
>
> With this patch you can use the following commands:
>
> ipfw nat 1 config ip 10.26.1.1 log
> ipfw add 179 nat-out 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
> ipfw add 179 nat-in 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> or these:
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat-in 1 all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
> ipfw add 179 nat-out 1 all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> Or maybe guys from OPNsense can help with testing.
>
You are a genius! Many thanks for your patience with me! Now I have a
running setup and it also works with an unpatched OPNsense kernel:
kldload ipfw_nat
ipfw nat 1 config ip 10.26.1.1 log
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 out xmit enc0
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
setkey -PD | grep unique
setkey -v -c
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec
esp/tunnel/213.244.192.191-81.24.74.3/unique:X ;
^D
That's all! I got it running, did a reboot and then it failed every time
until I saw that the number after unique changes.
How is this number calculated? I need this for templating the script.
Thanks for your help, you made my day/week/month/year :)
Michael
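The thread leaves the templating question open: the "unique:N" level is assigned when the SPD entry is installed, so a script must read it back from `setkey -PD` rather than hard-code it. The following POSIX sh snippet is an added example, not code from the thread or from FreeBSD/OPNsense; it parses a constructed copy of the SPD dump quoted above, picks the level of the outbound tunnel policy, and emits the matching spdadd line for the second subnet. The function names `unique_level` and `spdadd_cmd` are hypothetical.

```shell
#!/bin/sh
# Added example: template the extra SPD policy from the installed "unique:N" level
# instead of hard-coding the number, which changes across reboots.

# Constructed sample of `setkey -PD` output (the two SPD entries quoted in the thread).
SAMPLE_SPD='10.24.66.0/24[any] 10.26.1.0/24[any] any
	in ipsec
	esp/tunnel/81.24.74.3-213.244.192.191/unique:2
	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=5 seq=1 pid=4292
	refcnt=1
10.26.1.0/24[any] 10.24.66.0/24[any] any
	out ipsec
	esp/tunnel/213.244.192.191-81.24.74.3/unique:2
	created: Jul 26 11:03:53 2017  lastused: Jul 26 11:40:02 2017
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=6 seq=0 pid=4292
	refcnt=1'

# unique_level <spd-dump> <local-endpoint> <remote-endpoint>
# Prints N from "esp/tunnel/<local>-<remote>/unique:N"; the endpoint order selects
# the outbound policy, since the inbound one lists them reversed. Empty if absent.
unique_level() {
    printf '%s\n' "$1" \
        | sed -n "s#.*esp/tunnel/$2-$3/unique:\([0-9][0-9]*\).*#\1#p" \
        | head -n 1
}

# spdadd_cmd <src-subnet> <dst-subnet> <local-endpoint> <remote-endpoint> <level>
# Builds the policy line to feed to `setkey -c`, reusing the installed level.
spdadd_cmd() {
    printf 'spdadd -4 %s %s any -P out ipsec esp/tunnel/%s-%s/unique:%s ;\n' \
        "$1" "$2" "$3" "$4" "$5"
}

main() {
    level=$(unique_level "$SAMPLE_SPD" 213.244.192.191 81.24.74.3)
    # Refuse to install a policy with a guessed level; a mismatch is what broke
    # the setup after reboot in the thread.
    [ -n "$level" ] || { echo "no unique level found for tunnel" >&2; return 1; }
    spdadd_cmd 10.26.2.0/24 10.24.66.0/24 213.244.192.191 81.24.74.3 "$level"
    # On the firewall, replace "$SAMPLE_SPD" with "$(setkey -PD)" and pipe the
    # printed line into `setkey -c`.
}

main "$@"
```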