Here's the situation. I have a FreeBSD-Stable 9.1 system that has been running through the various versions of FreeBSD for the last several years. It uses ipfw and NAT to protect and serve PC clients along with other devices inside, and has an outside connection as well. The topology looks like this:
Clients [192.168.1.x/24] ---- [192.168.1.100-em0 -Server- em1-70.169.168.7] <---> Internet

em1 has the following:

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:30:48:db:7b:a7
        inet 70.169.168.7 netmask 0xffffff80 broadcast 70.169.168.127
        inet6 fe80::230:48ff:fedb:7ba7%em1 prefixlen 64 scopeid 0x6
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

The client topology is a bit complex, but from the server's perspective it looks like a single LAN (everything is effectively bridged).

I've used L2TP/PPTP for a while to run VPN "road warrior" clients in. This works OK but is slow. Recently I obtained a BlackBerry Z10, which only supports IKEv2 and other similar protocols. No big deal, I thought, so I recompiled the kernel with the appropriate IPSEC defines in it, downloaded StrongSwan, and after much gnashing of teeth got a configuration that works. I can connect to the gateway and see anything on it, along with anything else on the client subnet (after a fair bit of screwing around that involved placing the VPN's offered "tunnel" addresses inside of the client subnet).

The problem is that ipfw NAT utterly refuses to translate this traffic outbound. What's even worse is that I can't find it anywhere with tcpdump! That is, if I try to connect to an external web address and run

    tcpdump -i em1 host whatever-I-went-to

I see nothing being emitted for that address at all. My "ordinary" NAT entry is simply

    nat 1 ip from any to any via em1

which works fine for ordinary "on the client" traffic; no problems with that.
The IPSEC tunnel looks like this:

[root@NewFS /usr/local/etc]# ipsec status
Security Associations (1 up, 0 connecting):
      remote[1]: ESTABLISHED 25 minutes ago, 70.169.168.7[70.169.168.7]...208.54.35.133[k...@denninger.net]
      remote{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c717241a_i ad4563f9_o
      remote{1}:   192.168.1.0/24 === 192.168.1.71/32

And again, if I access something on the 192.168.1.x network, on or off the gateway host, or a service on the server endpoint (e.g. the IMAP mail server, which is listening on 70.169.168.7), it works.

It appears that once the packets come into the system via IPSEC they wind up being omitted from everything _*other than*_ going either into a local listening socket or being forwarded out the local client interface. I can't find them otherwise -- it's as if they disappeared! I have logging turned on for all "deny" ipfw firewall lines and nothing is showing up in the log related to this.

If I can't translate those packets then I can use the VPN to get INTO the network, but I CANNOT use it to make the remote machine appear to be PART OF the network, and that sucks.

Any ideas?

-- 
Karl Denninger
/The Market Ticker ®/ <http://market-ticker.org>
Cuda Systems LLC

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net