Hi Eric,

On 1/25/14 10:28 AM, Eric Masson wrote:
> Hi,
> 
> I've set up a lab to experiment with a NAT-before-IPsec scenario.
> Architecture:
> - 3 host-only interfaces have been set up on the host
> - 4 FreeBSD 10 guests have been set up:
>   - 2 clients connected to their respective gateways via dedicated host
>     only interfaces.
>   - 2 gateways connected together via dedicated host only interface

Trimming configs for clarity

> Gateway 1 setup :
> <----------------------------------------------------------------->
> emss@gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> emss@gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> $cmd    add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24

You also need to perform NAT processing on the traffic that returns to
gateway1 from gateway2.

    $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1

> $cmd    nat 100 config log ip 172.16.0.1 reverse
> emss@gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
> 
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
> 
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
> 
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>   ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>   esp/tunnel/10.0.0.6-10.0.0.5/require;
> 
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>   ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>   esp/tunnel/10.0.0.5-10.0.0.6/require;
> emss@gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
> 
> net.inet.ip.fw.default_to_accept="1"

I'm curious to learn whether this is sufficient. I haven't tested any
combination of NAT and IPsec.

Regards,
John
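To illustrate why the return-path rule matters, here is an added example (not from Eric's or John's mail, and not FreeBSD code): a toy Python model of ipfw's first-match rule lookup feeding a NAT instance, with the `reverse` keyword, IPsec processing and libalias port allocation deliberately left out. The client and peer addresses are constructed.

```python
import ipaddress

ip, net = ipaddress.ip_address, ipaddress.ip_network
ALIAS_IP = ip("172.16.0.1")        # the 'nat 100 config ip 172.16.0.1' address

class NatInstance:
    """Drastically simplified libalias: alias the source on the way out and
    map the destination back on the way in from a session table. Ports are
    assumed to be preserved, which real libalias does not guarantee."""
    def __init__(self, alias_ip):
        self.alias_ip = alias_ip
        self.sessions = {}     # (remote_ip, port) -> original client ip

    def translate(self, pkt):
        src, sport, dst, dport = pkt
        if dst == self.alias_ip:                 # reply aimed at the alias
            orig = self.sessions.get((src, dport))
            return (src, sport, orig, dport) if orig else pkt
        self.sessions[(dst, sport)] = src        # outbound: record and alias
        return (self.alias_ip, sport, dst, dport)

def apply_rules(rules, nat, pkt):
    """ipfw evaluates rules in number order; the first matching 'nat 100'
    rule hands the packet to the NAT instance. Anything matching no rule is
    passed untouched (net.inet.ip.fw.default_to_accept=1 in the quoted config)."""
    src, _, dst, _ = pkt
    for _num, src_net, dst_net in sorted(rules, key=lambda r: r[0]):
        if src in src_net and dst in dst_net:
            return nat.translate(pkt)
    return pkt

# Rule 100 as quoted from gateway1, and the return-path rule 200 suggested above.
RULE_100 = (100, net("192.168.11.0/24"), net("192.168.21.0/24"))
RULE_200 = (200, net("192.168.21.0/24"), net("172.16.0.1/32"))

def round_trip(rules):
    """Constructed flow: client 192.168.11.10 opens a connection to
    192.168.21.10 and the peer replies. Returns the destination address the
    gateway would forward the reply to."""
    nat = NatInstance(ALIAS_IP)
    out = apply_rules(rules, nat, (ip("192.168.11.10"), 40000, ip("192.168.21.10"), 22))
    reply = (out[2], out[3], out[0], out[1])     # the peer swaps src/dst
    back = apply_rules(rules, nat, reply)
    return str(back[2])

if __name__ == "__main__":
    print("rule 100 only :", round_trip([RULE_100]))            # 172.16.0.1
    print("rules 100+200:", round_trip([RULE_100, RULE_200]))   # 192.168.11.10
```

With only rule 100, the reply addressed to 172.16.0.1 matches no nat rule, so it is never de-aliased and stays addressed to the gateway itself; with rule 200 present it is mapped back to the client.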
