Hi Eric,

FreeBSD 10 seems to have problems with IPSec and filtering/nat. Maybe your problem is related to:
http://www.freebsd.org/cgi/query-pr.cgi?pr=185876

- Philipp

On 07 Mar 2014, at 03:48, John W. O'Brien <j...@saltant.com> wrote:

> Hi Eric,
>
> On 1/25/14 10:28 AM, Eric Masson wrote:
>> Hi,
>>
>> I've set up a lab to experiment with a nat-before-ipsec scenario.
>> Architecture :
>> - 3 host only interfaces have been set up on the host
>> - 4 FreeBSD10 guests have been set up :
>> - 2 clients connected to their respective gateways via dedicated host
>> only interfaces.
>> - 2 gateways connected together via dedicated host only interface
>
> Trimming configs for clarity
>
>> Gateway 1 setup :
>> <----------------------------------------------------------------->
>> emss@gateway1:~ % more /etc/rc.conf
>> hostname="gateway1"
>> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
>> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
>> gateway_enable="YES"
>> ipsec_enable="YES"
>> ipsec_file="/etc/ipsec.conf"
>> firewall_enable="YES"
>> firewall_script="/etc/ipfw.rules"
>> firewall_logging="YES"
>> emss@gateway1:~ % more /etc/ipfw.rules
>> #!/bin/sh
>> cmd="/sbin/ipfw"
>> $cmd -f flush
>> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
>
> You also need to perform NAT processing on the traffic that returns to
> gateway1 from gateway2.
>
> $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1
>
>> $cmd nat 100 config log ip 172.16.0.1 reverse
>> emss@gateway1:~ % more /etc/ipsec.conf
>> flush;
>> spdflush;
>>
>> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
>> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>>
>> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
>> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>>
>> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
>> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
>> esp/tunnel/10.0.0.6-10.0.0.5/require;
>>
>> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
>> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
>> esp/tunnel/10.0.0.5-10.0.0.6/require;
>> emss@gateway1:~ % more /boot/loader.conf
>> ipfw_load="YES"
>> ipfw_nat_load="YES"
>>
>> net.inet.ip.fw.default_to_accept="1"
>
> I'm curious to learn whether this is sufficient. I haven't tested any
> combination of NAT and IPsec.
>
> Regards,
> John
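As an added illustration of John's point (this is a constructed Python model, not code from the thread or from ipfw/setkey), the following walks one packet and its reply through gateway1's nat 100 rules and SPD entries, once with rule 100 alone and once with the suggested rule 200: without rule 200 the reply addressed to 172.16.0.1 is never translated back to the client, and without NAT at all the out policy never matches. The model keeps one NAT mapping per peer and ignores interface direction and the `reverse` keyword.

```python
import ipaddress

# Addresses taken from the gateway1 configuration in the thread.
LAN1 = ipaddress.ip_network("192.168.11.0/24")      # clients behind gateway1
LAN2 = ipaddress.ip_network("192.168.21.0/24")      # clients behind gateway2
NAT_NET = ipaddress.ip_network("172.16.0.1/32")     # 'nat 100 config ... ip 172.16.0.1'
NAT_IP = NAT_NET.network_address

# ipfw rules as (src_net, dst_net) pairs that hand a packet to nat 100.
ORIGINAL_RULES = [(LAN1, LAN2)]                     # rule 100 only
FIXED_RULES = [(LAN1, LAN2), (LAN2, NAT_NET)]       # plus John's rule 200

# setkey SPD entries: (src_net, dst_net, direction); a packet must match one
# to be carried (or accepted) through the ipcomp+esp tunnel.
SPD = [(LAN2, NAT_NET, "in"), (NAT_NET, LAN2, "out")]

def _rule_hits(rules, src, dst):
    return any(src in s and dst in d for s, d in rules)

def _spd_matches(src, dst, direction):
    return any(src in s and dst in d and direction == w for s, d, w in SPD)

def outbound(rules, src, dst, table):
    """Client -> gateway1 -> tunnel. Returns (source on the wire, tunnelled?)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _rule_hits(rules, src, dst):                # nat 100 rewrites the source...
        table[dst] = src                           # ...and remembers the real client
        src = NAT_IP
    return str(src), _spd_matches(src, dst, "out") # SPD is consulted after NAT

def inbound(rules, src, dst, table):
    """Tunnel -> gateway1 -> client. Returns (final destination, accepted by SPD?)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    accepted = _spd_matches(src, dst, "in")
    if accepted and dst == NAT_IP and _rule_hits(rules, src, dst):
        dst = table.get(src, dst)                  # undo the translation for the reply
    return str(dst), accepted

if __name__ == "__main__":
    for name, rules in (("rule 100 only", ORIGINAL_RULES), ("with rule 200", FIXED_RULES)):
        table = {}
        print(name, outbound(rules, "192.168.11.20", "192.168.21.5", table),
              inbound(rules, "192.168.21.5", "172.16.0.1", table))
```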