FreeBSD-STABLE 10 r263037MConfiguration has outside IPSEC connections coming in to Strongswan which should then be able to NAT back out to the Internet. The premise here is that "roaming" people may connect to this box and obtain both access to "inside" resources and outside Internet access, since the client points default at the IPSEC'd connection.
This used to work on 9.1, but am uncertain whether it has since. It does NOT under 10.0. [root@Gateway /disk/karl]# ipsec status Security Associations (1 up, 0 connecting):XX[3]: ESTABLISHED 5 minutes ago, x.x.x.x[C=US, ST=xx, O=xxx, CN=the.dom.ain, E=xxxxx]...172.56.20.235[xxxxx]
BB10{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: c90f5d36_i 4160832e_o
BB10{3}: 0.0.0.0/0 === 192.168.2.1/32
[root@Gateway /disk/karl]#
Ok, so theoretically there's a default route from the device, which is
fine. And the device (on 192.168.2.1, which was dynamically assigned
from a pool) can see anything internal on this external box (x.x.x.x) I
can successfully mount a samba share, for example, on a server that is
inside the firewall and I can also see the DNS resolver on the gateway.
However, let's now try to go out to an external location via an IP address. We'll watch it using TCPDUMP on em1, the interface that the packets are going to be emitted from toward the Internet:
[root@NewFS /disk/karl]# tcpdump -i em1 host 173.245.6.22817:07:06.524487 IP 192.168.2.1.14927 > 173.245.6.228.http: Flags [S], seq 150879940, win 65535, options [mss 1188,nop,wscale 6,sackOK,nop,nop,nop,nop,TS val 778723856 ecr 0], length 0 17:07:19.741732 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], seq 2513053141, win 65535, options [mss 1188,nop,wscale 6,sackOK,nop,nop,nop,nop,TS val 778723883 ecr 0], length 0 17:07:20.797330 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], seq 2513053141, win 65535, options [mss 1188,nop,wscale 6,sackOK,nop,nop,nop,nop,TS val 778723884 ecr 0], length 0 17:07:22.706839 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], seq 2513053141, win 65535, options [mss 1188,nop,wscale 6,sackOK,nop,nop,nop,nop,TS val 778723888 ecr 0], length 0
Ehhh...... that's no good. natd never gets the packets and never translates them; it sure looks like we're trying to blow a private IP number out the wire despite:
01700 divert 8668 ip4 from any to any via em1 01710 divert 8668 ip4 from 192.168.2.0/24 to any via em1 and ahead of that (to prevent exactly this sort of thing) 01120 deny log ip from any to 192.168.0.0/16 via em1 not ipsec Which by the way does NOT log anything. net.inet.ip.fw.one_pass: 0 net.inet.ip.fw.autoinc_step: 100 net.inet.ip.fw.verbose: 1 net.inet.ip.fw.verbose_limit: 0 net.inet.ip.fw.default_rule: 65535 net.inet.ip.fw.tables_max: 128 net.inet.ip.fw.default_to_accept: 0 net.inet.ip.fw.static_count: 108 net.inet.ip.fw.enable: 1 net.inet.ip.fw.dyn_buckets: 256 net.inet.ip.fw.curr_dyn_buckets: 256 net.inet.ip.fw.dyn_count: 3 net.inet.ip.fw.dyn_max: 4096 net.inet.ip.fw.dyn_ack_lifetime: 300 net.inet.ip.fw.dyn_syn_lifetime: 20 net.inet.ip.fw.dyn_fin_lifetime: 1 net.inet.ip.fw.dyn_rst_lifetime: 1 net.inet.ip.fw.dyn_udp_lifetime: 10 net.inet.ip.fw.dyn_short_lifetime: 5 net.inet.ip.fw.dyn_keepalive: 1 one_pass is off.And there is nothing being blocked either; all the "deny" entries have "log" on them and there's nothing showing up in the logfile (there's plenty of random people trying to port scan me that ARE showing up, however, so I know the log is working properly.)
It *looks* like anything coming in through IPSEC and being decoded in there never goes through the ipfw chain at all.....
-- -- Karl k...@denninger.net
smime.p7s
Description: S/MIME Cryptographic Signature
