Hi, Could this be incidentally related to this PR? [1]
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220217 On 19 Jul 2017, at 12:23, Muenz, Michael wrote: > Hi, > > seems this is a rather old topic but I want to check if there's perhaps some > progress or chance to get this done. > I'm using OPNsense based on FreeBSD11 and there's a problem with NAT before > IPSEC. > > Some old discussions: > https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106 > http://undeadly.org/cgi?action=article&sid=20090127205841 > https://github.com/opnsense/core/issues/440 > > What I want to achieve is: > > IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works > Peer at Site-B cannont be changed anymore, but there's a second subnet > (10.26.2.0/24) on Site-A: > > 10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B -- > 10.24.66.0 > > If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to a IP > for 10.24.1.0 before it hits VPN. > > My approach was: > > kldload ipfw_nat.ko > ipfw nat 1 config ip 10.26.1.1 log reverse > ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 > > So all packets from 10.26.2. to 10.24.66 will nattet to IP 10.26.1.1 (LAN IP > Firewall-A). > > This works just fine and I see the replies in enc0: > 09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8 > 09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8 > > Sadly nothing else happens. My thought was it's just some kinde of > state-tracking so I played around with all kinds of sysctl values, but > nothing helps. > > Is there really no way to achieve a setup like this? > > Thanks, > Michael > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
signature.asc
Description: OpenPGP digital signature
