On 19.07.2017 15:46, Muenz, Michael wrote:
> On 19.07.2017 at 14:22, Andrey V. Elsukov wrote:
>>
>> Different NAT instances will not work for the same flow, because they
>> have different state tables. Packets in both directions should pass
>> through the same NAT instance.
>>
>> What do you see in tcpdump on the enc0 interface?
>>
> Ok, also tried with one nat instance, same result:
>
> ipfw nat 1 config ip 10.26.1.1 log reverse
> ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24
> ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
>
> LAN Interface:
> 14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
> 14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
> 14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8
>
> enc0 interface
> 14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
> 14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
> 14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
> 14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
> 14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
> 14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8
Check what you will see if you set net.enc.in.ipsec_bpf_mask=3. You should see the reply two times; the second one should have the translated address.

-- 
WBR, Andrey V. Elsukov
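An added example, not code from the thread and not part of FreeBSD or ipfw: a small Python checker that reads tcpdump lines from the LAN side and from enc0 and reports (a) what the outbound `ipfw nat` rewrote on each echo request (source address and ICMP id) and (b) whether each inbound reply on enc0 appears twice, with the second copy carrying the translated LAN destination, which is what Andrey says net.enc.in.ipsec_bpf_mask=3 should show when the reverse translation works. The LAN and single-copy enc0 lines are the ones posted above; the two-copy enc0 capture is constructed as an assumption of what a working setup would print (in particular that the second copy restores the LAN host 10.26.2.11 and the original id 45314), and NAT_IP is taken from the posted `ipfw nat 1 config` line.

```python
# Added example, not from the thread: check ipfw nat translation in both
# directions from tcpdump -n output (LAN side and FreeBSD enc0).
import re
from collections import OrderedDict

NAT_IP = "10.26.1.1"  # from the posted rule: ipfw nat 1 config ip 10.26.1.1

# LAN-side and enc0 lines exactly as posted (one copy per reply).
LAN_CAPTURE = """\
14:40:32.441506 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 256, length 8
14:40:33.441565 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 512, length 8
14:40:34.441635 IP 10.26.2.11 > 10.24.66.25: ICMP echo request, id 45314, seq 768, length 8
"""
ENC0_AS_POSTED = """\
14:40:32.441553 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 256, length 8
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:33.441613 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 512, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
14:40:34.441683 (authentic,confidential): SPI 0x8fe95b44: IP 10.26.1.1 > 10.24.66.25: ICMP echo request, id 64122, seq 768, length 8
14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8
"""
# Constructed (assumption): replies only, as a working setup is expected to
# show with net.enc.in.ipsec_bpf_mask=3. Each reply is tapped twice; the second
# copy (after ipfw) is assumed to carry the LAN host and original id again.
ENC0_MASK3_CONSTRUCTED = """\
14:40:32.449671 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 256, length 8
14:40:32.449680 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.2.11: ICMP echo reply, id 45314, seq 256, length 8
14:40:33.450623 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 512, length 8
14:40:33.450631 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.2.11: ICMP echo reply, id 45314, seq 512, length 8
14:40:34.449786 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.1.1: ICMP echo reply, id 64122, seq 768, length 8
14:40:34.449794 (authentic,confidential): SPI 0xcbc867ea: IP 10.24.66.25 > 10.26.2.11: ICMP echo reply, id 45314, seq 768, length 8
"""

# enc0 frames carry an "(flags): SPI 0x...:" prefix; plain interfaces do not.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?:\([a-z,]+\): SPI (?P<spi>0x[0-9a-f]+): )?"
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_capture(text):
    """Parse ICMP echo lines from tcpdump -n output; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def outbound_translations(lan_pkts, enc_pkts, nat_ip=NAT_IP):
    """Pair each LAN request with the enc0 request of the same seq and report
    what the NAT rewrote on the way out (source address and ICMP id)."""
    enc_by_seq = {p["seq"]: p for p in enc_pkts if p["kind"] == "request"}
    out = []
    for p in lan_pkts:
        if p["kind"] != "request" or p["seq"] not in enc_by_seq:
            continue
        q = enc_by_seq[p["seq"]]
        out.append({"seq": p["seq"], "inside": (p["src"], p["id"]),
                    "outside": (q["src"], q["id"]),
                    "translated": q["src"] == nat_ip and p["src"] != nat_ip})
    return out


def check_reverse_nat(enc_pkts, nat_ip=NAT_IP):
    """Group inbound replies by (SPI, remote src, seq) in capture order.
    With both enc0 tap points enabled a healthy flow shows two copies: the
    first addressed to nat_ip, the second rewritten to the LAN host.
    Status: 'translated', 'untranslated' (all copies still to nat_ip),
    'single' (only one tap point enabled, or the reply vanished in ipfw)."""
    groups = OrderedDict()
    for p in enc_pkts:
        if p["kind"] == "reply" and p["spi"]:
            groups.setdefault((p["spi"], p["src"], p["seq"]), []).append(p)
    result = OrderedDict()
    for key, copies in groups.items():
        last = copies[-1]
        if len(copies) == 1:
            status = "single"
        elif copies[0]["dst"] == nat_ip and last["dst"] != nat_ip:
            status = "translated"
        elif all(c["dst"] == nat_ip for c in copies):
            status = "untranslated"
        else:
            status = "unexpected"
        result[key] = {"status": status, "copies": len(copies),
                       "final_dst": last["dst"], "final_id": last["id"]}
    return result


if __name__ == "__main__":
    lan, enc = parse_capture(LAN_CAPTURE), parse_capture(ENC0_AS_POSTED)
    for t in outbound_translations(lan, enc):
        print(f"out seq {t['seq']}: {t['inside']} -> {t['outside']} translated={t['translated']}")
    for name, cap in (("as posted", ENC0_AS_POSTED), ("mask=3 (constructed)", ENC0_MASK3_CONSTRUCTED)):
        for key, v in check_reverse_nat(parse_capture(cap)).items():
            print(f"{name} seq {key[2]}: {v['status']} ({v['copies']} copies, last dst {v['final_dst']})")
```

On the posted capture every reply comes out as `single`, which is consistent with only one enc0 tap point being active and says nothing yet about the reverse translation; rerunning the same check on a capture taken after `sysctl net.enc.in.ipsec_bpf_mask=3` is what distinguishes a working reverse NAT (`translated`) from a reply that passes ipfw untouched (`untranslated`, meaning the `in recv enc0` rule matched no state). Grouping by (SPI, source, seq) rather than by ICMP id is deliberate, since the id itself is rewritten by the translation.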