Am 25.07.2017 um 10:43 schrieb Muenz, Michael:
Am 25.07.2017 um 10:22 schrieb Andrey V. Elsukov:
ICMP request should be matched by outbound IPsec policy. Looking to your
tcpdump, you use tunnel IPsec mode. So, how this should work:
* 10.26.2.N sends ICMP request to 10.24.66.25
* 10.26.1.1 handles it by tunnel mode IPsec security policy,
something like:
spdadd -4 10.26.2.0/24 10.24.66.0/24 any -P out ipsec \
esp/tunnel/213.244.192.191-81.24.74.3/require;
* IPsec code does lookup for IPsec SA and uses something like:
add 213.244.192.191 81.24.74.3 esp 0x2478d746 -m tunnel -E ...;
Thanks for the detailed explaination! I only know the insights with
Linux, but what I try to achieve is, not to build a SA fpr 10.26.2.0
to 10.24.66.0.
So IMHO the address rewriting from 10.26.2 to 10.26.1 should be done
before getting to the IPSEC process.
In Linux a packet not matching a SA would simply be dropped by kernel
or throw a "NO PROPOSAL CHOSEN" since there's no known SA for
10.26.2.0 to 10.24.66.0.
I'll try to reach out the OPNsense guys if they are willing to patch a
new kernel for me.
Thanks!
Michael
This is the output with the new kernel:
14:02:53.960436 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0,
ttl 63, id 6287, offset 0, flags [none], proto ICMP (1), length 28, bad
cksum b07 (->c07)!)
10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
14:02:53.960460 (authentic,confidential): SPI 0xdeda7104: IP (tos 0x0,
ttl 64, id 32607, offset 0, flags [none], proto IPIP (4), length 48, bad
cksum 0 (->c99b)!)
213.244.192.191 > 81.24.74.3: IP (tos 0x0, ttl 63, id 6287, offset
0, flags [none], proto ICMP (1), length 28)
10.26.1.1 > 10.24.66.25: ICMP echo request, id 38600, seq 0, length 8
14:02:53.968634 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0,
ttl 58, id 18352, offset 0, flags [none], proto IPIP (4), length 48)
81.24.74.3 > 213.244.192.191: IP (tos 0x0, ttl 63, id 38328, offset
0, flags [none], proto ICMP (1), length 28)
10.24.66.25 > 10.26.1.1: ICMP echo reply, id 38600, seq 0, length 8
14:02:53.968653 (authentic,confidential): SPI 0xcdea472d: IP (tos 0x0,
ttl 63, id 38328, offset 0, flags [none], proto ICMP (1), length 28)
10.26.1.1 > 10.26.1.1: ICMP echo reply, id 44919, seq 0, length 8
So the most specific nat rule in order to get the packet into enc0 is:
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24 in recv vtnet1
ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0
Thanks!
Michael
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
