> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> On behalf of BARDOU Pierre
> Sent: Thursday, 6 November 2008 15:30
> To: misc@openbsd.org
> Cc: LOUIS Marc
> Subject: NAT + IPsec problem
>
> Hello,
>
> I am trying to set up an IPsec connection.
> Here is the ipsec.conf:
> ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
>     main auth hmac-sha1 enc aes-256 \
>     quick auth hmac-sha1 enc aes-256 group modp1024 psk "xxxxxxxx"
>
> Tunnels go up well:
> flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
> flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
> esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes
> esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes
>
> As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx before the tunnel. So I put this in my pf.conf:
> nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2
>
> The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet.
>
> Here is the pflog:
> Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
> Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request
>
> -> Packets are going out through em0 (my inet interface) instead of enc0
>
> As the pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And the most important: why don't outgoing packets -with "good" addresses- go through the tunnel?
> Have I misconfigured something?
>
> Thank you for your help
>
> --
> Regards,
>
> Pierre BARDOU
> CSIM - Bureau 012
>
> Midi Pyrénées Informatique Hospitalière
> 12 rue Michel Labrousse
> BP93668
> F-31036 Toulouse CEDEX 1
>
> Tél : 05 67 31 90 84
> Fax : 05 34 61 51 00
> Mail : [EMAIL PROTECTED]
From the OpenBSD ipsec manpage I would guess that the decision of what flow to use is done before pf processes the packets. And as the original packets do not match the defined flows (they are on a smaller subnet only), the packets will go to the internet, and are not reconsidered for matching an IPsec flow after NAT has been done. I saw messages where people have circumvented this by defining a local (lo) interface where the NAT can be done. Not exactly what you want to do, but it might provide some insight: http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html
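One way to wire up the loopback trick the reply refers to, written as an added example rather than configuration from either poster or from the linked thread, in the pre-4.7 `nat` syntax the original mail uses. The interface lo1, its placeholder address 10.255.255.1 and the route command are assumptions; bge0, em0, the subnets and the NAT address come from the thread.

```conf
# Added example: NAT on a loopback interface so the translated packet is
# looked up against the IPsec flows a second time. Assumes OpenBSD 4.4-era
# pf syntax (nat ... ->) as used in the thread; lo1 and 10.255.255.1 are
# placeholders chosen for this example.
#
# 1. Create a dedicated loopback and point the remote network at it
#    (done once, e.g. from /etc/hostname.lo1 and /etc/rc.local):
#      ifconfig lo1 create
#      ifconfig lo1 inet 10.255.255.1 netmask 255.255.255.255
#      route add -net 193.164.151.0/28 10.255.255.1
#
# 2. /etc/pf.conf
ext_if  = "em0"              # Internet-facing interface (from the thread)
int_if  = "bge0"             # LAN interface (from the thread)
lan     = "10.31.0.0/16"     # real LAN addresses
remote  = "193.164.151.0/28" # network behind the peer
nat_src = "10.63.61.2"       # address covered by the ipsec.conf flow

# The default pf.conf skips every loopback interface ("set skip on lo");
# lo1 must be filtered for the translation to happen, so only skip lo0.
set skip on lo0

# Problem setting from the original mail: translation happens on em0,
# after the IPsec flow lookup has already run for source 10.31.30.1, so
# the packet leaves untunnelled (and is then blocked by rule 1 in the log).
#nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

# Workaround: the route sends the LAN packet to lo1, pf translates it
# there, the kernel loops it back in, and the second pass through
# ip_output now matches "flow esp out from 10.63.61.0/26 ...".
nat on lo1 from $lan to $remote -> $nat_src

pass in  on $int_if from $lan     to $remote
pass in  on lo1     from $nat_src to $remote
pass out on enc0    from $nat_src to $remote
# The existing rules allowing ESP and IKE (udp 500) on $ext_if to the
# peer 193.164.151.35 stay as they are; the tunnel itself is already up.
```

Check the result with `tcpdump -ni enc0` (the translated packets should now appear there instead of on em0) and `pfctl -ss`, which should show the NAT state on lo1.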