IPFW problem with passing IPSEC through in-kernel NAT

Karl Denninger karl at denninger.net
Thu Dec 8 22:58:03 UTC 2016


Hi folks;

I have a fairly complex configuration here with IPSEC on a gateway
machine, which is working fine.  However, I also wish to pass through
*client* IPSEC setup requests (which happen to be coming from cellphones
that want to use WiFi calling) as well, and have run into a problem.

T-Mobile's WiFi calling appears to set up an IPSEC tunnel back to the
company when turned on.  The issue I'm running into is that while this
is *supposed* to work with a device behind a NAT router (and does in
other locations around the area) my FreeBSD gateway (which also happens
to run the IPSEC gateway) always appears to pass the *internal* address
(!) for the phone outbound, and refuses to put the setup packets through
NAT.  If I shut down IPSEC on the gateway machine and remove all of its
ipfw rules it still doesn't work; I get authentication errors returned
(when looking at the data stream with tcpdump to and from the phone
device) which implies that the packets sent to the host are being
tampered with -- along with some untranslated transmissions as well.

Does anyone have a sample configuration that works with T-Mobile's WiFi
calling and FreeBSD's internal kernel NAT solution?  That might be
enough for me to figure out what's going on...

FreeBSD 11.0-STABLE #13 r307318M:  if the rev matters....

Thanks in advance!

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/