Odd NAT/IPSEC question -- help! :-)

Karl Denninger karl at denninger.net
Sun Apr 21 00:41:51 UTC 2013


Here's the situation.

I have a FreeBSD-Stable 9.1 system that has been running through the
various versions of FreeBSD for the last several years.  It uses ipfw
and NAT to protect and serve PC clients along with other devices inside,
and has an outside connection as well.  The topology looks like this:

Clients [192.168.1.x/24] ---- [192.168.1.100-em0 -Server- em1-70.169.168.7] <---> Internet

em1 has the following:
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:30:48:db:7b:a7
        inet 70.169.168.7 netmask 0xffffff80 broadcast 70.169.168.127
        inet6 fe80::230:48ff:fedb:7ba7%em1 prefixlen 64 scopeid 0x6
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

The client topology is a bit complex but from the server's perspective
looks like a single LAN (everything is effectively bridged.)

I've used L2TP/PPTP for a while to run VPN "road warrior" clients in.
This works ok but is slow.

Recently I obtained a BlackBerry Z-10, which only supports IKEv2 and
other similar protocols.  No big deal, I thought, so I recompiled the
kernel with the appropriate IPSEC defines in it, downloaded StrongSwan
and after much gnashing of teeth got a configuration that works.

I can connect to the gateway and see anything on it, along with anything
else on the client subnet (after a fair amount of screwing around that
involved placing the VPN's offered "tunnel" addresses inside of the client
subnet.)

The problem is that ipfw NAT utterly refuses to translate this traffic
outbound.  What's even worse is that I can't find it anywhere with
tcpdump!  That is, if I try to connect to an external web address and run
a tcpdump -i em1 host whatever-I-went-to I see nothing being emitted for
that address at all.

My "ordinary" NAT entry is simply "nat 1 ip from any to any via em1",
which works fine for ordinary "on the client" traffic; no problems with
that.  The IPSEC tunnel looks like this:

[root at NewFS /usr/local/etc]# ipsec status
Security Associations (1 up, 0 connecting):
      remote[1]: ESTABLISHED 25 minutes ago, 70.169.168.7[70.169.168.7]...208.54.35.133[karl at denninger.net]
      remote{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c717241a_i ad4563f9_o
      remote{1}:   192.168.1.0/24 === 192.168.1.71/32

And again, if I access something on the 192.168.1.x network, on or off
the gateway host, or a service on the server endpoint (e.g. the IMAP
mail server which is listening on 70.169.168.7), it works.

It appears that once the packets come into the system via ipsec they
wind up being omitted from everything _*other than*_ going either into a
local listening socket or being forwarded out the local client
interface.  I can't find them otherwise -- it's as if they disappeared! 
I have logging turned on for all "deny" ipfw firewall lines and nothing
is showing up in the log related to this.

If I can't translate those packets then I can use the VPN to get INTO
the network but I CANNOT use it to make the remote machine appear to be
PART OF the network, and that sucks.

Any ideas?
 
-- 
-- Karl Denninger
/The Market Ticker ®/ <http://market-ticker.org>
Cuda Systems LLC
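As an added example (not part of the post above, and not strongSwan or FreeBSD code), here is a small Python check that parses the CHILD_SA selector line from the `ipsec status` output quoted in the post and reports whether a given inner packet falls inside that SA's traffic selectors. strongSwan prints the selectors as "local-TS === remote-TS", so with `192.168.1.0/24 === 192.168.1.71/32` a packet from the road-warrior address to a host outside 192.168.1.0/24 matches neither direction and would not arrive on the gateway through this SA at all; that is worth verifying before looking at the ipfw nat rule. The status text is copied from the post; the packet addresses used in the usage lines are constructed, and 198.51.100.10 is a documentation-range stand-in for an external host.

```python
"""Check an inner (pre-encapsulation) packet against the traffic selectors of
an installed IPsec CHILD_SA, as parsed from `ipsec status` output.

Added example, not project code.  The status text below is copied from the
mailing-list post; packet addresses in the usage section are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Matches a strongSwan CHILD_SA selector line such as
#     remote{1}:   192.168.1.0/24 === 192.168.1.71/32
# The left side is the gateway's ("local") selector, the right side the
# peer's ("remote") selector.  Lines with [..] (IKE_SA) or without "==="
# (the INSTALLED/SPIs line) deliberately do not match.
_TS_LINE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$"
)

# Copied from the post's `ipsec status` output.
POST_STATUS = """Security Associations (1 up, 0 connecting):
      remote[1]: ESTABLISHED 25 minutes ago, 70.169.168.7[70.169.168.7]...208.54.35.133[karl at denninger.net]
      remote{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c717241a_i ad4563f9_o
      remote{1}:   192.168.1.0/24 === 192.168.1.71/32
"""


@dataclass(frozen=True)
class TrafficSelector:
    local: ipaddress.IPv4Network   # gateway side of the tunnel
    remote: ipaddress.IPv4Network  # road-warrior side of the tunnel


def parse_child_sas(status_text: str) -> Dict[str, TrafficSelector]:
    """Return {connection name: TrafficSelector} for every CHILD_SA listed."""
    sas: Dict[str, TrafficSelector] = {}
    for line in status_text.splitlines():
        m = _TS_LINE.match(line)
        if m:
            sas[m.group("name")] = TrafficSelector(
                ipaddress.ip_network(m.group("local"), strict=False),
                ipaddress.ip_network(m.group("remote"), strict=False),
            )
    return sas


def selector_direction(ts: TrafficSelector, src: str, dst: str) -> Optional[str]:
    """'inbound' if the packet is one the gateway decapsulates from this SA,
    'outbound' if it is one the gateway would encapsulate, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ts.remote and d in ts.local:
        return "inbound"
    if s in ts.local and d in ts.remote:
        return "outbound"
    return None


def classify(status_text: str, src: str, dst: str) -> str:
    """Name the first SA whose selectors cover src->dst, or say none does."""
    for name, ts in parse_child_sas(status_text).items():
        direction = selector_direction(ts, src, dst)
        if direction:
            return f"{direction} via {name}"
    return "no selector match: packet is outside every CHILD_SA"


if __name__ == "__main__":
    # Constructed packets: LAN host 192.168.1.50, external host 198.51.100.10.
    for src, dst in [("192.168.1.71", "192.168.1.50"),
                     ("192.168.1.50", "192.168.1.71"),
                     ("192.168.1.71", "198.51.100.10")]:
        print(f"{src} -> {dst}: {classify(POST_STATUS, src, dst)}")
```

Run it as-is to see the three classifications; to check a live gateway, replace POST_STATUS with the captured output of `ipsec status`. A "no selector match" result for road-warrior-to-Internet traffic means the client is not sending that traffic into the tunnel under the installed selectors, so there is nothing for the gateway's NAT rule to translate; a match for that traffic narrows the search to the ipfw ruleset itself.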