Re: PF: nat on ipsec

From: Matthew Grooms <mgrooms_at_shrew.net>
Date: Mon, 10 Oct 2022 15:01:13 UTC
On 10/10/22 02:04, infoomatic wrote:
> Hi guys,
>
> hope someone can help me with my problem trying to NAT ipsec. The setup:
> I use a FreeBSD host with an opnsense VM and a vnet jail. The host uses
> em0 with an external interface, one bridge with an ipv4 address and tap
> interface to connect opnsense and one bridge without ipv4 address with
> tap of opnsense + epair of the jail to connect those two. Opnsense is
> doing ipsec (strongswan) to our AWS infrastructure, the jail is
> simulating a client on the "LAN" interface of opnsense. NAT on the host
> is set up with pf and works as expected except for ipsec: so outgoing
> tcp/udp packets from the jail pass through opnsense, get natted and then
> pass the host where they again get natted.
>
>
> The outgoing rules on the host
>
> nat pass on em0 proto udp from 192.168.251.100 to any -> $ip_out
>
> nat pass on em0 proto tcp from 192.168.251.100 to any -> $ip_out
>
>
> The incoming rules redirecting ipsec traffic to opnsense
>
> rdr pass proto udp to $ip_out port 4500 -> 192.168.251.100
> rdr pass proto udp to $ip_out port 500 -> 192.168.251.100
>
>
> On the host, I can see that pf is not translating the packets, using
> tcpdump on pflog0 shows me:
>
> 00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500
> > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
>
> 00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 >
> 3.123.51.34: ip-proto-17
>
>
> where 3.123.51.34 is the ipsec endpoint on AWS side. Every other packet
> outgoing from the jail shows of course the external ipv4 address,
> however, as you can see above, ipsec traffic does not get translated,
> packets try to pass the host's em0 interface with the internal ipv4
> address of opnsense "WAN" interface.
>
>
> I hope there is a solution I have not found to this strange problem, any
> advice highly appreciated. Thanks!

I'm not sure if I understood all the details here, but: NAT happens on
egress. For traffic to be processed by IPsec, your traffic must have
source and destination addresses that match the appropriate IPsec
policy. Waiting until it's being sent outbound (where NAT occurs) is
usually too late.

Hope this helps,

-Matthew
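As an added example (not part of this thread or of pf itself), a small Python checker for the symptom described above: it parses pflog lines of the shape quoted in the question, as printed by tcpdump on pflog0, and flags every packet leaving the external interface with an RFC 1918 source address, i.e. a packet that was not translated by the nat rules. The interface name em0 comes from the thread; the log lines below are constructed to mirror the quoted output.

```python
import ipaddress
import re

# Constructed sample in the shape of `tcpdump -n -e -ttt -i pflog0` output.
SAMPLE_PFLOG = """\
00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17
00:00:00.000200 rule 5/0(match): pass out on em0: 203.0.113.10.51234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
00:00:00.000300 rule 22/0(match): block in on em0: 198.51.100.9.53 > 203.0.113.10.40000: UDP, length 80
"""

# RFC 1918 space only; ipaddress.is_private would also match documentation nets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_addr(token):
    """Split tcpdump's 'a.b.c.d.port' or bare 'a.b.c.d' into (ip, port or None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None

def find_untranslated_egress(log_text, ext_if):
    """Return outbound packets on ext_if whose source is still an RFC 1918 address."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "out" or m["ifname"] != ext_if:
            continue
        src_ip, src_port = split_addr(m["src"])
        if not any(src_ip in net for net in RFC1918):
            continue
        rest = m["rest"]
        if "UDP-encap: ESP" in rest:
            kind = "nat-t-esp"            # IKE/ESP over UDP 4500 (NAT-T)
        elif src_port is None and rest.startswith("ip-proto-"):
            kind = "no-transport-header"  # tcpdump saw no ports: typically a non-first fragment
        else:
            kind = "other"
        findings.append({"rule": int(m["rule"]), "action": m["action"], "src": str(src_ip),
                         "dst": str(split_addr(m["dst"])[0]), "kind": kind})
    return findings

if __name__ == "__main__":
    for f in find_untranslated_egress(SAMPLE_PFLOG, "em0"):
        print(f)
```

Feed it real pflog output with `tcpdump -n -e -ttt -i pflog0 | python3 check.py` style piping once adapted to read stdin; the two flagged entries for the constructed sample are exactly the two quoted in the question.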