Re: PF: nat on ipsec

From: André S. Almeida <andre_at_andre.adm.br>
Date: Mon, 10 Oct 2022 15:59:50 UTC
Take a look at the sysctl option "net.inet.ipsec.filtertunnel"; it needs to
be active for NAT to work with IPSec.

 - Andre

On Mon, 10 Oct 2022 at 12:52, Matthew Grooms <mgrooms@shrew.net>
wrote:

> On 10/10/22 10:38, infoomatic wrote:
> > On 10.10.22 17:01, Matthew Grooms wrote:
> >>
> >> I'm not sure if I understood all the details here, but: NAT happens on
> >> egress. For traffic to be processed by IPsec, your traffic must have
> >> source and destination addresses that match the appropriate IPsec
> >> policy. Waiting until it's being sent outbound (where NAT occurs) is
> >> usually too late.
> >>
> > thanks for your response. The source and destination addresses in the
> > configuration are OK. Every non-ipsec packet coming from opnsense is
> > translated as in the pf.conf on the host. The problem is: as soon as it
> > is an ipsec packet, the host does not translate it but instead forwards
> > the packet with the original private ip through the physical interface
> > with the public ip address (which of course is prohibited by a rule
> > further down in pf.conf). I have tried to add various nat + rdr rules
> > which explicitly use various protocols from /etc/protocols e.g. "proto
> > ipencap" but this does not change the behaviour. It seems like the host
> > realizes it is an ipsec packet and just refuses to nat that packet.
> >
> >
> > Out of curiosity I ordered another hardware host where I installed
> > Linux, created a VM with opnsense (with the same config, the only
> > adaptation was the public ip-address in the ipsec configuration) and a
> > client on opnsense's LAN interface. I used iptables and it worked as
> > expected ... every packet on egress is translated to the outgoing ip
> > address.
> >
>
> IPsec traffic flow is complicated. Have a look at enc. It's been
> instrumental in helping me fix this class of issue in several instances.
> YMMV.
>
> https://www.freebsd.org/cgi/man.cgi?query=enc&sektion=4
>
> Good luck! :)
>
> -Matthew
>
> --
André S. Almeida
http://www.andre.adm.br
+55 (48) 98812-3932
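The two suggestions made in this thread, filtering on enc(4) and enabling net.inet.ipsec.filtertunnel, fit together in a pf.conf like the one below. This is an added illustration written for this page; it is not a configuration posted by anyone in the thread. The interface names em0 and vtnet0, the VM network 10.0.0.0/24 and the peer address 203.0.113.1 are constructed placeholders, and the layout assumes the FreeBSD host's own kernel IPsec is what processes the tunnel packets (enc0 carries nothing otherwise).

```pf
# /etc/pf.conf fragment (constructed example; names and addresses are
# placeholders, not values from the thread).
#
# Companion setting in /etc/sysctl.conf, as suggested in the thread:
#   net.inet.ipsec.filtertunnel=1

ext_if = "em0"           # physical interface holding the public address
vm_if  = "vtnet0"        # bridge/tap side facing the OPNsense VM
vm_net = "10.0.0.0/24"   # private network behind the VM (placeholder)
peer   = "203.0.113.1"   # remote IPsec peer (documentation address)

# NAT is applied on egress of the public interface, before filtering.
# ESP has no ports, so the translation is purely address based.
nat on $ext_if from $vm_net to any -> ($ext_if)

# Tunnel control (IKE on 500/4500) and data (ESP) on the outside.
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# enc0 shows the cleartext packet: outbound before encapsulation, inbound
# after decapsulation. Rules here therefore match the inner, private
# addresses, which is where the traffic described in the thread is visible.
pass in  on enc0 from any to $vm_net keep state
pass out on enc0 from $vm_net to any keep state

# Refuse anything that reaches the public interface untranslated. This is
# the class of rule that was dropping the untranslated packets in the
# thread; with the nat rule above it only ever sees ($ext_if) as source.
block out on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the same cleartext packet passes pf once on $vm_if and again on enc0, `tcpdump -ni enc0` is the quickest way to confirm whether the host's IPsec stack is handling the packet at all; if nothing appears there, the traffic is not matching a policy on the host and the NAT rule is not the place to look.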