[Bug 215006] [ipsec] Unable to use pf RDR on enc0 in transport mode

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Dec 2 15:04:39 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215006

            Bug ID: 215006
           Summary: [ipsec] Unable to use pf RDR on enc0 in transport mode
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: jeromecharles.lallemand at gmail.com
                CC: bapt at FreeBSD.org

I'm trying to NAT packets incoming from enc0 to another machine.

The RDR statement in pf works for the incoming packet, but the reply from the
other machine is forwarded back to the issuer without encryption.

It might be because of the state matching on the reply, which sends back the
reply bypassing the SPD rules.

This is working flawlessly with encryption.

I'm in a gateway setup; is there any chance to get the RDR working with IPsec
in transport mode?


Computer1 em0 | -----> IPSEC -----> | em0 Computer2 em1 | -----> | em0 Computer3 |
  10.11.1.3                           172.31.0.1  10.56.1.10       10.56.1.224


Here is my setup:

ifconfig
em0: 172.31.0.1/24
em1: 10.56.1.10/24

pf.conf:
rdr on enc0 inet from 10.11.0.0/16 to 172.31.0.1 tag "balance-1" -> 10.56.1.224
pass all

setkey.conf:
add -4 10.11.1.3 172.31.0.1 esp 0x100 -m transport -E rijndael-cbc "This is secret AES 256 bits key!" -A hmac-sha2-256 "This is secret HMAC 256 bits key";
add -4 172.31.0.1 10.11.1.3 esp 0x101 -m transport -E rijndael-cbc "This is secret AES 256 bits key!" -A hmac-sha2-256 "This is secret HMAC 256 bits key";

spdadd 10.11.1.3 172.31.0.1 any -P in ipsec esp/transport//require;
spdadd 172.31.0.1 10.11.1.3 any -P out ipsec esp/transport//require;


Results:
ping -W1 -c1 -S 10.11.1.3 172.31.0.1
PING 172.31.0.1 (172.31.0.1) from 10.11.1.3: 56 data bytes

tcpdump -ni em0
11:43:31.276852 IP 10.11.1.3 > 172.31.0.1: ESP(spi=0x00000100,seq=0x16), length 120
11:43:31.277594 IP 172.31.0.1 > 10.11.1.3: ICMP echo reply, id 49496, seq 0, length 64

Thank you for your help.

-- 
You are receiving this mail because:
You are the assignee for the bug.
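A check a defender can run over the `tcpdump -ni em0` output in this report, added here as an example and not part of the bug report or of FreeBSD: it takes the two `require` SPD pairs from setkey.conf as constants (constructed from the report), parses each tcpdump line, and flags any packet between those peers that went on the wire as something other than ESP. On the capture above it flags exactly the cleartext ICMP echo reply.

```python
import re

# Constructed sample of "tcpdump -ni em0" output, modelled on the report:
# the echo request arrives as ESP, the echo reply leaves in cleartext.
SAMPLE_CAPTURE = """\
11:43:31.276852 IP 10.11.1.3 > 172.31.0.1: ESP(spi=0x00000100,seq=0x16), length 120
11:43:31.277594 IP 172.31.0.1 > 10.11.1.3: ICMP echo reply, id 49496, seq 0, length 64
"""

# The SPD "require" entries from the report's setkey.conf, as (src, dst) pairs
# that must never appear on the wire as anything other than ESP.
REQUIRED_ESP = {
    ("10.11.1.3", "172.31.0.1"),   # spdadd ... -P in  ipsec esp/transport//require
    ("172.31.0.1", "10.11.1.3"),   # spdadd ... -P out ipsec esp/transport//require
}

# "<ts> IP <src>[.<port>] > <dst>[.<port>]: <proto...>" as printed by tcpdump -n
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<proto>\S+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto) for one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # "ESP(spi=...,seq=...)," -> "ESP"; "ICMP" stays "ICMP"
    proto = m.group("proto").split("(")[0].rstrip(",")
    return m.group("ts"), m.group("src"), m.group("dst"), proto


def find_cleartext_leaks(capture, required_esp=REQUIRED_ESP):
    """Packets between peers covered by a 'require' policy that are not ESP."""
    leaks = []
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, proto = parsed
        if (src, dst) in required_esp and proto != "ESP":
            leaks.append((ts, src, dst, proto))
    return leaks


if __name__ == "__main__":
    for ts, src, dst, proto in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(f"{ts} cleartext {proto} {src} > {dst} despite SPD 'require'")
```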