Redirecting traffic with IPSec and pf doesn't work

Attila Nagy bra at fsn.hu
Thu Jun 11 10:32:10 UTC 2009


Hello,

What I'm trying to accomplish is the following:
- there are two machines, connected over the internet (let's call them A and B)
- when A tries to connect to B:port, or B to A:port (via TCP, port is just a TCP port, in this case, 3306) the connection should be redirected to a local listener, instead of the remote
- the above should only be done if I want to (I can do this with pf anchors or tables)
- the connection between the two machines should be secured in kernel space (for efficiency and performance)

I can redirect the connections in the unsecured (no IPSec) case with the following pf.conf (this is for machine A):
rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
pass out log on $ext_if route-to (lo0 127.0.0.1) proto tcp from any to B_IP port 3306
(192.168.254.1 is an alias on A's lo0)

So when I do a telnet from A to B, the connection establishes and I can 
reach A's listener, instead of B's.

Now with IPSec.

ipsec.conf contains this (along with the PSK definitions):
spdadd A_IP B_IP any -P out ipsec
           esp/transport/A_IP-B_IP/default
           ah/transport/A_IP-B_IP/default;
and the same on B, with swapped orders.

IPSec between the two machines works, but the redirection doesn't.

pf.conf now has:
rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
pass out log on enc0 route-to (lo0 127.0.0.1) proto tcp from any to B_IP port 3306

(192.168.254.1 is lo0's alias address in this case, but I've also tried with A's public IP and also with a gif tunnel)

What I see in pflog's output seems to be OK:
100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S 
3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 
3,sackOK,timestamp 69415267 0>
000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: 
S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 
3,sackOK,timestamp 69415267 0>

and the traffic shows up on enc0 as well, but is not that nice:
11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > 
B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 
3,sackOK,timestamp 69415267 0>
11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > 
B_IP.3306: R 3107058077:3107058077(0) win 0

The command, which produced the above output is:
MACHINE_A $ telnet B_IP 3306
telnet: connect to address B_IP: Interrupted system call
telnet: Unable to connect to remote host

I've tried to set net.enc.out.ipsec_filter_mask to different values without success; only 0x0 gave a "connection refused" answer instead of "Interrupted system call".

This is on 7-STABLE.

Is redirecting TCP flows on IPSec-secured connections impossible because of some layering differences? (Maybe the above redirects the packet with IPSec headers, and this causes the problem.)

Thanks,


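The pflog and enc0 tcpdump lines quoted above can be correlated mechanically to see which rdr target pf picked and whether the redirected SYN was followed by an RST from the same originator on the same SA. The following is an added example, not code from the post or from FreeBSD; the sample lines are constructed from the output quoted above, with the post's A_IP / B_IP placeholders kept as-is.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample lines constructed from the pflog and enc0 tcpdump output quoted in the post
# (A_IP / B_IP are the post's placeholders, not real addresses).
PFLOG_LINES = [
    "100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S "
    "3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>",
    "000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: S "
    "3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>",
]
ENC0_LINES = [
    "11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S "
    "3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>",
    "11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R "
    "3107058077:3107058077(0) win 0",
]

# Endpoint pattern shared by both formats: host.port > host.port: FLAGS
_EP = r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
PFLOG_RE = re.compile(r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): " + _EP)
ENC0_RE = re.compile(r"SPI (?P<spi>0x[0-9a-fA-F]+): IP " + _EP)

Flow = Tuple[str, int, str, int]

def parse_line(line: str, pattern: re.Pattern) -> Optional[Dict[str, str]]:
    """Return the named fields of one tcpdump-style line, or None if it does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None

def flow_of(rec: Dict[str, str]) -> Flow:
    return (rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]))

def analyze(pflog_lines: List[str], enc0_lines: List[str]) -> Dict[str, object]:
    """Correlate pf rule matches with what actually appeared on enc0.

    Reports the rdr target pf chose per originating socket, the TCP flag sequence
    seen per flow on enc0, and the flows where the originator's SYN was followed
    by an RST from the same originator (the connection was torn down locally)."""
    rdr_targets: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for rec in filter(None, (parse_line(l, PFLOG_RE) for l in pflog_lines)):
        if rec["action"] == "rdr":
            rdr_targets[(rec["src"], int(rec["sport"]))] = (rec["dst"], int(rec["dport"]))
    flags_by_flow: Dict[Flow, List[str]] = {}
    for rec in filter(None, (parse_line(l, ENC0_RE) for l in enc0_lines)):
        flags_by_flow.setdefault(flow_of(rec), []).append(rec["flags"])
    syn_then_rst = [f for f, fl in flags_by_flow.items() if "S" in fl and "R" in fl[fl.index("S"):]]
    return {"rdr_targets": rdr_targets, "enc0_flows": flags_by_flow, "syn_then_rst": syn_then_rst}

if __name__ == "__main__":
    print(analyze(PFLOG_LINES, ENC0_LINES))
```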