Redirecting traffic with IPSec and pf doesn't work

Stephen Clark sclark46 at earthlink.net
Thu Jun 11 14:12:15 UTC 2009


Attila Nagy wrote:
> Hello,
> 
> What I'm trying to accomplish is the following:
> - there are two machines, connected over the internet (let's call them A 
> and B)
> - when A tries to connect to B:port, or B to A:port (via TCP, port is 
> just a TCP port, in this case, 3306) the connection should be redirected 
> to a local listener, instead of the remote
> - the above should only be done if I want to (I can do this with pf 
> anchors or tables)
> - the connection between the two machines should be secured in kernel 
> space (for efficiency and performance)
> 
> I can redirect the connections in the unsecured (no IPSec) case with the 
> following pf.conf (this is for machine A):
> rdr proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
> pass out log on $ext_if route-to (lo0 127.0.0.1) proto tcp from any to B_IP port 3306
> (192.168.254.1 is an alias on A's lo0)
> 
> So when I do a telnet from A to B, the connection establishes and I can 
> reach A's listener, instead of B's.
> 
> Now with IPSec.
> 
> ipsec.conf contains this (along with the PSK definitions):
> spdadd A_IP B_IP any -P out ipsec
>           esp/transport/A_IP-B_IP/default
>           ah/transport/A_IP-B_IP/default;
> and the same on B, with swapped orders.
> 
> IPSec between the two machines works, but the redirection doesn't.
> 
> pf.conf now has:
> rdr pass log proto tcp from any to B_IP port 3306 -> 192.168.254.1 port 3306
> pass out log on enc0 route-to (lo0 127.0.0.1) proto tcp from any to B_IP port 3306
> 
> (192.168.254.1 is lo0's alias address in this case, but I've also tried 
> with A's public IP and also with a gif tunnel)
> 
> What I see in pflog's output seems to be OK:
> 100. 062276 rule 6/0(match): pass out on enc0: A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
> 000038 rule 0/0(match): rdr in on lo0: A_IP.59940 > 192.168.254.1.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
> 
> and the traffic shows up on enc0 as well, but is not that nice:
> 11:57:36.482910 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: S 3107058076:3107058076(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 69415267 0>
> 11:57:36.483009 (confidential): SPI 0x00003d55: IP A_IP.59940 > B_IP.3306: R 3107058077:3107058077(0) win 0
> 
> The command, which produced the above output is:
> MACHINE_A $ telnet B_IP 3306
> telnet: connect to address B_IP: Interrupted system call
> telnet: Unable to connect to remote host
> 
> I've tried to set net.enc.out.ipsec_filter_mask to different values 
> without success, only 0x0 gave a connection refused answer, instead of 
> "Interrupted system call".
> 
> This is on 7-STABLE.
> 
> Is redirecting TCP flows on IPSec-secured connections impossible because of 
> some layering differences? (maybe the above redirects the packet with 
> IPSec headers, so this causes the problem)
> 
> Thanks,
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> 

I don't know on 7.x but on 6.x you have to turn on
options        IPSEC_FILTERGIF         #filter ipsec packets from a tunnel

to get packets to go through ipfilter - I assume it is the same for pf. I had the
same problem not being able to redirect packets coming from an ipsec tunnel until
I turned this option on.

HTH,
Steve

-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
