[FreeBSD 10.0] nat before vpn, incoming packets not translated

Eric Masson emss at free.fr
Sat Jan 25 15:28:15 UTC 2014


Hi,

I've set up a lab to experiment with a nat before ipsec scenario.
Architecture:
- 3 host-only interfaces have been set up on the host
- 4 FreeBSD10 guests have been set up:
  - 2 clients connected to their respective gateways via dedicated
    host-only interfaces.
  - 2 gateways connected together via a dedicated host-only interface

Client 1 setup:
<----------------------------------------------------------------->
emss at client1:~ % more /etc/rc.conf
hostname="client1"
keymap="fr.iso.acc.kbd"
ifconfig_em0="inet 192.168.11.100 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
defaultrouter="192.168.11.15"
sshd_enable="YES"
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
<----------------------------------------------------------------->

Gateway 1 setup:
<----------------------------------------------------------------->
emss at gateway1:~ % more /etc/rc.conf
hostname="gateway1"
keymap="fr.iso.acc.kbd"
ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
ifconfig_em1_ipv6="inet6 accept_rtadv"
ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
gateway_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
emss at gateway1:~ % more /etc/ipfw.rules
#!/bin/sh
cmd="/sbin/ipfw"
$cmd -f flush
$cmd    add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
$cmd    nat 100 config log ip 172.16.0.1 reverse
emss at gateway1:~ % more /etc/ipsec.conf
flush;
spdflush;

add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";

add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;

spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
  ipcomp/tunnel/10.0.0.6-10.0.0.5/require
  esp/tunnel/10.0.0.6-10.0.0.5/require;

spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
  ipcomp/tunnel/10.0.0.5-10.0.0.6/require
  esp/tunnel/10.0.0.5-10.0.0.6/require;
emss at gateway1:~ % more /boot/loader.conf
ipfw_load="YES"
ipfw_nat_load="YES"

net.inet.ip.fw.default_to_accept="1"
<----------------------------------------------------------------->

Gateway 2 setup:
<----------------------------------------------------------------->
emss at gateway2:~ % more /etc/rc.conf
hostname="gateway2"
keymap="fr.iso.acc.kbd"
ifconfig_em1="inet 10.0.0.6 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.21.15 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
gateway_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
emss at gateway2:~ % more /etc/ipsec.conf
flush;
spdflush;

add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";

add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;

spdadd 192.168.21.0/24 172.16.0.1/32 any -P out ipsec
  ipcomp/tunnel/10.0.0.6-10.0.0.5/require
  esp/tunnel/10.0.0.6-10.0.0.5/require;

spdadd 172.16.0.1/32 192.168.21.0/24 any -P in ipsec
  ipcomp/tunnel/10.0.0.5-10.0.0.6/require
  esp/tunnel/10.0.0.5-10.0.0.6/require;
<----------------------------------------------------------------->

Client 2 setup:
<----------------------------------------------------------------->
emss at client2:~ % more /etc/rc.conf
hostname="client2"
keymap="fr.iso.acc.kbd"
ifconfig_em0="inet 192.168.21.100 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 accept_rtadv"
defaultrouter="192.168.21.15"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
<----------------------------------------------------------------->

Test the setup by pinging client2 from client1:

On client1:
emss at client1:~ % ping 192.168.21.100
PING 192.168.21.100 (192.168.21.100): 56 data bytes

On gateway1's inside interface:

root at gateway1:~ # tcpdump -i em1
17:16:08.600154 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 10499, seq 7207, length 64
17:16:08.600660 IP 192.168.11.100 > 192.168.21.100: ICMP echo request, id 59651, seq 213, length 64
...

On gateway1's outside interface:
root at gateway1:~ # tcpdump -i em0
17:16:48.501317 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed4), length 128
17:16:48.501612 IP 10.0.0.5 > 10.0.0.6: ESP(spi=0x00001000,seq=0x1ed5), length 128
17:16:48.502665 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e67), length 128
17:16:48.502938 IP 10.0.0.6 > 10.0.0.5: ESP(spi=0x00001001,seq=0x1e68), length 128
...

On client2:
root at client2:~ # tcpdump -i em0
17:14:17.671181 IP 172.16.0.1 > 192.168.21.100: ICMP echo request, id 59651, seq 107, length 64
17:14:17.671230 IP 192.168.21.100 > 172.16.0.1: ICMP echo reply, id 59651, seq 107, length 64
...

So, the only remaining issue is that gateway1 doesn't nat back the ipsec-
decapsulated packets (without nat in the scenario, everything works fine).

Setting net.inet.ip.fw.one_pass to 0 doesn't change anything.

Any idea, please?

Regards

Éric Masson
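As an added check (example code, not from the original post and not FreeBSD's own ipfw code): a small Python model of the "from SRC to DST" address selectors in an ipfw rule body, run over the gateway1 nat rule and the packet directions visible in the tcpdump output above. It models only the address match, not rule direction, interface, protocol keywords or libalias state; the packet list is constructed from the captures.

```python
import ipaddress
import re

# The single nat rule from gateway1's /etc/ipfw.rules as (number, body).
GATEWAY1_RULES = [
    (100, "all from 192.168.11.0/24 to 192.168.21.0/24"),
]

# Constructed from the tcpdump lines quoted in the post: (label, src, dst).
PACKETS = [
    ("echo request, gateway1 em1", "192.168.11.100", "192.168.21.100"),
    ("echo request, client2 em0", "172.16.0.1", "192.168.21.100"),
    ("echo reply, client2 em0", "192.168.21.100", "172.16.0.1"),
]

# Only the "<proto> from <addr> to <addr>" shape is modelled (assumption).
BODY_RE = re.compile(r"^(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)$")


def parse_addr(token):
    """'any' matches every address; otherwise a host or CIDR prefix."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rule(number, body):
    m = BODY_RE.match(body.strip())
    if not m:
        raise ValueError(f"unsupported rule body: {body!r}")
    return {"number": number, "proto": m["proto"],
            "src": parse_addr(m["src"]), "dst": parse_addr(m["dst"])}


def rule_matches(rule, src, dst):
    """Address part of ipfw matching: src in the 'from' set and dst in the 'to' set."""
    def in_set(net, addr):
        return net is None or ipaddress.ip_address(addr) in net
    return in_set(rule["src"], src) and in_set(rule["dst"], dst)


def first_match(rules, src, dst):
    """Number of the first rule whose address selectors match, or None."""
    for number, body in rules:
        if rule_matches(parse_rule(number, body), src, dst):
            return number
    return None


def classify(rules, packets):
    """Map each packet label to the first matching rule number (or None)."""
    return {label: first_match(rules, src, dst) for label, src, dst in packets}


if __name__ == "__main__":
    for label, hit in classify(GATEWAY1_RULES, PACKETS).items():
        print(f"{label:28s} -> {('rule %d' % hit) if hit else 'no matching rule'}")
```

Running it shows that only the outbound echo request is selected by the rule's address pair; the reply seen on client2 (192.168.21.100 to 172.16.0.1) is outside both its "from" and "to" sets.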


