[FreeBSD 10.0] nat before vpn, incoming packets not translated
John W. O'Brien
john at saltant.com
Fri Mar 7 02:48:23 UTC 2014
Hi Eric,
On 1/25/14 10:28 AM, Eric Masson wrote:
> Hi,
>
> I've set up a lab to experiment with a NAT-before-IPsec scenario.
> Architecture:
> - 3 host-only interfaces have been set up on the host
> - 4 FreeBSD 10 guests have been set up:
> - 2 clients connected to their respective gateways via dedicated host-only interfaces.
> - 2 gateways connected together via a dedicated host-only interface
Trimming configs for clarity
> Gateway 1 setup :
> <----------------------------------------------------------------->
> emss at gateway1:~ % more /etc/rc.conf
> hostname="gateway1"
> ifconfig_em1="inet 192.168.11.15 netmask 255.255.255.0"
> ifconfig_em0="inet 10.0.0.5 netmask 255.255.255.0"
> gateway_enable="YES"
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> emss at gateway1:~ % more /etc/ipfw.rules
> #!/bin/sh
> cmd="/sbin/ipfw"
> $cmd -f flush
> $cmd add 00100 nat 100 all from 192.168.11.0/24 to 192.168.21.0/24
You also need to perform NAT processing on the traffic that returns to
gateway1 from gateway2.
$cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1
> $cmd nat 100 config log ip 172.16.0.1 reverse
> emss at gateway1:~ % more /etc/ipsec.conf
> flush;
> spdflush;
>
> add 10.0.0.5 10.0.0.6 esp 0x1000 -E 3des-cbc "123456789012345678901234";
> add 10.0.0.6 10.0.0.5 esp 0x1001 -E 3des-cbc "432109876543210987654321";
>
> add 10.0.0.5 10.0.0.6 ipcomp 0x2000 -C deflate;
> add 10.0.0.6 10.0.0.5 ipcomp 0x2001 -C deflate;
>
> spdadd 192.168.21.0/24 172.16.0.1/32 any -P in ipsec
> ipcomp/tunnel/10.0.0.6-10.0.0.5/require
> esp/tunnel/10.0.0.6-10.0.0.5/require;
>
> spdadd 172.16.0.1/32 192.168.21.0/24 any -P out ipsec
> ipcomp/tunnel/10.0.0.5-10.0.0.6/require
> esp/tunnel/10.0.0.5-10.0.0.6/require;
> emss at gateway1:~ % more /boot/loader.conf
> ipfw_load="YES"
> ipfw_nat_load="YES"
>
> net.inet.ip.fw.default_to_accept="1"
I'm curious to learn whether this is sufficient. I haven't tested any
combination of NAT and IPsec.
Regards,
John
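The point John makes above, that a NAT instance only rewrites the packets a rule actually steers into it, so the return direction needs its own rule, can be shown with a small model. The following is an added example and not code from the thread or from FreeBSD: it is a deliberately simplified stateful source-NAT table and a first-match rule walker, not ipfw or libalias, and the client and peer addresses (192.168.11.20, 192.168.21.30) and the port numbers are constructed to match the lab's subnets. It runs the same request/reply round trip once with only the outbound rule 100 and once with the additional rule 200 for traffic returning to 172.16.0.1.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Lab values from the thread; the host addresses below are constructed.
LAN = "192.168.11.0/24"          # behind gateway1
REMOTE_LAN = "192.168.21.0/24"   # behind gateway2
NAT_IP = "172.16.0.1"            # address gateway1 presents through the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class SourceNat:
    """Toy stateful source NAT (not libalias): rewrite src on the way out,
    reverse the recorded mapping on the way back."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public port) -> (original src, original sport)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.proto, self.next_port)
        self.table[key] = (pkt.src, pkt.sport)
        self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=key[1])

    def translate_in(self, pkt: Packet) -> Packet:
        orig = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or orig is None:
            return pkt  # no state for this flow: leave it untranslated
        return replace(pkt, dst=orig[0], dport=orig[1])


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "nat" or "allow"
    src: str         # CIDR
    dst: str         # CIDR
    direction: str   # "out" (LAN -> tunnel) or "in" (tunnel -> LAN)

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (direction == self.direction
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def apply_ruleset(rules: List[Rule], nat: SourceNat, pkt: Packet, direction: str) -> Packet:
    """Walk the rules in number order, first match wins; a 'nat' rule hands
    the packet to the NAT instance for the given direction."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt, direction):
            continue
        if rule.action == "nat":
            return nat.translate_out(pkt) if direction == "out" else nat.translate_in(pkt)
        return pkt  # 'allow': pass unchanged
    return pkt  # default-to-accept, as in the lab's loader.conf


def round_trip(with_return_rule: bool) -> Tuple[Packet, Packet]:
    """Send one request through the rules and deliver the peer's reply.
    Returns (packet as sent into the tunnel, reply as delivered to the LAN)."""
    nat = SourceNat(NAT_IP)
    rules = [Rule(100, "nat", LAN, REMOTE_LAN, "out")]          # Eric's rule 100
    if with_return_rule:
        rules.append(Rule(200, "nat", REMOTE_LAN, NAT_IP + "/32", "in"))  # John's rule 200

    request = Packet("192.168.11.20", "192.168.21.30", "tcp", 51000, 22)
    on_wire = apply_ruleset(rules, nat, request, "out")

    # The peer answers the source it saw, i.e. the NAT address and port.
    reply = Packet(on_wire.dst, on_wire.src, "tcp", on_wire.dport, on_wire.sport)
    delivered = apply_ruleset(rules, nat, reply, "in")
    return on_wire, delivered


if __name__ == "__main__":
    for flag in (False, True):
        out, back = round_trip(flag)
        print(f"return rule={flag}: sent as {out.src}:{out.sport}, "
              f"reply delivered to {back.dst}:{back.dport}")
```

Without rule 200 the reply keeps its destination of 172.16.0.1, an address no client holds, so it is never delivered; with it, the NAT state created by the outbound packet is consulted and the reply is rewritten back to 192.168.11.20. On the real gateway the equivalent check is to watch the nat instance's log output (the config line enables `log`) and `tcpdump` on em1 for the reply's destination address.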