NAT before IPSEC - reply packets stuck at enc0

Muenz, Michael m.muenz at spam-fetish.org
Wed Jul 19 08:02:51 UTC 2017


Hi,

seems this is a rather old topic but I want to check if there's perhaps 
some progress or chance to get this done.
I'm using OPNsense based on FreeBSD 11 and there's a problem with NAT 
before IPSEC.

Some old discussions:
https://forum.pfsense.org/index.php?topic=49800.msg265106#msg265106
http://undeadly.org/cgi?action=article&sid=20090127205841
https://github.com/opnsense/core/issues/440

What I want to achieve is:

IPSEC between 10.26.1.0/24 to 10.24.66.0/24 (works).
Peer at Site-B cannot be changed anymore, but there's a second subnet 
(10.26.2.0/24) on Site-A:

10.26.2.0 -- Router-A -- 10.26.1.0 -- Firewall-A --- VPN --- Firewall-B 
-- 10.24.66.0

If 10.26.2.0 wants to reach 10.24.66.0 I'd have to NAT the packets to an 
IP for 10.24.1.0 before it hits VPN.

My approach was:

kldload ipfw_nat.ko
ipfw nat 1 config ip 10.26.1.1 log reverse
ipfw add 179 nat 1 log all from 10.26.2.0/24 to 10.24.66.0/24

So all packets from 10.26.2. to 10.24.66 will be NATted to IP 10.26.1.1 
(LAN IP Firewall-A).

This works just fine and I see the replies in enc0:
09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8
09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8

Sadly nothing else happens. My thought was it's just some kind of 
state-tracking so I played around with all kinds of sysctl values, but 
nothing helps.

Is there really no way to achieve a setup like this?

Thanks,
Michael
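The following is an added example, not code from the post or from OPNsense/FreeBSD. It parses tcpdump output in the enc0 format shown above (the two capture lines are copied from the post, rejoined onto one line each), pairs ICMP echo requests with their replies, and models the reverse step that a NAT-before-IPsec setup has to perform: the reply arrives on enc0 addressed to the NAT IP 10.26.1.1, and unless some state maps that (address, ICMP id) back to the inner host, nothing can forward it into 10.26.2.0/24. The inner host 10.26.2.10 is an assumption; the toy NAT table is a simplification of what ipfw nat keeps, not its real implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the post's "tcpdump -i enc0" output, rejoined onto one line each.
SAMPLE_CAPTURE = [
    "09:51:21.213003 (authentic,confidential): SPI 0x4f58b82d: IP 10.26.1.1 > 10.24.66.108: ICMP echo request, id 57714, seq 2315, length 8",
    "09:51:21.221789 (authentic,confidential): SPI 0xcc28e9af: IP 10.24.66.108 > 10.26.1.1: ICMP echo reply, id 57714, seq 2315, length 8",
]

# One decapsulated ICMP echo packet as tcpdump prints it on enc0.
ENC0_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


@dataclass(frozen=True)
class Icmp:
    ts: str
    spi: int
    src: str
    dst: str
    kind: str   # "request" or "reply"
    id: int
    seq: int


def parse_enc0(lines):
    """Parse enc0 capture lines; lines that are not ICMP echo are skipped."""
    packets = []
    for line in lines:
        m = ENC0_RE.match(line.strip())
        if m:
            packets.append(Icmp(m["ts"], int(m["spi"], 16), m["src"], m["dst"],
                                m["kind"], int(m["id"]), int(m["seq"])))
    return packets


def pair_echo(packets):
    """Match requests to replies on (id, seq); unanswered requests get None."""
    pending, pairs = {}, []
    for p in packets:
        key = (p.id, p.seq)
        if p.kind == "request":
            pending[key] = p
        elif key in pending:
            pairs.append((pending.pop(key), p))
    pairs.extend((req, None) for req in pending.values())
    return pairs


class NatTable:
    """Toy model (assumption, not ipfw's real table): outbound packets from the
    inner subnet get their source rewritten to nat_ip, and the ICMP id is
    remembered so a reply to nat_ip can be handed back to the inner host."""

    def __init__(self, nat_ip: str):
        self.nat_ip = nat_ip
        self.state = {}  # icmp id -> original inner source

    def outbound(self, src: str, icmp_id: int) -> str:
        self.state[icmp_id] = src
        return self.nat_ip

    def inbound(self, dst: str, icmp_id: int) -> Optional[str]:
        if dst != self.nat_ip:
            return dst            # not translated traffic, leave it alone
        return self.state.get(icmp_id)  # None: no state, reply cannot be delivered


def diagnose(packets, nat: NatTable):
    """For every echo seen on enc0, report where the reverse NAT step would
    deliver the reply: the inner host, None when no state exists (the reply
    got through the tunnel but dies after enc0), or a note that no reply came."""
    report = {}
    for req, rep in pair_echo(packets):
        key = (req.id, req.seq)
        report[key] = "no reply on enc0" if rep is None else nat.inbound(rep.dst, rep.id)
    return report


if __name__ == "__main__":
    nat = NatTable("10.26.1.1")
    nat.outbound("10.26.2.10", 57714)  # constructed: inner host sent the echo
    print(diagnose(parse_enc0(SAMPLE_CAPTURE), nat))
    print(diagnose(parse_enc0(SAMPLE_CAPTURE), NatTable("10.26.1.1")))
```

The second `diagnose` call is the situation in the post: the reply is present on enc0, addressed to 10.26.1.1, but the path that sees it after decapsulation has no translation state for it, so the result is `None` rather than an inner host. The useful check from the capture alone is therefore that the tunnel side is fine and the loss happens on the reverse-translation side.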




More information about the freebsd-net mailing list