nbari
July 7th, 2009, 05:32
Hi, I have a server with multiple public ip's (each per jail), on on jail I need a VPN-ipsec for doing so I created the ipsec tunnel on the main host using has PEAR the jail IP and later using pf just redirect-nat trafic to the jail doing something like this:
nat pass on gif0 from 77.128.37.144 to 10.0.0.1 -> gif0
rdr pass on gif0 inet proto tcp from any to any port 8090 -> 77.128.37.144 port 8090
<host B 10.0.0.1><----internet---><host FBSD host 77.128.37.140><==jails 77.128.37.140-144
this is the output of ifconfig:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 77.128.37.144 --> 67.228.78.163
inet 192.168.1.1 --> 10.0.0.1 netmask 0xffffffff
if ipsec is not running the redirection and nat work fine, from the jail 77.128.37.144 I can ping the private host B 10.0.0.1 and connect to port 8090 and also machines from host B can telnet/ping port 8090 on 77.128.37.144.
but if I enable ipsec and when the trafic becomes encrypted I can not route/nat the trafic.
what I need is to be available to connect from jail ip 77.128.37.144 to 10.0.0.1 on port 8090.
right now I am solving this with jumpgate (a TCP connection forwarder) running it from the master host but is there a way of doing the same with pf ?
my kernel has the following options:
options IPSEC
options IPSEC_FILTERTUNNEL
options IPSEC_DEBUG
device crypto
device enc
Any ideas ?
regards.
nat pass on gif0 from 77.128.37.144 to 10.0.0.1 -> gif0
rdr pass on gif0 inet proto tcp from any to any port 8090 -> 77.128.37.144 port 8090
<host B 10.0.0.1><----internet---><host FBSD host 77.128.37.140><==jails 77.128.37.140-144
this is the output of ifconfig:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 77.128.37.144 --> 67.228.78.163
inet 192.168.1.1 --> 10.0.0.1 netmask 0xffffffff
if ipsec is not running the redirection and nat work fine, from the jail 77.128.37.144 I can ping the private host B 10.0.0.1 and connect to port 8090 and also machines from host B can telnet/ping port 8090 on 77.128.37.144.
but if I enable ipsec and when the trafic becomes encrypted I can not route/nat the trafic.
what I need is to be available to connect from jail ip 77.128.37.144 to 10.0.0.1 on port 8090.
right now I am solving this with jumpgate (a TCP connection forwarder) running it from the master host but is there a way of doing the same with pf ?
my kernel has the following options:
options IPSEC
options IPSEC_FILTERTUNNEL
options IPSEC_DEBUG
device crypto
device enc
Any ideas ?
regards.