NAT on IPSEC with PF

Hi there,

I've set up an IPsec tunnel with five networks on FreeBSD 8.4 to an Astaro based device. One of the remote networks has the 192.168.0.39/24 subnet and it's accessible from a local network 10.253.1.0/24 like all of these networks. The network of my LAN has a 192.168.0.0/24 subnet. So I've configured my NIC from the intranet with 192.168.0.2 and put an alias with 10.253.1.1 on it.

Code:
intranet: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=401bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether a0:36:9f:1f:98:44
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	inet 10.253.1.1 netmask 0xffffffff broadcast 10.253.1.1
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active

Code:
MyPublicIP -> 10.253.1.0/24 <-> 192.168.39.0 <- RemotePublicIP
                  |
MyLAN-IP -> 192.168.0.0/24

On my IPsec/PF FreeBSD system I can reach all addresses on the remote subnets. But I didn't get a successful NAT from my LAN 192.168.0.0/24 to 10.253.1 to the remote LANs working.

Is there a trick for how I could do that with PF?

Cheers, Darko.
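As an added illustration, not from the original post or any of the replies: a pf.conf fragment that translates the LAN to the 10.253.1.1 alias before IPsec processes the packet. It assumes if_enc is loaded so that pf sees tunnel traffic on enc0, that the SPD already selects 10.253.1.0/24 <-> 192.168.39.0/24, and uses the interface and subnet names from the post; the other four tunnel networks are placeholders to be filled in.

```pf
# Added example, not the poster's pf.conf. Assumes FreeBSD 8.4 with if_enc
# loaded (pf then sees IPsec traffic on enc0 before encryption and after
# decryption; see sysctl net.enc.out.ipsec_filter_mask and
# net.enc.in.ipsec_filter_mask) and an SPD whose selectors are
# 10.253.1.0/24 <-> the remote networks, not 192.168.0.0/24.
int_if      = "intranet"
lan_net     = "192.168.0.0/24"
nat_addr    = "10.253.1.1"
# 192.168.39.0/24 is from the post; the other tunnel networks are placeholders.
remote_nets = "{ 192.168.39.0/24 }"

# Translate LAN sources to the alias on enc0, i.e. before the packet is
# matched against the SPD, so the inner source of the ESP packet falls
# inside the 10.253.1.0/24 selector the remote Astaro expects.
nat on enc0 from $lan_net to $remote_nets -> $nat_addr

# LAN side: accept traffic headed for the remote networks.
pass in quick on $int_if from $lan_net to $remote_nets keep state

# enc0: allow the translated flows out and the replies back in.
pass out quick on enc0 from $nat_addr to $remote_nets keep state
pass in  quick on enc0 from $remote_nets to $nat_addr keep state
```

Check the result with `pfctl -s nat` and `pfctl -s state` while pinging a remote host from the LAN; a state entry on enc0 whose source is 10.253.1.1 confirms the translation happened before encryption.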
 
minimike said:
On my IPSEC/PF FreeBSD system I can reach all addresses on the remote subnets. But I didn't get a successful NAT from my LAN 192.168.0.0/24 to 10.253.1 to the remote LANs working.

Do you really mean NAT or just routing? One thing I noticed is that you have the netmask wrong on the 10.253.1.1 address, it should be 255.255.255.0 because it's in a different subnet than the main address.
 
I'm asking about NAT because I don't see any NAT in your description. Post your rules and relevant parts of the IPsec and networking configurations and someone may have a clue what is wrong.
 
It's not clear if you are running through a NAT between the two machines, but if you are...

If your "public IP" is actually private and then hitting the Internet somehow, the NAT box you are going through will need to allow IPsec NAT-T for your tunnel to work. You will also need to allow the relevant NAT-T ports through pf.

If you don't own the NAT box, you may need to contact those who do.

Essentially what I'm saying is this: If your encrypted payloads pass through a NAT, IPsec will break, as NAT modifies the packets in a way that is incompatible with IPsec. NAT-T is a work-around for this issue (though it does come with some inherent caveats regarding degraded security).
 
No. IPsec payloads can pass through NAPT without damage unless you use AH. The problem is in establishing the SAs (and policies).
 
Crest said:
No. IPsec Payloads can pass through NAPT without damage unless you use AH. The problem is in establishing the SAs (and policies).

Which is kind of crucial to negotiating a connection?

(I haven't run IPsec on FreeBSD for a decade or more, I do it all on Cisco gear these days).
 