Hi Everybody, I'm posting after reading many many threads on this forum.
I have this kind of configuration, in which I would like to route my clients' traffic through a FreeBSD gateway connected to the corporate network via IPsec.
Code:
(Clients) : 192.168.1.0/24 -> (FBSD 13.1-RELEASE-p3) : 192.168.1.251 -> (corporate ipsec vpn) with internet public ip (X.X.X.X)
An IPsec connection is successfully established with strongSwan between FreeBSD and the corporate VPN server, and after connecting I have an ipsec0 point-to-point interface with inet 10.10.10.68:
Code:
ipsec0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1400
tunnel inet 192.168.1.251 --> X.X.X.X
inet 10.10.10.68 --> 10.10.10.68 netmask 0xff000000
groups: ipsec
reqid: 100
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
At this point, on the FreeBSD server everything works through IPsec: I can reach every host in my corporate network.
My goal is to permit the clients to reach the same resources via ipfw with NAT and routing.
This is the relevant part of /etc/rc.conf:
Code:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"
strongswan_enable="YES"
This is the /etc/ipfw.rules file:
Code:
#!/bin/sh
WAN="ipsec0"
LAN="em0"
CMD="/sbin/ipfw -q"
$CMD flush
# Kernel NAT instance bound to the tunnel interface; only RFC1918 sources are translated.
$CMD nat 1 config if $WAN same_ports unreg_only reset
$CMD add 10 allow ip from any to any via $LAN
$CMD add 20 allow ip from any to any via em1
$CMD add 30 allow ip from any to any via lo0
$CMD add 40 reass all from any to any in
# NAT rule for incoming packets (reverse translation of replies arriving on the tunnel).
$CMD add 100 nat 1 ip4 from any to any in recv $WAN
$CMD add 101 check-state
# Allow all other outgoing connections, creating dynamic state, then jump to the outbound NAT rule.
$CMD add 2000 skipto 10000 tcp from any to any out xmit $WAN setup keep-state
$CMD add 2010 skipto 10000 udp from any to any out xmit $WAN keep-state
$CMD add 2020 skipto 10000 icmp from any to any out xmit $WAN keep-state
# NAT rule for outgoing packets.
$CMD add 10000 nat 1 ip4 from any to any out xmit $WAN
# Allow anything else – just in case IPFW is not configured as an open firewall.
$CMD add 65534 allow ip from any to any
On the clients I added a route for the network 10.0.0.0/8 (corporate network) via 192.168.1.251 (FreeBSD), but I cannot reach any destination IP.
Starting a ping (but the same is true for any kind of connection) from a client to a corporate IP, I can see this in a tcpdump taken on FreeBSD:
Code:
14:52:35.136304 IP 10.10.10.68 > 10.78.176.26: ICMP echo request, id 58574, seq 0, length 64
14:52:35.147521 IP 10.78.176.26 > 10.10.10.68: ICMP echo reply, id 58574, seq 0, length 64
14:52:36.157796 IP 10.10.10.68 > 10.78.176.26: ICMP echo request, id 58574, seq 1, length 64
14:52:36.170614 IP 10.78.176.26 > 10.10.10.68: ICMP echo reply, id 58574, seq 1, length 64
14:52:37.206671 IP 10.10.10.68 > 10.78.176.26: ICMP echo request, id 58574, seq 2, length 64
14:52:37.217198 IP 10.78.176.26 > 10.10.10.43: ICMP echo reply, id 58574, seq 2, length 64
The outbound NAT is done correctly, the request reaches the destination and the destination replies, but unfortunately everything ends on the point-to-point interface of FreeBSD.
No packet comes back to the originating IP (in network 192.168.1.0/24).
Obviously, if I start the same request directly on FreeBSD it works correctly.
I tried the same configuration with PF, with ipfw and natd, and with ipfw and kernel NAT. I always get the same behavior.
In /etc/sysctl.conf, with
Code:
net.inet.ip.fw.one_pass=1 or net.inet.ip.fw.one_pass=0
nothing changes.
At this point I believe I'm missing some piece of configuration about NAT, but I have been struggling for days without finding a suitable solution.
I'm also using the same configuration on Oracle Linux and Ubuntu with iptables MASQUERADE, and it works without any issue.
I need your help, if possible, to figure out where I'm going wrong.
Many Thanks,
Regards.
Fabio.
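A return-path check for a setup like the one in the post, added here as an example (it is not part of the original post and not code from the poster). It correlates the ICMP echo traffic seen on the LAN side (em0) with what is seen on the tunnel side (ipsec0) and reports the first stage at which packets disappear. The client address 192.168.1.20 and both capture texts are constructed for the example; the NAT address 10.10.10.68 and the interface names are taken from the post.

```sh
#!/bin/sh
# Return-path check for NAT over an if_ipsec tunnel. Added example, not part of
# the original post. Correlates ICMP echo requests/replies seen on the LAN
# interface with those seen on the tunnel interface and prints the first stage
# at which traffic is lost. On the gateway the two captures would come from
#   tcpdump -nli em0 icmp      and      tcpdump -nli ipsec0 icmp
# Here they are constructed inline so the script runs offline.

LAN_NET="192.168.1."   # client subnet prefix (from the post)
NAT_IP="10.10.10.68"   # address ipfw nat rewrites client sources to (from the post)

# Constructed LAN-side capture: the client's requests go out, no reply comes back.
# The client address 192.168.1.20 is an assumption for this example.
LAN_CAP='14:52:35.136001 IP 192.168.1.20 > 10.78.176.26: ICMP echo request, id 58574, seq 0, length 64
14:52:36.157500 IP 192.168.1.20 > 10.78.176.26: ICMP echo request, id 58574, seq 1, length 64'

# Constructed tunnel-side capture, shaped like the one in the post.
TUN_CAP='14:52:35.136304 IP 10.10.10.68 > 10.78.176.26: ICMP echo request, id 58574, seq 0, length 64
14:52:35.147521 IP 10.78.176.26 > 10.10.10.68: ICMP echo reply, id 58574, seq 0, length 64
14:52:36.157796 IP 10.10.10.68 > 10.78.176.26: ICMP echo request, id 58574, seq 1, length 64
14:52:36.170614 IP 10.78.176.26 > 10.10.10.68: ICMP echo reply, id 58574, seq 1, length 64'

# count_icmp CAPTURE FIXED_STRING KIND
# Counts capture lines that are "ICMP echo KIND" and contain FIXED_STRING.
# Plain substring matching via index(), so dots in addresses are not regex wildcards.
count_icmp() {
    printf '%s\n' "$1" | awk -v pat="$2" -v kind="$3" '
        index($0, "ICMP echo " kind) > 0 && index($0, pat) > 0 { n++ }
        END { print n + 0 }'
}

# nat_path_check LAN_CAPTURE TUNNEL_CAPTURE
# Prints exactly one verdict:
#   no_client_traffic        no client request on the LAN side (client route missing)
#   nat_out_broken           LAN requests seen, but nothing leaves the tunnel as NAT_IP
#   no_reply_from_remote     NATed request left, the remote host never answered
#   denat_or_forward_broken  reply reached the tunnel side but was never sent back on the LAN
#   ok                       full round trip observed on both interfaces
nat_path_check() {
    lan_req=$(count_icmp "$1" "IP $LAN_NET" request)
    tun_req=$(count_icmp "$2" "IP $NAT_IP >" request)
    tun_rep=$(count_icmp "$2" "> $NAT_IP:" reply)
    lan_rep=$(count_icmp "$1" "> $LAN_NET" reply)

    if [ "$lan_req" -eq 0 ]; then echo no_client_traffic
    elif [ "$tun_req" -eq 0 ]; then echo nat_out_broken
    elif [ "$tun_rep" -eq 0 ]; then echo no_reply_from_remote
    elif [ "$lan_rep" -eq 0 ]; then echo denat_or_forward_broken
    else echo ok
    fi
}

nat_path_check "$LAN_CAP" "$TUN_CAP"
```

The point of capturing on both interfaces: a tcpdump on ipsec0 alone cannot distinguish a working return path from a broken one, because after translation every packet there carries 10.10.10.68 whether or not the reply is later translated back to the client. The em0 capture is what shows whether the reply was de-NATed and forwarded. Alongside it, `ipfw -d list` shows whether a dynamic rule was actually created for the client's flow by the keep-state rules, which is what rule 101 (check-state) relies on to let the reply through.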