[Solved] NAT IPSec Traffic with PF

Hello everybody,

I am trying to get pf to NAT outgoing packets originating from an IPsec subnet, as pf simply seems not to translate the address. When routing the subnet, everything works as intended. After reading the Internet, I noticed quite a few threads suggesting that this particular one is a known problem with FreeBSD's pf and/or its IPsec stack. I am on 10.0-RELEASE-p7 with ipsec-tools-0.8.1_7.

Does anyone know about this or have a similar setup working?

Cheers,

S.
 
Re: NAT IPSec Traffic with pf

I assume you are using IPsec in tunnel mode. I recommend you switch to a GRE tunnel protected by IPsec in transport mode if you want to route traffic. If you want to know more about filtering packets with IPsec history see the enc(4) manpage. You can use pf as a stateful firewall on enc0 with interface bound states.
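A minimal pf.conf sketching the two things this reply mentions, NAT for an IPsec client subnet on the egress interface and stateful filtering of the decapsulated packets on enc0 with interface-bound states. This is an added example, not configuration posted by anyone in the thread. It assumes an external interface named em0 and an IPsec client subnet of 10.99.0.0/24 (both made up here), and it assumes a kernel that actually hands the decapsulated packets to pf; the rules themselves cannot work around a kernel that tags those packets to bypass the firewall.

```pf
# Assumed names for this example (not from the thread):
# external interface em0, IPsec client subnet 10.99.0.0/24
ext_if = "em0"
ipsec_net = "10.99.0.0/24"

# Bind each state to the interface it was created on, so a state created
# on enc0 is never matched by packets arriving on the external interface.
set state-policy if-bound

# Translate traffic from the IPsec clients as it leaves the external interface.
# ($ext_if) in parentheses tracks the interface address if it changes.
nat on $ext_if from $ipsec_net to any -> ($ext_if)

# Let IKE (UDP/500), NAT-T (UDP/4500) and ESP reach this host so tunnels can be set up.
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# Decapsulated packets are presented on enc0 (see enc(4)).
# Deny by default there and allow only the client subnet, keeping state per direction.
block on enc0
pass in on enc0 from $ipsec_net to any keep state
pass out on enc0 from any to $ipsec_net keep state

# Translated packets then leave via the external interface with their own state.
pass out on $ext_if keep state
```

Whether pf sees the cleartext packets on enc0 before or after the IPsec headers are handled is governed by the net.enc sysctls described in enc(4) (net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask); check those, and `pfctl -vss` for states on enc0, before concluding that a NAT rule is being ignored.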
 
Re: NAT IPSec Traffic with pf

Hi @Crest,

Thanks a bunch for your advice.

Unfortunately, I can't switch the mode of operation as this service is intended for mobile users only.

This combination (PF and IPsec and NAT) "seems" to be a known problem, and I wanted to know if it is just me or a problem in general, as none of the threads/posts have ever been resolved.

For example:
http://lists.freebsd.org/pipermail/freebsd-stable/2014-January/076900.html
https://forum.pfsense.org/index.php?topic=49800.0
http://lists.freebsd.org/pipermail/freebsd-pf/2013-December/007263.html

Another odd thing about this is that with e.g. Linux (iptables and IPsec and NAT) this very configuration works without problems. I simply cannot state why it is doing that. PF works fine, NATting other packets is working fine, a simple routed setup works fine.
 
Re: NAT IPSec Traffic with pf

There is a bug in 10.0-RELEASE with how the kernel is tagging the mbuf allocated with IPsec packets, as it gets tagged to skip firewalling. Hence PF can't NAT what it can't see. The short answer is: you need to upgrade to 10.0-STABLE or use an older version of FreeBSD.

Long answers:
http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 - The PR with the technical details.
https://forums.freebsd.org/viewtopic.php?f=7&t=45691 - Same issue and the troubleshooting that helped find it.
 
Re: NAT IPSec Traffic with pf

Well, that's more like it.

I am on 10-STABLE now and indeed, @junovitch is right. PF is now able to translate packets correctly and everything is working like it should.

Thanks for the help, @junovitch. I'm going to mark the thread as solved then.

Cheers,
S.
 