<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><font face="Courier New">Hi list!</font><div><font face="Courier New"><br></font></div><div><font face="Courier New">I was reading and testing around with my setup for a long time, but I didn't get it. So I need to ask ;)</font></div><div><font face="Courier New"><br></font></div><div><font face="Courier New">I'm trying to establish an VPN tunnel between a single freeBSD machine (one network card, public IP address) and an Linux-Box with openSwan installed as the gateway in front of a private network.</font></div><div><font face="Courier New"><br></font></div><div><font face="Courier New">192.168.101.10 is the private source ip of the freeBSD box and 10.192.0.0/10 the private network behind the openSwan Gateway.</font></div><div><font face="Courier New">a.a.a.a is the public IP of the freeBSD box and b.b.b.b the public IP of the openSwan Gateway</font></div><div><font face="Courier New"><br></font></div><div><div><font face="Courier New">+-----------------+ +-----------------+ </font></div><div><font face="Courier New">| | | | </font></div><div><font face="Courier New">| freeBSD | | openSwan | </font></div><div><font face="Courier New">| Box | a.a.a.a b.b.b.b | Gateway | 10.192.0.0/10</font></div><div><font face="Courier New">| +----------------------------------------------------> Network </font></div><div><font face="Courier New">| 192.168.101.10 | | | </font></div><div><font face="Courier New">| | vpn tunnel | | </font></div><div><font face="Courier New">+-----------------+ +-----------------+ </font></div></div><div><font face="Courier New"><br></font></div><div><font face="Courier New"><br></font></div><div><font face="Courier New">I'm using this settings. ipfw and natd is freeBSD specific, but I wonder if I miss something in the strongSwan settings, so just read this as if I have a linux iptables setting to translate the source a.a.a.a to 192.168.101.10 if the packages is targeted to 10.192.0.0/10.</font></div><div><font face="Courier New">This works in general, as the kernel trap that strongswan installed (<span style="color: rgb(51, 51, 51); line-height: 18px;">auto=route) </span>is initiating the VPN tunnel and traffic goes into the 10... network and even comes back. BUT it does not translate back to the a.a.a.a address which originated the ip traffic.</font></div><div><font face="Courier New"><br></font></div><div><font face="Courier New"><br></font></div><div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">- natd.conf looks like this:</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">CODE: SELECT ALL</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">use_sockets yes</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">same_ports yes</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">unregistered_only no</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">alias_address 192.168.101.10</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">log yes</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">log_ipfw_denied yes</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">- ipfw.rules looks like this (pass by default):</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">CODE: SELECT ALL</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">10000 0 0 divert 8668 ip from a.a.a.a to 10.192.0.0/10 via em0</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">65535 52385 7348455 allow ip from any to any</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">- ipsec.conf (Strongswan) looks like this:</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">CODE: SELECT ALL</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">conn net-net</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> mobike=no</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> left=a.a.a.a</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> leftsourceip=192.168.101.10</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> leftsubnet=192.168.101.0/24</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> right=b.b.b.b</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> rightsubnet=10.192.0.0/10</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> <a href="mailto:rightid=@snet-xxxxxxxxxxxxxxxx.com">rightid=@snet-xxxxxxxxxxxxxxxx.com</a></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> authby=secret</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"> auto=route</span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;">A sample output of tcpdump on the enc0 shows that the (in this case ldapsearch) request is going out (well masqeraded) and comes back in the tunnel directing the former source IP 192.168.101.10 but this traffic is not translated into the real IP before the outgoing NAT happens (there is no traffic (except ESP) on em0!):</span></font></div></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><div>18:02:51.998687 (authentic,confidential): SPI 0x321a366c: 192.168.101.10.29856 > 10.207.0.1.389: Flags [S], seq 1671478258, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 20002092 ecr 0], length 0</div><div> 0x0000: 0200 0000 321a 366c 000c 0000 4500 003c ....2.6l....E..<</div><div> 0x0010: 6a7e 4000 4006 7e62 c0a8 650a 0acf 0001 j~@.@.~b..e.....</div><div> 0x0020: 74a0 0185 63a0 bbf2 0000 0000 a002 ffff t...c...........</div><div> 0x0030: 4b69 0000 0204 05b4 0103 0306 0402 080a Ki..............</div><div> 0x0040: 0131 352c 0000 0000 .15,....</div><div>18:02:51.998692 (authentic,confidential): SPI 0x321a366c: a.a.a.a > b.b.b.b: 192.168.101.10.29856 > 10.207.0.1.389: Flags [S], seq 1671478258, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 20002092 ecr 0], length 0 (ipip-proto-4)</div><div> 0x0000: 0200 0000 321a 366c 000c 0000 4500 0050 ....2.6l....E..P</div><div> 0x0010: 6a7f 0000 4004 0000 538a 508a 57f5 06bb j...@...S.P.W...</div><div> 0x0020: 4500 003c 6a7e 4000 4006 9fbb c0a8 650a E..<j~@.@.....e.</div><div> 0x0030: 0acf 0001 74a0 0185 63a0 bbf2 0000 0000 ....t...c.......</div><div> 0x0040: a002 ffff 4b69 0000 0204 05b4 0103 0306 ....Ki..........</div><div> 0x0050: 0402 080a 0131 352c 0000 0000 .....15,....</div><div>18:02:52.074175 (authentic,confidential): SPI 0xc0bb7152: b.b.b.b > a.a.a.a: 10.207.0.1.389 > 192.168.101.10.29856: Flags [S.], seq 3925922511, ack 1671478259, win 16384, options [mss 1382,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0 (ipip-proto-4)</div><div> 0x0000: 0200 0000 c0bb 7152 000c 0000 4500 0054 ......qR....E..T</div><div> 0x0010: a5a1 0000 3104 e140 57f5 06bb 538a 508a ....1..@W...S.P.</div><div> 0x0020: 4500 0040 7a76 0000 7e06 91bf 0acf 0001 E..@zv..~.......</div><div> 0x0030: c0a8 650a 0185 74a0 ea00 d2cf 63a0 bbf3 ..e...t.....c...</div><div> 0x0040: b012 4000 7332 0000 0204 0566 0103 0300 ..@.s2.....f....</div><div> 0x0050: 0101 080a 0000 0000 0000 0000 0101 0402 ................</div><div>18:02:52.074246 (authentic,confidential): SPI 0xc0bb7152: 10.207.0.1.389 > 192.168.101.10.29856: Flags [S.], seq 3925922511, ack 1671478259, win 16384, options [mss 1382,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0</div><div> 0x0000: 0200 0000 c0bb 7152 000c 0000 4500 0040 ......qR....E..@</div><div> 0x0010: 7a76 0000 7e06 91bf 0acf 0001 c0a8 650a zv..~.........e.</div><div> 0x0020: 0185 74a0 ea00 d2cf 63a0 bbf3 b012 4000 ..t.....c.....@.</div><div> 0x0030: 7332 0000 0204 0566 0103 0300 0101 080a s2.....f........</div><div> 0x0040: 0000 0000 0000 0000 0101 0402 ............</div></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333" face="Courier New"><span style="line-height: 18px;"><br></span></font></div><div><font color="#333333"><div style="line-height: 18px;"><font face="Courier New">So, I'm really lost on this, because it looks fine, execept the tunnel traffic is never translated back from 192.168.101.10 to a.a.a.a which was the originator.</font></div><div style="line-height: 18px;"><font face="Courier New"><br></font></div><div style="line-height: 18px;"><font face="Courier New">Is this a strongswan thing to 'bring the traffic' out of the tunnel, like it was strongswan 'putting' it in the tunnel after the masquerading happened on em0?</font></div><div style="line-height: 18px;"><font face="Courier New"><br></font></div><div style="line-height: 18px;"><font face="Courier New">One more thing: I'm able to ipfw the outgoing traffic in enc0, but it seems the incoming traffic is never matching any ipfw rules (ipfw show lists no packages on incoming direction, even if I can see them in dumping the enc0 traffic.).</font></div><div style="line-height: 18px;"><font face="Courier New"><br></font></div><div style="line-height: 18px;"><div><font face="Courier New">ipfw show</font></div><div><font face="Courier New">10010 0 0 divert 8668 ip from any to any in via enc0</font></div><div><font face="Courier New">65535 63129 9068196 allow ip from any to any</font></div></div><div style="line-height: 18px;"><font face="Courier New"><br></font></div><div style="line-height: 18px;"><font face="Courier New"><br></font></div><div><div><span style="line-height: 18px;"><font face="Courier New">I would be really happy for any hint on this issue.</font></span></div><div><span style="line-height: 18px;"><font face="Courier New"><br></font></span></div><div><span style="line-height: 18px;"><font face="Courier New">Many thanks in advance!</font></span></div><div><span style="line-height: 18px;"><font face="Courier New">Jimmy</font></span></div></div><div style="line-height: 18px;"><font face="Courier New"><br></font></div><div style="line-height: 18px;"><br></div></font></div></body></html>