On Tue, 20 Jun 2006, Roy Morris wrote:

ok, I know I've seen this before but can't seem to find the link. I am setting up a vpn using isakmpd and for the regular net to net stuff it
works fine. I am trying to use an alias ip on each gateway and nat to
the internal host. The isakmpd.conf would use phase one real-ip-1 and
use real-ip-2 (nat/binat) to the internal client.

Is this making sense? ..

I1 (172.30.1.2) -> GW1(10.0.1.1/24) -router - GW2(10.0.2.1/24)
I1------>NAT ----->10.0.1.2 x-router-x 10.0.2.2 NAT ->I2 (172.31.1.2)

pf.conf should? have
binat on enc0 from 172.30.1.2 to any ->10.0.1.2

and would also have /etc/hostname.xyz
inet alias 10.0.1.2

and the same stuff on the other end. Packet capture shows it using
the external interface with no nat to get out.

What am I doing wrong? - a link, doc or whack upside the head is
accepted!

thanks
Roy

Roy,

I tried for weeks to get this to work and eventually abandoned the idea due to a deadline to just get it working. I ended up sticking another cheap box (P133) in front of the box doing IPSEC and performing NAT on there. Then I would create IP aliases on the NAT box as well as the IPSEC box for those cases and that worked fine.

Problem is that the OpenBSD kernel does IPSEC flow processing before it does NAT. So if you try to do both on the same box your packets will not match your defined IPSEC SA because they have not yet been NAT'd in which case they will just be dropped by the kernel.

This is from man ipsec:

-----------------------------------

     NAT can also be applied to enc# interfaces, but special care should be
     taken because of the interactions between NAT and the IPsec flow
     matching, especially on the packet output path.  Inside the TCP/IP
     stack, packets go through the following stages:

           UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
           UL/R <-------- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF

     With IF being the real interface and UL/R the Upper Layer or Routing
     code.  The [X] stage on the output path represents the point where the
     packet is matched against the IPsec flow database (SPD) to determine
     if and how the packet has to be IPsec-processed.  If, at this point,
     it is determined that the packet should be IPsec-processed, it is
     processed by the PF/NAT code.  Unless PF drops the packet, it will
     then be IPsec-processed, even if the packet has been modified by NAT.

---------------------------------------------

There are some older posts by Cedric that indicate at least on old versions of OpenBSD/isakmpd you could manually add a fake flow to the SADB using ipsecadm that basically said 170.30.1.2 -> other_side is a valid IPSEC flow, that way the packet would be processed, then you could do NAT on the enc0 interface and cause the source IP to be NAT'd and match the real IPSEC flow. However I never got this working and comments from the original post made it seem to me that this does not work in the current version of OpenBSD. Good Luck!

                                -Matt-
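The order of stages in that ipsec(4) excerpt is the whole problem, so here is a small Python model of the output path, added by the editor; it is not part of Roy's or Matt's posts and not OpenBSD code. It uses the addresses from Roy's diagram (internal host 172.30.1.2 binat'd on enc0 to the alias 10.0.1.2, talking to the far side's alias 10.0.2.2), a constructed SPD table and a constructed enc0 NAT table. The second run only shows what Matt's "fake flow" workaround would have to achieve given this stage order (an extra flow for the un-NAT'd source pointing at the same SA); it says nothing about whether that can be done on any particular release.

```python
"""Toy model of the output path quoted from ipsec(4):

    UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF

The SPD lookup at [X] sees the packet BEFORE any NAT on enc0, so a source
address that is only correct after binat never matches a flow written for
the alias.  Addresses follow Roy's diagram; all tables are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ipsec: bool = False  # True once the IPsec stage has encapsulated it


# Constructed SPD: the flow isakmpd negotiates is between the gateway alias
# 10.0.1.2 and the far side's alias 10.0.2.2 (hypothetical SA name).
SA_TO_GW2 = "esp tunnel GW1 -> GW2"
REAL_SPD = {("10.0.1.2", "10.0.2.2"): SA_TO_GW2}

# Matt's workaround, as an assumed table shape (not an ipsecadm command):
# an additional flow for the internal source pointing at the same SA.
FAKE_FLOW_SPD = {**REAL_SPD, ("172.30.1.2", "10.0.2.2"): SA_TO_GW2}

# Roy's "binat on enc0 from 172.30.1.2 to any -> 10.0.1.2", outbound half.
NAT_ENC0 = {"172.30.1.2": "10.0.1.2"}


def output_path(pkt, spd, nat_enc0):
    """Walk one packet through the stages; return (final packet, trace)."""
    trace = []
    sa = spd.get((pkt.src, pkt.dst))  # stage [X]: pre-NAT addresses
    if sa is None:
        trace.append(f"[X] no flow for {pkt.src}->{pkt.dst}: "
                     "enc0 NAT and IPsec are skipped")
        trace.append("PF/NAT(IF) -> IF: packet handed to the real "
                     "interface without IPsec processing")
        return pkt, trace
    trace.append(f"[X] flow matched, will use {sa!r}")
    if pkt.src in nat_enc0:  # PF/NAT(enc0) runs only after [X] said yes
        pkt = replace(pkt, src=nat_enc0[pkt.src])
        trace.append(f"PF/NAT(enc0) rewrote src to {pkt.src}")
    # IPsec processing happens even though NAT modified the packet.
    pkt = replace(pkt, ipsec=True)
    trace.append(f"IPsec encapsulated {pkt.src}->{pkt.dst} in {sa!r}")
    trace.append("PF/NAT(IF) -> IF: ESP leaves the real interface")
    return pkt, trace


def roys_setup():
    """Only the negotiated flow exists: [X] misses, enc0 NAT never runs."""
    return output_path(Packet("172.30.1.2", "10.0.2.2"), REAL_SPD, NAT_ENC0)


def with_fake_flow():
    """Extra flow for the internal source: [X] hits, then enc0 NAT, then IPsec."""
    return output_path(Packet("172.30.1.2", "10.0.2.2"), FAKE_FLOW_SPD, NAT_ENC0)


if __name__ == "__main__":
    for name, fn in (("Roy's setup", roys_setup), ("with fake flow", with_fake_flow)):
        pkt, trace = fn()
        print(f"{name}: {pkt}")
        for line in trace:
            print("   ", line)
```

The first run is the behaviour Roy's capture shows: the packet is handed to the real interface without ever touching the enc0 binat rule. The second run shows why the workaround needs a flow keyed on the un-NAT'd source and why Matt's alternative of a separate NAT box in front of the IPsec gateway sidesteps the whole ordering question.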
