Re: Using PF to NAT internal addresses over an IPSec link

2008-09-04 Thread Toby Burress
Well, I've got it.  It turns out it's kind of easy, although not
as pretty as it could be.

Basically, you use relayd.  The one caveat is that this means that
from the OpenBSD box, you need to be able to talk to the remote,
private IPs without binding to a particular address.

In relayd.conf, you enable relays on a port-by-port basis, so you
can't allow blanket access.
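Toby's relayd approach, written out as an added example; this is not configuration posted in the thread. It assumes the OpenBSD box answers on 192.168.0.1 on its internal interface and that TCP 443 and 22 are the services wanted on 172.25.0.1 (both are assumptions for illustration). Each relay accepts LAN connections on the box's internal address and opens its own connection to 172.25.0.1, so the source address the remote side sees is whatever the box's route to 172.25.0.1 selects, which has to be A.B.C.D for the existing A.B.C.D-to-172.25.0.1 flow to match. That is the caveat above about not binding to a particular address.

```conf
# /etc/relayd.conf  (added example, not from the thread)
# Assumed for illustration: 192.168.0.1 is this box's address on bge0, and
# TCP 443 and 22 are the services the LAN needs on the remote host.
int_addr="192.168.0.1"
remote_host="172.25.0.1"

# relayd proxies one listening port to one destination port, so every
# service needs its own relay block.  Nothing that is not listed here can
# reach 172.25.0.1 from the LAN, which is the per-port limitation Toby
# mentions and, read the other way, a deliberately small exposure.
relay "remote_https" {
	listen on $int_addr port 443
	forward to $remote_host port 443
}

relay "remote_ssh" {
	listen on $int_addr port 22
	forward to $remote_host port 22
}
```

LAN hosts connect to 192.168.0.1:443 and 192.168.0.1:22 instead of to 172.25.0.1. Check the file with `relayd -n -f /etc/relayd.conf`, start relayd, and confirm with `relayctl show relays` and, once there is traffic, `relayctl show sessions`. The connections relayd opens leave the box from A.B.C.D over enc0 and are covered by Toby's existing `pass quick on $vpn_if`; the LAN side needs a pass rule in on $int_if to $int_addr for those two ports. Relays carry the listed ports only, and ICMP is not relayed, so a LAN host cannot ping 172.25.0.1 this way.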



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread Toby Burress
On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
 Hi,
 
 I tried to reproduce what you want in my testing environment and
 managed to make it work.
 
 What you have to do is :
  - In your ipsec.conf, add a rule from your local network to the
 distant 172.25.0.1 (this rule is needed in order to route the traffic
 to enc0)

Did you need to configure this on both ends?  If I add a flow routing
my network to the remote IP the packets never seem to get to enc0;
it looks like isakmpd is stuck trying to negotiate something with
the remote end.  From what I can tell I need an SA for packets to
get routed over enc0.

In ipsec.conf I have:

ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
main auth hmac-md5 enc 3des \
quick auth hmac-md5 enc 3des group none \
psk yarg

which lets me ping 172.25.0.1 from A.B.C.D.  To route packets to
172.25.0.1 I am using

flow from any to 172.25.0.1 peer W.X.Y.Z

This does create appropriate encap entries in the routing tables,
but I never see anything hit enc0.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread william dunand
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, I configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from 172.25.0.1 to A.B.C.D

And on the local server side, all I have is :
ike esp from any to 172.25.0.1 peer W.X.Y.Z

Never tried to use the flow directives as you did. I suppose that if
as you said you have correct encap routes, packets headed to
172.25.0.1 should definitely go through enc0, then if you set nat on
enc0, it should work as it does for me.
Could you paste and show us the output of netstat -rnf encap and also
if possible your pf.conf?

Regards,
William

2008/8/15 Toby Burress [EMAIL PROTECTED]:
 On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
 Hi,

 I tried to reproduce what you want in my testing environment and
 managed to make it work.

 What you have to do is :
  - In your ipsec.conf, add a rule from your local network to the
 distant 172.25.0.1 (this rule is needed in order to route the traffic
 to enc0)

 Did you need to configure this on both ends?  If I add a flow routing
 my network to the remote IP the packets never seem to get to enc0;
 it looks like isakmpd is stuck trying to negotiate something with
 the remote end.  From what I can tell I need an SA for packets to
 get routed over enc0.

 In ipsec.conf I have:

 ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
main auth hmac-md5 enc 3des \
quick auth hmac-md5 enc 3des group none \
psk yarg

 which lets me ping 172.25.0.1 from A.B.C.D.  To route packets to
 172.25.0.1 I am using

 flow from any to 172.25.0.1 peer W.X.Y.Z

 This does create appropriate encap entries in the routing tables,
 but I never see anything hit enc0.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread Toby Burress
On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
 Of course, as it is a testing environment it is a lot easier to make
 it work for me...
 On the remote side, I configured something like this (I suppose they
 have something of this kind on the other side) :
 ike passive esp from 172.25.0.1 to A.B.C.D
 
 And on the local server side, all I have is :
 ike esp from any to 172.25.0.1 peer W.X.Y.Z

Ah, okay.  It doesn't look like I have the luxury of simply saying
'from any to IP', since the remote end refuses to set up the SAs
in that case.  I will try to get the other end to allow something
like that, since it seems like a MUCH better solution than the Rube
Goldberg stuff I'm playing with now, but half the reason I'm stuck
is the other guy doesn't return emails...

 
 Never tried to use the flow directives as you did. I suppose that if
 as you said you have correct encap routes, packets headed to
 172.25.0.1 should definitely go through enc0, then if you set nat on
 enc0, it should work as it does for me.
 Could you paste and show us the output of netstat -rnf encap and also
 if possible your pf.conf?

Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
172.25.0.1/32   0     A.B.C.D/32      0     0      W.X.Y.Z/esp/use/in
A.B.C.D/32      0     172.25.0.1/32   0     0      W.X.Y.Z/esp/require/out
172.25.0.1/32   0     default         0     0      W.X.Y.Z/esp/use/in
default         0     172.25.0.1/32   0     0      W.X.Y.Z/esp/use/out


The pf.conf is pretty complicated, but the relevant rules that get hit are:

ext_if=bge1
int_if=bge0
vpn_if=enc0
set ruleset-optimization none
set state-policy if-bound
set skip on { lo }
scrub all fragment reassemble reassemble tcp
nat on $vpn_if from 192.168.0.0/16 to any -> A.B.C.D
nat on $ext_if from 192.168.0.0/16 to any -> E.F.G.H
block drop
pass quick on $vpn_if
pass quick on $int_if

And then there are others that eventually let us out of $ext_if as well.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-15 Thread william dunand
Toby,

Actually, I was initially using my local subnet address rather than
any, but I realized that if I did so, this address could be seen on
the remote vpn server by looking at the flows table.
After setting the from any rule, I realized that, yes it was more or
less working as expected, but it was screwing the internal carp
configuration on the remote side when you use the remote local subnet
as a target rather than 172.25.0.1. So I think it's not a good idea
anyway.

So I decided to try to set it up your way, with a manual flow directive.
I could make it work using something like :
ike esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z
flow from my.local.subnet to 172.25.0.1 peer W.X.Y.Z type require

(note that I had to set require to make it work)

But again the local subnet appears if you look at the flows on the
remote servers, so that's not what you want.
If I use any in place of my local subnet address, it doesn't work
for some reason I don't understand yet, I am just losing track of my
packets...

So I guess that as you said, you should try to get more information
about the remote side configuration.
I would still be interested in knowing the clean and mighty way to
hide your local subnet topology.
Maybe using an intermediate local interface may help, as it was
suggested by Marc-Andre.

Regards,
William



2008/8/15 Toby Burress [EMAIL PROTECTED]:
 On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
 Of course, as it is a testing environment it is a lot easier to make
 it work for me...
 On the remote side, I configured something like this (I suppose they
 have something of this kind on the other side) :
 ike passive esp from 172.25.0.1 to A.B.C.D

 And on the local server side, all I have is :
 ike esp from any to 172.25.0.1 peer W.X.Y.Z

 Ah, okay.  It doesn't look like I have the luxury of simply saying
 'from any to IP', since the remote end refuses to set up the SAs
 in that case.  I will try to get the other end to allow something
 like that, since it seems like a MUCH better solution than the Rube
 Goldberg stuff I'm playing with now, but half the reason I'm stuck
 is the other guy doesn't return emails...


 Never tried to use the flow directives as you did. I suppose that if
 as you said you have correct encap routes, packets headed to
 172.25.0.1 should definitely go through enc0, then if you set nat on
 enc0, it should work as it does for me.
 Could you paste and show us the output of netstat -rnf encap and also
 if possible your pf.conf?

 Encap:
 Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
 172.25.0.1/32   0     A.B.C.D/32      0     0      W.X.Y.Z/esp/use/in
 A.B.C.D/32      0     172.25.0.1/32   0     0      W.X.Y.Z/esp/require/out
 172.25.0.1/32   0     default         0     0      W.X.Y.Z/esp/use/in
 default         0     172.25.0.1/32   0     0      W.X.Y.Z/esp/use/out


 The pf.conf is pretty complicated, but the relevant rules that get hit are:

 ext_if=bge1
 int_if=bge0
 vpn_if=enc0
 set ruleset-optimization none
 set state-policy if-bound
 set skip on { lo }
 scrub all fragment reassemble reassemble tcp
 nat on $vpn_if from 192.168.0.0/16 to any -> A.B.C.D
 nat on $ext_if from 192.168.0.0/16 to any -> E.F.G.H
 block drop
 pass quick on $vpn_if
 pass quick on $int_if

 And then there are others that eventually let us out of $ext_if as well.



Re: Using PF to NAT internal addresses over an IPSec link

2008-08-14 Thread Jorge Valbuena
I have the following configuration:


LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A



http://bsdsupport.org/, setting up IPsec over GRE on OpenBSD


I can ping a host from LAN_A to a host on LAN_B

I hope this can help!





 Original Message 
 Date: Wed, 13 Aug 2008 16:41:20 -0400
 From: Toby Burress [EMAIL PROTECTED]
 To: misc@openbsd.org
 Subject: Using PF to NAT internal addresses over an IPSec link

 I have an IPSec connection set up to an external site, over which
 I have no control and whose topology I know nothing about (i.e. I
 don't know what subnets they use, etc.)  Using ipsecctl, I have one
 flow set up, from my external IP A.B.C.D to an internal IP on their
 side, 172.25.0.1.
 
 I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.
 
 What I want to do is allow any machine from my internal networks
 to reach 172.25.0.1.
 
 What I would like to do is set up NAT, so that packets headed to
 the OpenBSD box from anywhere on my network get translated to
 A.B.C.D, which is then sent over the VPN connection.  Unfortunately
 it looks like PF only applies NAT transforms when packets leave
 interfaces, not when they enter them, so packets come into the
 OpenBSD box with their private IPs, get routed out the interface
 associated with the default route, and only then get rewritten.
 
 Is there a better way to do this?  I would like to be able to change
 which hosts on my side can go over the IPSec connection without
 having to coordinate with the other company, and without having to
 expose internal IP information.
 
 If you reply to the list please cc me as I am not subscribed.




Re: Using PF to NAT internal addresses over an IPSec link

2008-08-14 Thread Marc-Andre Jutras

Hey List ! ...

Interesting... I was about to send an e-mail to the list regarding this 
same question, aka best practice for NAT over IPsec... or how to do it 
correctly?!


May I suggest you try something... (that's what I will try anyway 
sometime next week or so...)


Create a loopback interface on one of your BSDs and try to NAT on this 
'lo' interface. From that NAT, adjust your pf to block all from LAN A 
to LAN B except from the NAT... and well, I think it should work!


Any other suggestions to try, or any 'already working here' notes that 
someone can post?


Regards,
M-A

Jorge Valbuena wrote:

I have the following configuration:


LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A



http://bsdsupport.org/, setting up IPsec over GRE on OpenBSD


I can ping a host from LAN_A to a host on LAN_B

I hope this can help!





 Original Message 

Date: Wed, 13 Aug 2008 16:41:20 -0400
From: Toby Burress [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Using PF to NAT internal addresses over an IPSec link

I have an IPSec connection set up to an external site, over which
I have no control and whose topology I know nothing about (i.e. I
don't know what subnets they use, etc.)  Using ipsecctl, I have one
flow set up, from my external IP A.B.C.D to an internal IP on their
side, 172.25.0.1.

I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.

What I want to do is allow any machine from my internal networks
to reach 172.25.0.1.

What I would like to do is set up NAT, so that packets headed to
the OpenBSD box from anywhere on my network get translated to
A.B.C.D, which is then sent over the VPN connection.  Unfortunately
it looks like PF only applies NAT transforms when packets leave
interfaces, not when they enter them, so packets come into the
OpenBSD box with their private IPs, get routed out the interface
associated with the default route, and only then get rewritten.

Is there a better way to do this?  I would like to be able to change
which hosts on my side can go over the IPSec connection without
having to coordinate with the other company, and without having to
expose internal IP information.

If you reply to the list please cc me as I am not subscribed.




Re: Using PF to NAT internal addresses over an IPSec link

2008-08-14 Thread william dunand
Hi,

I tried to reproduce what you want in my testing environment and
managed to make it work.

What you have to do is:
 - In your ipsec.conf, add a rule from your local network to the
distant 172.25.0.1 (this rule is needed in order to route the traffic
to enc0)
 - Add a nat rule on enc0 in your pf.conf. Something like:
nat on enc0 from !($ext_if) -> ($ext_if:0)
 - Note that if you had set a skip on enc0, you should remove it and
use something like pass quick on enc0 for the nat to be applied.

It works for me, local addresses are NATed inside the tunnel and
cannot be seen by the remote servers.

Feel free to ask if you need more details.

Cheers,
William





2008/8/15 Marc-Andre Jutras [EMAIL PROTECTED]:
 Hey List ! ...

 Interesting... I was about to send an e-mail to the list regarding this same
 question, aka best practice for NAT over IPsec... or how to do it correctly?!

 May I suggest you try something... (that's what I will try anyway sometime
 next week or so...)

 Create a loopback interface on one of your BSDs and try to NAT on this 'lo'
 interface. From that NAT, adjust your pf to block all from LAN A to LAN B
 except from the NAT... and well, I think it should work!

 Any other suggestions to try, or any 'already working here' notes that
 someone can post?

 Regards,
 M-A

 Jorge Valbuena wrote:

 I have the following configuration:



 LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A



 http://bsdsupport.org/, setting up IPsec over GRE on OpenBSD


 I can ping a host from LAN_A to a host on LAN_B

 I hope this can help!





  Original Message 


 Date: Wed, 13 Aug 2008 16:41:20 -0400
 From: Toby Burress [EMAIL PROTECTED]
 To: misc@openbsd.org
 Subject: Using PF to NAT internal addresses over an IPSec link




 I have an IPSec connection set up to an external site, over which
 I have no control and whose topology I know nothing about (i.e. I
 don't know what subnets they use, etc.)  Using ipsecctl, I have one
 flow set up, from my external IP A.B.C.D to an internal IP on their
 side, 172.25.0.1.

 I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.

 What I want to do is allow any machine from my internal networks
 to reach 172.25.0.1.

 What I would like to do is set up NAT, so that packets headed to
 the OpenBSD box from anywhere on my network get translated to
 A.B.C.D, which is then sent over the VPN connection.  Unfortunately
 it looks like PF only applies NAT transforms when packets leave
 interfaces, not when they enter them, so packets come into the
 OpenBSD box with their private IPs, get routed out the interface
 associated with the default route, and only then get rewritten.

 Is there a better way to do this?  I would like to be able to change
 which hosts on my side can go over the IPSec connection without
 having to coordinate with the other company, and without having to
 expose internal IP information.

 If you reply to the list please cc me as I am not subscribed.
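William's three steps at the top of this message (a flow from the local network to 172.25.0.1, NAT on enc0, and no `set skip on enc0`), together with the `type require` detail from his later message, assembled into one added example. This is not configuration posted in the thread: the addresses, interface names and IKE parameters are the ones Toby posted, and 192.168.0.0/16 as the internal range is taken from his nat rules. Two caveats the thread establishes are kept as comments: the flow's selector is negotiated with the peer and shows up in the remote flow table, and the peer must accept a Phase 2 identity other than A.B.C.D, which Toby's peer would not. The pf rules use the pre-4.7 `nat on ... ->` form the thread uses; OpenBSD 4.7 and later write this as `match out on enc0 ... nat-to`.

```conf
# /etc/ipsec.conf  (added example assembling the thread's approach)
# A.B.C.D: this box's external address     W.X.Y.Z: the remote IKE peer
# 172.25.0.1: the only remote host to reach 192.168.0.0/16: internal range
local_ext="A.B.C.D"
peer="W.X.Y.Z"
remote_host="172.25.0.1"
internal="192.168.0.0/16"

# The SA Toby already has.  hmac-md5, 3des and a short PSK are as posted;
# all three are weak by current standards (at minimum use a long random PSK).
ike active esp from $local_ext to $remote_host peer $peer \
	main  auth hmac-md5 enc 3des \
	quick auth hmac-md5 enc 3des group none \
	psk yarg

# Steers LAN traffic for 172.25.0.1 onto enc0; 'type require' is the detail
# William needed.  Caveat: this selector is negotiated with the peer, so the
# remote end sees 192.168.0.0/16 in its flow table and must be willing to
# accept it as a Phase 2 identity (Toby's peer refused anything but A.B.C.D).
flow from $internal to $remote_host peer $peer type require

# /etc/pf.conf  (the relevant rules, pre-4.7 syntax as in the thread)
ext_if="bge1"
int_if="bge0"
vpn_if="enc0"
local_ext="A.B.C.D"
remote_host="172.25.0.1"
internal="192.168.0.0/16"

set skip on { lo }     # not enc0: pf must see the packets to translate them

# Rewrite LAN sources to A.B.C.D as packets enter the tunnel; the remote
# host only ever sees A.B.C.D.  Scoped to the one remote host, not 'to any'.
nat on $vpn_if from $internal to $remote_host -> $local_ext

block drop
# Translation happens before filtering, so the enc0 rule sees A.B.C.D.
pass quick on $int_if from $internal to $remote_host
pass quick on $vpn_if from $local_ext to $remote_host
# Still needed on $ext_if: udp port 500 and proto esp to and from W.X.Y.Z,
# i.e. the rules Toby describes as the ones that let him out of $ext_if.
```

Load with `ipsecctl -f /etc/ipsec.conf` and `pfctl -f /etc/pf.conf`. `ipsecctl -sa` and `netstat -rnf encap` should then show a 192.168.0.0/16 to 172.25.0.1/32 entry of type require/out next to the original A.B.C.D one; `pfctl -sn` shows the nat rule and `pfctl -vss` shows each LAN connection with its 192.168.x.x source mapped to A.B.C.D. If the remote peer will not negotiate for 192.168.0.0/16, isakmpd sits in negotiation exactly as Toby describes, and the relayd approach in his 2008-09-04 message at the top of the page is the fallback.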



Using PF to NAT internal addresses over an IPSec link

2008-08-13 Thread Toby Burress
I have an IPSec connection set up to an external site, over which
I have no control and whose topology I know nothing about (i.e. I
don't know what subnets they use, etc.)  Using ipsecctl, I have one
flow set up, from my external IP A.B.C.D to an internal IP on their
side, 172.25.0.1.

I can ping 172.25.0.1 from the OpenBSD box, so IPSec is working fine.

What I want to do is allow any machine from my internal networks
to reach 172.25.0.1.

What I would like to do is set up NAT, so that packets headed to
the OpenBSD box from anywhere on my network get translated to
A.B.C.D, which is then sent over the VPN connection.  Unfortunately
it looks like PF only applies NAT transforms when packets leave
interfaces, not when they enter them, so packets come into the
OpenBSD box with their private IPs, get routed out the interface
associated with the default route, and only then get rewritten.

Is there a better way to do this?  I would like to be able to change
which hosts on my side can go over the IPSec connection without
having to coordinate with the other company, and without having to
expose internal IP information.

If you reply to the list please cc me as I am not subscribed.