Interactions of NAT, gre(4) and IPsec [was: Re: reverse processing order: NAT, IPsec ?]
Short: Does anyone use a gre-with-nat-over-ipsec setup that they'd like to
share the config?
I've made another stab at this, and run into some unexpected effects.
The setup I have (full version appended below):
home-LAN -> RouterA -> Internet -> RouterB -> office-LAN
I have a gre(4) tunnel between the home-LAN and the office-LAN, using
inside addresses of RouterA and RouterB as the gre(4) endpoints.
This follows the "create link between two private networks" example in
Adding NAT on RouterA's gre interface went fine. The changes that I made are
using the NATted address for RouterA's endpoint in both gre configs,
setting a bimap rule in IPfilter, and adding a route to RouterB to route
the NAT network (not the home network) to RouterA. With that, I see NATted
packets arrive at RouterB, and routing to the office-LAN works like a
breeze in both directions.
After adding NAT was surprisingly painless, I expected that securing the
transport for the GRE tunnel with IPsec would be too: adding
point-to-point encryption between the external addresses of the routers.
For starters I chose static keys via setkey(8), no racoon (yet). As the
gif(4) interfaces aren't involved in encrypting the point-to-point
connection between the routers, I didn't expect any problems.
What I see is sort of a routing loop between the routers, where RouterB
sends an answer to RouterA, but RouterA doesn't know what to do with
the packet, so it sends it back to RouterB, which thinks it's for RouterA,
and so on; this loops a number of times.
Playing with the link1 flag on the gre tunnels, adding more routes and NAT
rules on RouterA didn't result in any useful results (yet), and again I
wonder if this is some funny interaction between NAT and IPsec?
Does anyone use a gre-with-nat-over-ipsec setup that they'd like to share
Here is the detailed config that I use for NAT & GRE without IPsec
(I'm doing this inside a VMware Team environment for now, hence the
funny "Internet" IPs):
         Home-LAN                Internet                 Office-LAN
Home-PC ---------- RouterA ----------- RouterB ------------ Office-PC
192.168.11.3  Home: 192.168.11.2    Office: 10.22.22.1      10.22.22.3
              Internet: 10.11.11.2  Internet: 10.11.11.1
              gre0: 10.253.253.2    gre0: 10.22.22.1

Home-LAN:   192.168.11.0/24, NATted to 10.253.253.0/24
Office-LAN: 10.22.22.0/24
Internet (transport network): 10.11.11.0/24
RouterA (rc.conf):
net_interfaces="pcn0 pcn1 gre0"
ifconfig_gre0="10.253.253.2/24 10.22.22.1 tunnel 10.11.11.2 10.11.11.1"

RouterA (ipf.conf):
pass in from any to any
pass out from any to any

RouterA (ipnat.conf):
bimap gre0 192.168.11.0/24 -> 10.253.253.0/24

RouterB (rc.conf):
net_interfaces="pcn0 pcn1 gre0"
ifconfig_gre0="10.22.22.1/24 10.253.253.2 tunnel 10.11.11.1 10.11.11.2"

RouterB (routes, route.conf):
net 10.253.253.0/24 10.253.253.2
net default 10.22.22.1
* On Home-PC: ping 10.22.22.3
* On Office-PC: ping 10.253.253.3
* Both test cases work with the above configuration, but fail
with a routing loop where RouterA sends back packets to RouterB
instead of performing NAT and forwarding them to the home-LAN when
adding SAs and SPDs for encryption between 10.11.11.1 and 10.11.11.2.
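As an added example, not taken from the post (whose IPsec configuration isn't shown), here is a small POSIX sh script that emits the static-key setkey(8) input for both routers. Only the two "Internet" addresses 10.11.11.2 (RouterA) and 10.11.11.1 (RouterB) come from the post; the SPI values, the aes-cbc/hmac-sha256 choice and the keys drawn from /dev/urandom are constructed assumptions. The SPD is deliberately narrowed to the GRE carrier (upperspec "gre", IP protocol 47) between the two external addresses instead of "any", so that only the tunnel encapsulation is required to be ESP and unrelated router-to-router traffic is not silently affected, and each direction gets its own key. The mirror_ok function is a pre-load sanity check that both routers carry identical SAs and that one router's outbound policy is exactly the peer's inbound policy, which is the kind of mismatch that otherwise shows up as dropped or unexpectedly routed packets.

```sh
#!/bin/sh
# Added example, not the poster's configuration: generate static-key
# setkey(8) input for the two routers in the post. Only the router
# "Internet" addresses come from the post; SPIs, algorithms and keys
# are constructed here.

ROUTER_A=10.11.11.2   # RouterA external address (from the post)
ROUTER_B=10.11.11.1   # RouterB external address (from the post)
SPI_A_TO_B=0x1001     # constructed SPIs; any value above 255 works
SPI_B_TO_A=0x1002

# hexkey NBYTES: NBYTES of fresh key material as a 0x-prefixed hex string
hexkey() {
    printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# key_bits KEY: length in bits of a 0x-prefixed hex key
key_bits() {
    k=${1#0x}
    echo $(( ${#k} * 4 ))
}

# setkey_conf LOCAL PEER SPI_OUT SPI_IN ENC_OUT AUTH_OUT ENC_IN AUTH_IN
# Emits one router's SAs (both directions) plus an SPD that requires ESP
# transport mode only for GRE (IP protocol 47) to and from the peer.
setkey_conf() {
    cat <<EOF
# setkey(8) input for $1: protect only the GRE carrier to/from $2
flush;
spdflush;
add $1 $2 esp $3 -m transport -E aes-cbc $5 -A hmac-sha256 $6;
add $2 $1 esp $4 -m transport -E aes-cbc $7 -A hmac-sha256 $8;
spdadd $1 $2 gre -P out ipsec esp/transport//require;
spdadd $2 $1 gre -P in ipsec esp/transport//require;
EOF
}

# mirror_ok CONF_A CONF_B: succeed only if both routers carry identical
# SAs and router A's outbound policy is router B's inbound policy.
mirror_ok() {
    sa_a=$(printf '%s\n' "$1" | grep '^add ' | sort)
    sa_b=$(printf '%s\n' "$2" | grep '^add ' | sort)
    [ "$sa_a" = "$sa_b" ] || return 1
    out_a=$(printf '%s\n' "$1" | grep '^spdadd .* -P out ')
    in_b=$(printf '%s\n' "$2" | grep '^spdadd .* -P in ' | sed 's/ -P in / -P out /')
    [ -n "$out_a" ] && [ "$out_a" = "$in_b" ]
}

# Fresh, direction-specific keys: 128-bit AES-CBC, 256-bit HMAC-SHA256.
ENC_AB=$(hexkey 16); AUTH_AB=$(hexkey 32)
ENC_BA=$(hexkey 16); AUTH_BA=$(hexkey 32)

CONF_A=$(setkey_conf "$ROUTER_A" "$ROUTER_B" "$SPI_A_TO_B" "$SPI_B_TO_A" \
                     "$ENC_AB" "$AUTH_AB" "$ENC_BA" "$AUTH_BA")
CONF_B=$(setkey_conf "$ROUTER_B" "$ROUTER_A" "$SPI_B_TO_A" "$SPI_A_TO_B" \
                     "$ENC_BA" "$AUTH_BA" "$ENC_AB" "$AUTH_AB")

# Print both; each block is meant to be loaded on its router with `setkey -f`.
printf '%s\n\n%s\n' "$CONF_A" "$CONF_B"
```

Load each block on its own router with setkey -f and inspect the result with setkey -D and setkey -DP; because the policy only covers protocol 47, the NATted inner packets that gre0 carries are never themselves subject to the SPD, only the encapsulating GRE packets between the two external addresses are.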