tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: How to apply NAT before IPSec on outgoing packets
Here's an update since my last mail: We've applied a patch (attached below) to
the ip_output.c file in the kernel.
We copied the part for running the PFIL_HOOKS above the IPSEC- and
FAST_IPSEC-processing so that NAT shall be applied before IPSec.
Unfortunately the results were somehow confusing. Here's what happens:
Test 1 - Ping from client inside internal LAN to client inside corporate LAN.
We tcpdump'ed on the external interface of our NetBSD-router on the client
side.
Effects we see:
- The IPSec-tunnel is set up correctly (tunnel mode) thanks to racoon
- The NetBSD-router sends encrypted ICMP (destination unreachable) messages
into the IPSec tunnel with his internal IP NAT'ed and the host
residing in the internal LAN as destination (no NAT)
- tcpdump on the internal interface shows that ping-packets are sent to our
router but nothing is sent back
Test 2 - Ping from client inside internal LAN to internal interface of our
NetBSD-router (client side).
In the router's internal interface, we see:
- (tcpdump on the internal interface shows that ping-packets are sent to our
router with normal speed but nothing is sent back)
What we see on our routers' external interface:
- The IPSec-tunnel is set up correctly, again in tunnel mode
- The NetBSD-router sends this ping encrypted and NAT'ed into the IPSec tunnel,
and the vpn-gw sends it (also encrypted) back to our router,
who's sending the packet back to the vpn-gw and so on (routing loop)
- this results in a flooding of the tunnel until the TTL on the encapsulated
ping request is expired and the next ping coming from the
client is sent into the tunnel starting all this flooding again
One other observation is that we can decrypt the packets from the corporate
IPsec VPN router to our NetBSD router (using Wireshark),
but that we cannot decrypt the packets going out of our NetBSD router, with the
data given by "setkey -D".
Does anyone have a good hint here on how to proceed?
On a related note: we've seen that OpenBSD comes with an enc(4) network
interface dedicated to IPsec traffic, where filter/NAT rules can be applied
before encrypting and after decrypting. The driver's source is rather short,
but I guess there are deep interactions with OpenBSD's IPsec implementation.
Has anyone looked into porting/implementing this framework to/on NetBSD?`
1 Index: ip_output.c
2 ===================================================================
3 RCS file: /cvsroot/src/sys/netinet/ip_output.c,v
4 retrieving revision 1.200.4.1
5 diff -u -r1.200.4.1 ip_output.c
6 --- ip_output.c 9 Jul 2009 19:38:27 -0000 1.200.4.1
7 +++ ip_output.c 6 Nov 2009 15:39:02 -0000
8 @@ -505,6 +505,24 @@
9 /* Remember the current ip_len */
10 ip_len = ntohs(ip->ip_len);
11
12 +#if defined(IPSEC) || defined(FAST_IPSEC)
13 +#ifdef PFIL_HOOKS
14 + /*
15 + * Run through list of hooks for output packets before they are
processed by
16 + * IPSEC / FAST_IPSEC. - DZ
17 + */
18 + if ((error = pfil_run_hooks(&inet_pfil_hook, &m, ifp,
PFIL_OUT)) != 0)
19 + goto done;
20 + if (m == NULL)
21 + goto done;
22 +
23 + ip = mtod(m, struct ip *);
24 + hlen = ip->ip_hl << 2;
25 + ip_len = ntohs(ip->ip_len);
26 +#endif /* PFIL_HOOKS */
27 +#endif /* defined(IPSEC) || defined(FAST_IPSEC) */
28 +
29 +
30 #ifdef IPSEC
31 /* get SP for this packet */
32 if (so == NULL)
Kind regards,
- Daniel
A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Telefon +49 (941) 78385-460
Telefax +49 (941) 78385-150
D.Zebralla%ape-net.com@localhost
http://www.ape-net.com
_______________________________________
A.P.E. GmbH IT-Security
Sitz der Gesellschaft: Regensburg
Handelsregister: HRB 5953, Regensburg
Geschäftsführer: Dr. Dieter Steiner
Home |
Main Index |
Thread Index |
Old Index