Subject: NAT/GRE and IPsec transport interaction
To: NetBSD current-users <current-users@netbsd.org>
From: Andreas Wrede <andreas@wrede.ca>
List: current-users
Date: 05/25/2007 19:20:13

I am seeing packets bypassing an IPsec transport setup and getting
onto the wire as regular TCP packets, rather than ESP, if they are
passed through either a pf or ipf NAT. The setup:

IPsec transport between two firewalls and a GRE tunnel between the same
two firewalls. PF or IPF NAT for local clients behind the fw.

setkey:
add yy.yy.178.223 xx.xx.14.216 esp 1002 -E des-cbc "12345678";
add xx.xx.14.216 yy.yy.178.223 esp 2001 -E des-cbc "12345678";
spdadd yy.yy.178.223 xx.xx.14.216 any -P out ipsec esp/transport//require;

if:
gre91: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
         tunnel inet xx.xx.178.223 --> yy.yy.14.216
         inet 10.99.1.1 -> 192.168.6.10 netmask 0xffffffff
         inet6 fe80::211:2fff:fe87:ff1%gre91 ->  prefixlen 64 scopeid 0x6

pf.conf:
ext_if="tlp0"
nat on $ext_if from !($ext_if) -> ($ext_if:0)

From the xx.xx.178.223 machine, TCP connections to any port on
yy.yy.14.216 are IPsec transported in ESP packets:

18:38:45.690572 IP yy.yy.14.216 > xx.xx.178.223: ESP (spi=0x000007d1,seq=0x1283)
18:38:45.904351 IP xx.xx.178.223 > yy.yy.14.216: ESP (spi=0x000003ea,seq=0x139f)
18:38:45.904374 IP yy.yy.14.216 > xx.xx.178.223: ESP (spi=0x000007d1,seq=0x1284)

If a machine on the 10.99.x.x network (i.e. the private LAN behind the
xx.xx.178.223 fw) tries to connect to any port on yy.yy.14.216, then the
traffic is not encapsulated with ESP:

18:38:47.174469 IP xx.xx.178.223.52594 > yy.yy.14.216.9194: S 334610734:334610734(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 734343791 0,sackOK,eol>

The connections obviously time out, as yy.yy.14.216 does not expect  
non-ESP packets from xx.xx.178.223.

Is this known? A mis-configuration? Or time for a send-pr?

-- 
     aew
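As an added illustration (my code, not from the post, pf, or NetBSD), the block below models the two things worth checking in a setup like this: an SPD selector lookup over the posted out-bound policy, run against the packet's source address before and after NAT, and a scan over tcpdump lines that flags any non-ESP packet between the two peers. The stand-in addresses (RFC 5737 documentation ranges), the 10.99.1.5 client and the capture lines are constructed; the assumption that the output-path policy lookup sees the pre-NAT LAN source, so that a policy selecting only on the firewall's own address never covers LAN-originated flows, is mine and is what the first check models.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the anonymised addresses in the post:
# FW_LAN is the firewall with the NATed 10.99/16 LAN behind it,
# FW_PEER the other IPsec/GRE endpoint.
FW_LAN = "192.0.2.223"
FW_PEER = "198.51.100.216"
LAN_CLIENT = "10.99.1.5"      # constructed host on the private LAN


@dataclass(frozen=True)
class SpdEntry:
    """One spdadd line, reduced to its address selectors and direction."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str            # "in" or "out"
    action: str               # "ipsec" (require) or "none"


def spd_lookup(policies: List[SpdEntry], src: str, dst: str,
               direction: str) -> Optional[SpdEntry]:
    """First policy whose selectors cover the packet addresses, or None.

    Only the src/dst selectors are modelled. The addresses passed in are
    whatever the stack holds at lookup time; on the output path that is
    assumed (not verified here) to be the pre-NAT source.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


# The post's single out-bound policy: firewall's own address as source.
POSTED_SPD = [
    SpdEntry(ipaddress.ip_network(FW_LAN + "/32"),
             ipaddress.ip_network(FW_PEER + "/32"), "out", "ipsec"),
]

# Hypothetical policy whose selector covers the LAN prefix. This only shows
# selector coverage; a transport-mode SA's endpoints would still have to
# match the packet addresses, so it is not offered as the fix.
LAN_SPD = [
    SpdEntry(ipaddress.ip_network("10.99.0.0/16"),
             ipaddress.ip_network(FW_PEER + "/32"), "out", "ipsec"),
]


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str                # "ESP" or the TCP flag field tcpdump printed


_LINE = re.compile(r"^(\S+) IP (\S+) > (\S+?): (\S+)")


def _split_host(tok: str):
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = tok.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return tok, None


def parse_tcpdump_line(line: str) -> Optional[Packet]:
    """Parse the IPv4 tcpdump summary format shown in the post."""
    m = _LINE.match(line)
    if not m:
        return None
    ts, src_tok, dst_tok, proto = m.groups()
    src, sport = _split_host(src_tok)
    dst, dport = _split_host(dst_tok)
    return Packet(ts, src, sport, dst, dport, proto)


def find_unprotected(lines, peer_a: str, peer_b: str) -> List[Packet]:
    """Packets between the two IPsec peers that went out without ESP."""
    leaks = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt and {pkt.src, pkt.dst} == {peer_a, peer_b} and pkt.proto != "ESP":
            leaks.append(pkt)
    return leaks


# Constructed capture modelled on the post's two tcpdump excerpts.
SAMPLE_CAPTURE = [
    f"18:38:45.690572 IP {FW_PEER} > {FW_LAN}: ESP (spi=0x000007d1,seq=0x1283)",
    f"18:38:45.904351 IP {FW_LAN} > {FW_PEER}: ESP (spi=0x000003ea,seq=0x139f)",
    f"18:38:47.174469 IP {FW_LAN}.52594 > {FW_PEER}.9194: S 334610734:334610734(0) win 65535",
]

if __name__ == "__main__":
    print("pre-NAT lookup :", spd_lookup(POSTED_SPD, LAN_CLIENT, FW_PEER, "out"))
    print("post-NAT lookup:", spd_lookup(POSTED_SPD, FW_LAN, FW_PEER, "out"))
    for p in find_unprotected(SAMPLE_CAPTURE, FW_LAN, FW_PEER):
        print("unprotected:", p)
```

The leak scan is the check to keep running on the external interface: between two hosts that are supposed to speak only ESP, any packet whose protocol field is not ESP is a policy bypass, and the posted SYN from port 52594 is exactly what it reports.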