tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: How to apply NAT before IPSec on outgoing packets



Here's an update since my last mail: We've applied a patch (attached below) to 
the ip_output.c file in the kernel. 
We copied the part for running the PFIL_HOOKS above the IPSEC- and 
FAST_IPSEC-processing so that NAT shall be applied before IPSec.

Unfortunately the results were somehow confusing. Here's what happens:

Test 1 - Ping from client inside internal LAN to client inside corporate LAN. 
We tcpdump'ed on the external interface of our NetBSD-router on the client 
side. 
Effects we see:
- The IPSec-tunnel is set up correctly (tunnel mode) thanks to racoon
- The NetBSD-router sends encrypted ICMP (destination unreachable) messages 
into the IPSec tunnel with his internal IP NAT'ed and the host 
  residing in the internal LAN as destination (no NAT)
- tcpdump on the internal interface shows that ping-packets are sent to our 
router but nothing is sent back

Test 2 - Ping from client inside internal LAN to internal interface of our 
NetBSD-router (client side). 
In the router's internal interface, we see:
- (tcpdump on the internal interface shows that ping-packets are sent to our 
router with normal speed but nothing is sent back)
What we see on our routers' external interface:
- The IPSec-tunnel is set up correctly, again in tunnel mode
- The NetBSD-router sends this ping encrypted and NAT'ed into the IPSec tunnel, 
and the vpn-gw sends it (also encrypted) back to our router, 
  who's sending the packet back to the vpn-gw and so on (routing loop)
- this results in a flooding of the tunnel until the TTL on the encapsulated 
ping request is expired and the next ping coming from the 
  client is sent into the tunnel starting all this flooding again

One other observation is that we can decrypt the packets from the corporate 
IPsec VPN router to our NetBSD router (using Wireshark),
but that we cannot decrypt the packets going out of our NetBSD router, with the 
data given by "setkey -D".

Does anyone have a good hint here on how to proceed?

On a related note: we've seen that OpenBSD comes with an enc(4) network 
interface dedicated to IPsec traffic, where filter/NAT rules can be applied 
before encrypting and after decrypting. The driver's source is rather short, 
but I guess there are deep interactions with OpenBSD's IPsec implementation. 
Has anyone looked into porting/implementing this framework to/on NetBSD?`


      1 Index: ip_output.c
      2 ===================================================================
      3 RCS file: /cvsroot/src/sys/netinet/ip_output.c,v
      4 retrieving revision 1.200.4.1
      5 diff -u -r1.200.4.1 ip_output.c
      6 --- ip_output.c 9 Jul 2009 19:38:27 -0000       1.200.4.1
      7 +++ ip_output.c 6 Nov 2009 15:39:02 -0000
      8 @@ -505,6 +505,24 @@
      9         /* Remember the current ip_len */
     10         ip_len = ntohs(ip->ip_len);
     11
     12 +#if defined(IPSEC) || defined(FAST_IPSEC)
     13 +#ifdef PFIL_HOOKS
     14 +       /*
     15 +        * Run through list of hooks for output packets before they are 
processed by
     16 +        * IPSEC / FAST_IPSEC. - DZ
     17 +        */
     18 +       if ((error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, 
PFIL_OUT)) != 0)
     19 +               goto done;
     20 +       if (m == NULL)
     21 +               goto done;
     22 +
     23 +       ip = mtod(m, struct ip *);
     24 +       hlen = ip->ip_hl << 2;
     25 +       ip_len = ntohs(ip->ip_len);
     26 +#endif /* PFIL_HOOKS */
     27 +#endif /* defined(IPSEC) || defined(FAST_IPSEC) */
     28 +
     29 +
     30  #ifdef IPSEC
     31         /* get SP for this packet */
     32         if (so == NULL)


Kind regards,
        - Daniel


A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Telefon +49 (941) 78385-460
Telefax +49 (941) 78385-150
D.Zebralla%ape-net.com@localhost
http://www.ape-net.com

_______________________________________

A.P.E. GmbH  IT-Security
Sitz der Gesellschaft: Regensburg
Handelsregister: HRB 5953, Regensburg
Geschäftsführer: Dr. Dieter Steiner



Home | Main Index | Thread Index | Old Index