All -
How can I do NAT/PAT over IPsec?
To explain more. I have 4 hosts in 2 different networks (10.200.0/22
and 10.57.132/24). They are 10.57.132.18, 10.57.132.24, 10.57.132.41
and 10.200.1.208. When these hosts access 10.200.200/24,
10.200.136/24, 10.200.205/24 and 10.200.132/24 I want to NAT them to
207.129.36.65.
My IPsec policies are
ike esp from { 207.129.36.65 } to { 10.200.200/24, 10.200.136/24,
10.200.205/25, 10.200.132/24 } \
local X.X.X.X ...
...
psk "ZZZZZZZZZ"
My IPsec tunnels are up, however I have trouble NAT'ing.
I followed some pointers given in ipsec(4),
NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow matching,
especially on the packet output path. Inside the TCP/IP stack, packets go
through the following stages:

UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
UL/R <-------- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF

With IF being the real interface and UL/R the Upper Layer or Routing code.
The [X] stage on the output path represents the point where the packet is
matched against the IPsec flow database (SPD) to determine if and how the
packet has to be IPsec-processed. If, at this point, it is determined that
the packet should be IPsec-processed, it is processed by the PF/NAT code.
Unless PF drops the packet, it will then be IPsec-processed, even if the
packet has been modified by NAT.
and this email thread, http://marc.info/?l=openbsd-misc&m=121866081214667&w=2
My pf.conf snippet:
table <MY_HOSTS> persist { \
10.57.132.18, \
10.57.132.24, \
10.57.132.41, \
10.200.1.208 }
table <OTHER_HOSTS> persist { \
10.200.200/24, \
10.200.136/24, \
10.200.205/24, \
10.200.132/24 }
NAT_IP = "207.129.36.65"
enc_if = "enc0"
nat on $enc_if from <MY_HOSTS> to <OTHER_HOSTS> -> $NAT_IP
pass quick on $enc_if
...
I had set skip on $enc_if, which I removed following the above thread.
Any pointers?
Thanks!
Prabhu
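The ordering quoted from ipsec(4) above is what decides whether a nat rule on enc0 ever sees a packet: the SPD lookup at [X] runs first, on the addresses the packet carries before PF/NAT(enc0) has rewritten anything. The Python below is an added model of that ordering, not OpenBSD code and not from this thread. It uses the addresses from the posted pf.conf and ipsec.conf as constructed input (the destination host 10.200.200.10 is made up), and the second SPD, with flows keyed on the hosts' real pre-NAT addresses, is a hypothetical alternative included only to show the contrast with flows keyed on the NAT address.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Flow:
    """One SPD entry: traffic from src_net to dst_net is to be IPsec-processed."""
    src_net: IPv4Network
    dst_net: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src_net and dst in self.dst_net


@dataclass
class NatRule:
    """Model of 'nat on enc0 from <src_set> to <dst_set> -> nat_ip'."""
    src_set: list
    dst_set: list
    nat_ip: IPv4Address

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in n for n in self.src_set) and any(dst in n for n in self.dst_set)


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ipsec: bool = False          # set once the IPsec stage has encapsulated it
    trace: list = field(default_factory=list)


def output_path(pkt: Packet, spd: list, enc0_nat: list) -> Packet:
    """Walk one packet through UL/R -> [X] -> PF/NAT(enc0) -> IPsec, as ipsec(4) orders them."""
    # [X]: the SPD lookup happens first, on the pre-NAT addresses.
    flow = next((f for f in spd if f.matches(pkt.src, pkt.dst)), None)
    pkt.trace.append(f"[X] src={pkt.src} dst={pkt.dst}: "
                     + ("flow matched" if flow else "no flow, plain routing"))
    if flow is None:
        return pkt                       # never reaches PF/NAT(enc0) or IPsec
    # PF/NAT(enc0): only packets the SPD selected get here.
    for rule in enc0_nat:
        if rule.matches(pkt.src, pkt.dst):
            pkt.trace.append(f"PF/NAT(enc0): src {pkt.src} -> {rule.nat_ip}")
            pkt.src = rule.nat_ip
            break
    # IPsec: encapsulates the packet as the NAT stage left it.
    pkt.ipsec = True
    pkt.trace.append(f"IPsec: encapsulated inner src={pkt.src} dst={pkt.dst}")
    return pkt


# Constructed input built from the thread's pf.conf and ipsec.conf values.
MY_HOSTS = [ip_network(h) for h in ("10.57.132.18/32", "10.57.132.24/32",
                                    "10.57.132.41/32", "10.200.1.208/32")]
OTHER_HOSTS = [ip_network(n) for n in ("10.200.200.0/24", "10.200.136.0/24",
                                       "10.200.205.0/24", "10.200.132.0/24")]
NAT_IP = ip_address("207.129.36.65")
ENC0_NAT = [NatRule(MY_HOSTS, OTHER_HOSTS, NAT_IP)]

# SPD as posted: flows keyed on the NAT address.
SPD_AS_POSTED = [Flow(ip_network("207.129.36.65/32"), n) for n in OTHER_HOSTS]
# Hypothetical alternative: flows keyed on the hosts' real (pre-NAT) addresses.
SPD_PRE_NAT = [Flow(h, n) for h in MY_HOSTS for n in OTHER_HOSTS]


def simulate(spd: list, src: str = "10.57.132.18", dst: str = "10.200.200.10") -> Packet:
    """Send one constructed packet from an inside host towards a remote network."""
    return output_path(Packet(ip_address(src), ip_address(dst)), spd, ENC0_NAT)


if __name__ == "__main__":
    for name, spd in (("SPD as posted", SPD_AS_POSTED), ("SPD keyed pre-NAT", SPD_PRE_NAT)):
        pkt = simulate(spd)
        print(f"{name}: ipsec={pkt.ipsec}, inner src={pkt.src}")
        for line in pkt.trace:
            print("   ", line)
```

Running it shows the consequence of the stage order: with flows written for 207.129.36.65, a packet from 10.57.132.18 finds no flow at [X] and is routed in the clear without ever touching the enc0 nat rule, whereas flows written for the real hosts are matched at [X], the packet is then rewritten to 207.129.36.65 on enc0, and that rewritten packet is what IPsec encapsulates. The model deliberately stops before PF/NAT(IF) and says nothing about how the peer's selectors or the key-management daemon would react; it only reproduces the ordering the man page text describes.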