Hello all,
I am struggling here to get a working site-to-site VPN on FreeBSD 10.3-RELEASE-p24. At first I installed security/strongswan from ports (version 5.6.0), and it would not even load its configured connections. So I decided to manually compile the security/strongswan 5.5.3 version and brought the tunnel up.
I have the following kernel configuration:
Code:
#IPSEC VPN Support
options TCP_SIGNATURE
options IPSEC #IP security
device crypto
device enc
options IPSEC_DEBUG #debug for IP security
options IPSEC_NAT_T
Here is ipsec.conf:
Code:
config setup

conn %default
    ikelifetime=86400s
    lifetime=3600s
    authby=psk
    keyexchange=ikev1
    mobike=no
    keyingtries = 3
    auto = route
    ike = aes256-sha1-modp2048!
    esp = aes256-sha1!,aes128-sha1!

conn MY_CONN
    ikelifetime=3600s
    lifetime=3600s
    keyexchange=ikev1
    leftid=200.169.26.31
    left=200.169.26.31
    leftsubnet=10.180.0.0/27
    right=200.132.64.2
    rightsubnet=200.18.76.99
    compress=no
Here is my ipsec status relevant output:
Code:
Security Associations (1 up, 0 connecting):
MY_CONN[2]: ESTABLISHED 9 seconds ago, x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y.y]
MY_CONN[2]: IKEv1 SPIs: 0f1a67bfb48a80cd_i* 46a823d1f888067e_r, pre-shared key reauthentication in 44 minutes
MY_CONN[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
The thing is I want to use 10.180.0.0/27 as a masquerading network. As I could not get NAT to work with IPsec and I just need one single TCP connection to work, I am trying to use net/tcpproxy to get the job done.
So my clients connect to IP X port A and net/tcpproxy connects to remote IP Y port B through the VPN. I have a similar configuration up and running elsewhere, but it's not working this time. enc0 shows no traffic at all.
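With auto=route, only flows whose source and destination fall inside the conn's leftsubnet/rightsubnet traffic selectors are handed to IPsec, so a proxy connection that leaves from an address outside 10.180.0.0/27 will never appear on enc0. The following is an added example, not code from the post or from strongSwan: it parses the ipsec.conf format shown above (one subnet per side assumed) and checks a given source/destination pair against a constructed copy of the poster's conn.

```python
"""Parse a strongSwan ipsec.conf and check whether a flow matches a conn's
traffic selectors. Added example for this thread, not part of the original
post or of strongSwan."""
import ipaddress

# Constructed sample: the poster's conn, with the section indentation
# that the ipsec.conf format requires for parameter lines.
IPSEC_CONF = """\
config setup

conn %default
    keyexchange=ikev1
    auto=route

conn MY_CONN
    left=200.169.26.31
    leftsubnet=10.180.0.0/27
    right=200.132.64.2
    rightsubnet=200.18.76.99
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values folded
    into every conn, mimicking ipsec.conf inheritance."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a section
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **params}
            for name, params in sections.items()
            if name.startswith("conn ") and name != "conn %default"}

def flow_matches(conn, src, dst):
    """True if src->dst lies inside leftsubnet->rightsubnet, i.e. the policy
    the kernel installs with auto=route. A bare host address means /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"]), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"]), strict=False)
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right

if __name__ == "__main__":
    conn = parse_ipsec_conf(IPSEC_CONF)["MY_CONN"]
    # Proxy bound to an address inside 10.180.0.0/27: matches, goes via enc0.
    print(flow_matches(conn, "10.180.0.5", "200.18.76.99"))    # True
    # Proxy using the host's public address: no policy match, never hits enc0.
    print(flow_matches(conn, "200.169.26.31", "200.18.76.99"))  # False
```

If the second case is what tcpproxy is doing, binding its outbound side to an address inside leftsubnet (or widening the selector) is what makes the flow eligible for the tunnel.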