Project

General

Profile

Actions
Copy link

Bug #12023

closed

Mobile IPsec NAT/BINAT entries missing from firewall rules

Added by Chris Linstruth over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
2.6.0
Start date:
06/10/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Adding a NAT or BINAT to a mobile IPsec configuration does not work.

The nat rules are not added to the pf configuration.

This is true for 1:1 and Many:1

Actions
Copy link
 #1

Updated by Jim Pingle over 3 years ago

  • Target version set to 2.6.0
  • Plus Target Version set to 21.09

Noting here what I mentioned on Slack:

  • This is likely due to the fact that the "remote" network on mobile P2s is from the mobile settings and not defined inside the P2.
  • The logic building the 1:1 NAT rules may be skipping these either because the remote is empty, or because it's mobile, or both.
  • This could work for well-defined mobile address pools (maybe not per-user pools, though), but definitely isn't viable for RADIUS-assigned addresses since there is no way for the firewall to know what those are.
Actions
Copy link
 #2

Updated by Chris Linstruth over 3 years ago

Documenting a possible workaround:

If you have the following Mobile IPsec configuration:

Mobile Virtual Address Pool: 172.16.17.0/24
Mobile Phase 2 Local Network: 192.168.1.0/24
Mobile Phase 2 BINAT Network: 10.11.12.0/24

You can leave that configuration in IPsec (to make the traffic interesting to IPsec) and add the following 1:1 NAT entry in Firewall > NAT, 1:1

Interface: IPsec
External Subnet IP: 10.11.12.0
Internal network: 192.168.1.0/24
Destination network: 172.16.17.0/24

That will give you this in the rule set:

binat on enc0 inet from 192.168.1.0/24 to 172.16.17.0/24 -> 10.11.12.0/24

Actions
Copy link
 #4

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
Actions
Copy link
 #5

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions
Copy link
 #6

Updated by Viktor Gurov over 3 years ago

  • % Done changed from 0 to 100
Actions
Copy link
 #7

Updated by Danilo Zrenjanin over 3 years ago

  • Status changed from Feedback to Resolved

Tested on the:

2.6.0-DEVELOPMENT (amd64)
built on Mon Jul 26 14:27:42 EDT 2021
FreeBSD 12.2-STABLE

Works for both 1:1 and Many:1.

Ticket resolved.

Actions
Copy link
 #8

Updated by Jim Pingle about 3 years ago

  • Subject changed from Mobile IPsec NAT/BINAT rules not inserted into pf rule set to Mobile IPsec NAT/BINAT entries missing from firewall rules

Updating subject for release notes.

Actions
Copy link
 #9

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions
Copy link

Also available in: Atom PDF