From: steve@Watt.COM (Steve Watt)
Date: Fri, 13 Apr 2001 16:53:07 -0700
To: questions@freebsd.org
Subject: IPsec painful setup...
Message-Id: <200104132353.f3DNr8B82866@wattres.Watt.COM>

I've got a situation where I'm trying to set up an IPsec ESP tunnel to a box that's on the far side of a NAT box. I've successfully set up an IPsec tunnel to my box at home, but it's smart enough to have a routable IP address on one interface, unlike this other situation.

Here's a picture of what I'm trying; maybe someone can help:

    (internal net A)           (DSL line)
      +---------+     |     +---------+     |      +-------------+
      | FreeBSD |     v     |         |     v      | Other IPsec |
      |   box   +-----------+ NAT rtr +-- inet ----+   capable   +--- internal net B
      |  ("A")  |           |         |            |   router    |
      +---------+           +---------+            +-------------+

Because it's a DSL line from the NATing router, I can't just hook up the network interface with the routable address to box A.

The starting configuration is pretty much as described in the IPsec mini-howto on DaemonNews.

So, the questions are as follows:

1. What address should I configure the local part of gif0 with? The one associated with the DSL line, or the (static) NATted address of box A?

2. Same question, but in the SPD.

3. Will I need to consume an extra subnet for the internal address of gif0, or put it on internal net B's range (with a proxy arp), or ...?
I can't seem to locate anything that provides adequate clues in this area; maybe I'm just SOL and need to upgrade the NAT rtr?

Thanks,

-- 
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
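One way to write the setkey(8) side of the topology pictured above, as an added example that is not part of the original post or the DaemonNews mini-howto. It assumes the NAT router forwards ESP (IP protocol 50) to box A and that keying is manual, so each end names the peer by the address it actually sees on the wire; it uses tunnel-mode policies between the two internal nets directly rather than gif(4), and every address, SPI and key is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or the DaemonNews mini-howto).
# Emits setkey(8) input for both ends of an ESP tunnel whose box A side sits
# behind a static 1:1 NAT, using tunnel-mode policies between the internal
# nets directly instead of gif(4). All addresses and keys are constructed
# placeholders. Assumptions: the NAT router forwards ESP (IP protocol 50) to
# box A, and keying is manual, so each end names the peer by the address it
# actually sees on the wire: A_PRIV on box A, NAT_PUB on router B.

A_PRIV="192.168.1.10"    # box A's static private address behind the NAT
NAT_PUB="203.0.113.5"    # DSL-side address of the NAT router
B_PUB="198.51.100.7"     # the other IPsec-capable router
NET_A="192.168.1.0/24"   # internal net A
NET_B="10.20.0.0/16"     # internal net B
SPI_A2B=0x10001; SPI_B2A=0x10002
# Placeholder keys (3des-cbc needs 24 bytes, hmac-sha1 20); generate real
# ones per direction with e.g. openssl rand -hex 24 / openssl rand -hex 20.
ENC_A2B=0x000102030405060708090a0b0c0d0e0f1011121314151617
AUTH_A2B=0x000102030405060708090a0b0c0d0e0f10111213
ENC_B2A=0x202122232425262728292a2b2c2d2e2f3031323334353637
AUTH_B2A=0x202122232425262728292a2b2c2d2e2f30313233

# sa SRC DST SPI ENCKEY AUTHKEY: one tunnel-mode ESP SA.
sa() {
    printf 'add %s %s esp %s -m tunnel -E 3des-cbc %s -A hmac-sha1 %s;\n' \
        "$1" "$2" "$3" "$4" "$5"
}
# spd_pair LOCAL_NET REMOTE_NET LOCAL REMOTE: require ESP tunnel both ways.
spd_pair() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

setkey_for_a() {   # on box A: setkey_for_a | setkey -c
    printf 'flush;\nspdflush;\n'
    sa "$A_PRIV" "$B_PUB" "$SPI_A2B" "$ENC_A2B" "$AUTH_A2B"
    sa "$B_PUB" "$A_PRIV" "$SPI_B2A" "$ENC_B2A" "$AUTH_B2A"
    spd_pair "$NET_A" "$NET_B" "$A_PRIV" "$B_PUB"
}
setkey_for_b() {   # on router B: same SPIs and keys, but A is NAT_PUB here
    printf 'flush;\nspdflush;\n'
    sa "$NAT_PUB" "$B_PUB" "$SPI_A2B" "$ENC_A2B" "$AUTH_A2B"
    sa "$B_PUB" "$NAT_PUB" "$SPI_B2A" "$ENC_B2A" "$AUTH_B2A"
    spd_pair "$NET_B" "$NET_A" "$B_PUB" "$NAT_PUB"
}

echo '# --- box A ---';    setkey_for_a
echo '# --- router B ---'; setkey_for_b
```

The two outputs differ only in which address stands for box A; since an ESP tunnel-mode ICV does not cover the outer IP header, the NAT rewrite of the outer source address is tolerated as long as the far end's SA is keyed on the address it receives.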