From: Alex Kiesel
To: Nick Rogness
Cc: Alex Kiesel, freebsd-questions@FreeBSD.ORG
Subject: Re: IpSec behind NAT
Date: Mon, 25 Feb 2002 22:31:39 +0100
Message-ID: <20020225213139.GA16130@schlund.de>
References: <20020224130534.GA8465@schlund.de>

On Feb 25, 2002, Nick Rogness wrote:
> The simple solution is to NOT NAT ipsec packets. You don't need
> to and really don't want to. Are you using gif tunnels or not?

No, I'm not using gif tunnels. Should I?

> Add the firewalling for these hosts "around" the divert rule so
> IPSec packets don't hit the natd divert rule. [If you are using
> ipfw].

On the way to the other subnet this is clear, because here my SPD does
choose the right destination. When the answer to my request hits my
firewall, it does not know where to forward it to. So it never arrives.
I think I have to do some kind of NAT for this.

The problem is, I don't have any idea which way the ESP and AH packets
go inside the firewall. I guess the kernel decrypts the packet and
injects it into the "firewalling code". Do you have a more detailed
plan?

Thanks,
Alex

--
Alex Kiesel
PGP Key: 0x09F4FA11
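Nick's "around the divert rule" suggestion, spelled out as an ipfw rule fragment (an added example, not code from the thread; the interface name, addresses and subnets are assumed placeholders):

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules that let IPsec traffic and
# the tunnelled subnets bypass the natd divert rule, so neither the ESP/AH/IKE
# packets nor the decrypted inner packets are ever rewritten by natd.
# All values below are assumed placeholders; replace them with your own.
ext_if="fxp0"                # external interface natd listens on
ext_ip="198.51.100.1"        # this gateway's public address
peer="203.0.113.10"          # remote IPsec gateway
local_net="192.168.1.0/24"   # subnet behind this gateway
remote_net="192.168.2.0/24"  # subnet behind the peer

# ipsec_rules prints the ruleset in order; lower numbers match first.
ipsec_rules() {
    # IKE negotiation and the ESP/AH packets themselves, both directions.
    echo "add 100 allow udp from $ext_ip 500 to $peer 500 via $ext_if"
    echo "add 100 allow udp from $peer 500 to $ext_ip 500 via $ext_if"
    echo "add 110 allow esp from $ext_ip to $peer via $ext_if"
    echo "add 110 allow esp from $peer to $ext_ip via $ext_if"
    echo "add 120 allow ah from $ext_ip to $peer via $ext_if"
    echo "add 120 allow ah from $peer to $ext_ip via $ext_if"
    # Traffic between the two private subnets: outbound it is passed here
    # untouched and the SPD then encapsulates it; inbound the kernel decrypts
    # the ESP packet and re-injects the inner packet, which matches here
    # instead of reaching natd.
    echo "add 200 allow ip from $local_net to $remote_net"
    echo "add 200 allow ip from $remote_net to $local_net"
    # Only what is left over on the external interface is NATed.
    echo "add 300 divert natd ip from any to any via $ext_if"
}

# Sanity check: every allow rule must carry a lower number than the divert
# rule, otherwise natd still sees the IPsec traffic. Returns 0 when correct.
check_bypass_before_divert() {
    ipsec_rules | awk '
        $1 == "add" && $3 == "divert" { div = $2 + 0 }
        $1 == "add" && $3 == "allow"  { if ($2 + 0 > max) max = $2 + 0 }
        END { exit (div > 0 && max > 0 && max < div) ? 0 : 1 }'
}

# Apply on the gateway (set FWCMD=echo for a dry run).
apply_rules() {
    ipsec_rules | while read -r rule; do
        ${FWCMD:-/sbin/ipfw} $rule || return 1
    done
}
```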