Date: Mon, 25 Feb 2002 22:31:39 +0100
From: Alex Kiesel <freebsd@document-root.de>
To: Nick Rogness <nick@rogness.net>
Cc: Alex Kiesel <freebsd@document-root.de>, freebsd-questions@FreeBSD.ORG
Subject: Re: IpSec behind NAT
Message-ID: <20020225213139.GA16130@schlund.de>
In-Reply-To: <Pine.BSF.4.21.0202251113510.56670-100000@cody.jharris.com>
References: <20020224130534.GA8465@schlund.de> <Pine.BSF.4.21.0202251113510.56670-100000@cody.jharris.com>
On Feb 25, 2002, Nick Rogness wrote:
> The simple solution is to NOT NAT ipsec packets. You don't need
> to and really don't want to. Are you using gif tunnels or not?

No, I'm not using gif tunnels. Should I?

> Add the firewalling for these hosts "around" the divert rule so
> IPSec packets don't hit the natd divert rule. [If you are using
> ipfw].

On the way to the other subnet this is clear, because here my SPD does choose the right destination. When the answer to my request hits my firewall, it does not know where to forward it to. So it never arrives. I think I have to do some kind of NAT for this.

The problem is, I don't have any idea which way the ESP and AH packets go inside the firewall. I guess the kernel decrypts the packet and injects it into the "firewalling code".

Do you have a more detailed plan?

Thanks,
Alex

--
Alex Kiesel
PGP Key: 0x09F4FA11
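The "firewalling around the divert rule" that Nick suggests comes down to rule ordering: ipfw evaluates rules in ascending number order and the first match wins, so allow rules for ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP 500) placed in front of the `divert natd` rule keep those packets away from natd entirely. The script below is an added example, not code from either participant in the thread. The interface name, the local and remote subnets and the peer address are placeholders; whether the decrypted inner packet passes ipfw a second time on this kernel is exactly the open question of the message, and rules 130/131 exist so that, if it does, it still misses the divert rule.

```shell
#!/bin/sh
# Added example: an ipfw ruleset that keeps IPsec traffic away from natd.
# All addresses and the interface name are assumptions for illustration.
EXT_IF="fxp0"                 # outside interface where natd runs (assumed)
LAN_NET="192.168.1.0/24"      # subnet behind this gateway (assumed)
REMOTE_NET="192.168.2.0/24"   # subnet behind the IPsec peer (assumed)
PEER="203.0.113.10"           # remote IPsec gateway (assumed)

# Emit the rules in ipfw number order. Everything IPsec-related (100-131)
# sits in front of the divert rule (200), so ESP, AH, IKE and the cleartext
# tunnel subnets are never handed to natd. Rule 300 is the catch-all.
ipsec_nat_ruleset() {
    cat <<EOF
add 100 allow esp from any to $PEER
add 101 allow esp from $PEER to any
add 110 allow ah from any to $PEER
add 111 allow ah from $PEER to any
add 120 allow udp from any 500 to $PEER 500
add 121 allow udp from $PEER 500 to any 500
add 130 allow ip from $LAN_NET to $REMOTE_NET
add 131 allow ip from $REMOTE_NET to $LAN_NET
add 200 divert natd ip from any to any via $EXT_IF
add 300 allow ip from any to any
EOF
}

# Sanity check before loading: every IPsec/tunnel rule must carry a lower
# number than the divert rule, otherwise natd sees those packets first.
# Returns 0 (true) when the ordering is right.
check_rule_order() {
    max_ipsec=$(ipsec_nat_ruleset | grep -Ev 'divert|^add 300 ' \
                | awk '{print $2}' | sort -n | tail -1)
    divert=$(ipsec_nat_ruleset | grep divert | awk '{print $2}')
    [ "$max_ipsec" -lt "$divert" ]
}

# Load the rules only on a host that has ipfw and only when asked to;
# anywhere else the script just prints the ruleset for review.
if [ "$1" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
    check_rule_order || { echo "refusing to load: divert rule too early" >&2; exit 1; }
    ipsec_nat_ruleset | while read -r rule; do
        ipfw $rule
    done
else
    ipsec_nat_ruleset
fi
```

Run it without arguments to print the ruleset, or as `sh ipsec-nat.sh apply` on the gateway to load it. The per-direction pairs (100/101 and so on) are deliberate: `allow esp from any to any` would also let unrelated ESP from third parties through, while pinning the peer address keeps the exception as narrow as the tunnel itself.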
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020225213139.GA16130>