From owner-freebsd-questions Tue Dec 7 17:42:21 1999
Message-ID: <384DB776.FCC265FC@ahpcns.com>
Date: Wed, 08 Dec 1999 01:42:14 +0000
From: jomor <jomor@ahpcns.com>
Organization: ahpcns
X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i386)
To: "questions@freebsd.org"
Subject: Re: can IPFW & NAT co-exist with kame IPSEC?
References: <199912070458.MAA00905@netrinsics.com>

Does pipsecd work with Ethernet interfaces, or is it specifically for PPP?

Michael Robinson wrote:
> jomor writes:
> >I want to add support for kame IPSEC (for net-to-net tunnelling)
> >capability to my existing firewall/NAT box. The box is running freebsd
> >3.3-STABLE. I am networking with IP-V4 and don't want to go to V6 at
> >this time. Does anyone know if this is possible?
>
> I don't know if it's possible, but I *do* know it's possible to use
> ipfilter+ipnat+pipsecd to achieve the same functionality on one box.
>
> (And, with a few tricks, also userland ppp, to get a dial-on-demand VPN.)
>
> >If it's possible, what firewall
> >rule modifications do I need so tunnel-bound traffic doesn't get NAT'ed?
>
> Tunnel-bound traffic with pipsecd is routed to a separate tun device from the
> ipnat interface, so this isn't a problem. Tunnel packets appear as esp
> packets originating from the gateway interface.
>
> -Michael Robinson
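The rule-ordering point behind Robinson's answer ("tunnel traffic goes out a separate tun device, and shows up on the outside as ESP from the gateway") is the same whether the NAT is ipnat or natd. As an added illustration, not from either poster, here is how the exemption looks in an ipfw(8) rule file for the ipfw + natd setup the original question describes, assuming a pipsecd tun device. Every interface name and address is a placeholder: ed0 is the outside interface, tun0 is pipsecd's tunnel device, 192.168.1.0/24 and 192.168.2.0/24 are the local and remote private networks, and 198.51.100.1 is the remote gateway.

```conf
# Constructed example, not from the thread. Lines are in ipfw(8) rule-file
# form, i.e. each line is what would follow "ipfw" on the command line.
# Placeholders: ed0 = outside interface, tun0 = pipsecd tunnel device,
# 192.168.1.0/24 = local LAN, 192.168.2.0/24 = remote LAN,
# 198.51.100.1 = remote gateway's public address.

# 1. Private-to-private traffic crossing the tunnel device never needs
#    address translation, so accept it before the divert rule is reached.
add 100 allow ip from 192.168.1.0/24 to 192.168.2.0/24 out via tun0
add 110 allow ip from 192.168.2.0/24 to 192.168.1.0/24 in via tun0

# 2. After pipsecd encapsulates, the packets appear on ed0 as ESP (protocol 50)
#    between the two gateways; accept those as well so natd does not see them.
add 200 allow esp from any to 198.51.100.1 out via ed0
add 210 allow esp from 198.51.100.1 to any in via ed0

# 3. Only what is left crossing the outside interface goes to natd.
add 300 divert natd ip from any to any via ed0

# ... existing filtering rules for the outside interface continue here ...
add 65000 allow ip from any to any
```

The order matters: ipfw processes rules by number and stops at the first match, so the accept rules for tun0 and for ESP must carry lower numbers than the divert rule, otherwise the cleartext private addresses would be rewritten before pipsecd ever saw them.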