From: Alex Dupre <ale@FreeBSD.org>
Date: Thu, 12 Jan 2012 08:29:12 +0100
To: "Bjoern A. Zeeb"
Cc: freebsd-net@FreeBSD.org
Subject: Re: Filtering on IPSEC
Message-ID: <4F0E8BC8.2020703@FreeBSD.org>
In-Reply-To: <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net>

Bjoern A. Zeeb wrote:
> Need more input. A) why are you using gif? B) are you using transport mode?

I'm using gif because the official FreeBSD documentation says so
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html). My configuration is very similar to what is described on that page. If that's not the correct way, I'll fix the documentation after understanding the right procedure.

I'm using tunnel mode for a network-to-network VPN.

> NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.

Can you elaborate a little more on the reason ipfw can and pf cannot? Is it because with ipfw/nat the packet is reinjected with the translated src IP and so matched by the SPD?

Currently, with my setup and pf, I faced exactly these two problems (SPD match before translation and i/o on different interfaces). I think it's not so uncommon that the two networks may collide, so assigning a "good" IP to one endpoint gateway and doing NAT on it should be well documented in our handbook. If you give me a hint on how this could be achieved with ipfw I'll update the docs accordingly.

Thanks for your support.

-- 
Alex Dupre
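The "SPD match before translation" problem raised in the message, as an added toy model that is not part of the thread and not FreeBSD's, pf's or ipfw's code: the same packet is run through a NAT stage and an SPD lookup in both orders, and only the NAT-first order ever yields a policy match when the SPD is written for the translated address. The local prefix, the "good" gateway IP, the remote prefix and the pipeline itself are constructed for illustration; which real stack applies which order is not asserted.

```python
"""Model of a site-to-site gateway that hides a colliding local prefix behind
one 'good' IP before IPsec, and an SPD written for that translated address.
All addresses below are constructed for the example."""
import ipaddress
from typing import Dict, Sequence, Tuple

Packet = Dict[str, str]  # keys: "src", "dst"

LOCAL = ipaddress.ip_network("192.168.178.0/24")   # constructed: local LAN
GOOD_IP = ipaddress.ip_address("10.9.0.1")         # constructed: NATed gateway IP
REMOTE = ipaddress.ip_network("192.168.1.0/24")    # constructed: remote LAN

# Constructed SPD: protect traffic from the translated address to the remote site.
SPD = [(ipaddress.ip_network(f"{GOOD_IP}/32"), REMOTE)]


def nat(pkt: Packet) -> Packet:
    """Masquerade: rewrite src to GOOD_IP when it comes from the local prefix."""
    if ipaddress.ip_address(pkt["src"]) in LOCAL:
        return dict(pkt, src=str(GOOD_IP))
    return pkt


def spd_lookup(pkt: Packet) -> bool:
    """True when some SPD entry covers (src, dst), i.e. IPsec would apply."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return any(src in s and dst in d for s, d in SPD)


def send(pkt: Packet, order: Sequence[str]) -> Tuple[Packet, bool]:
    """Run pkt through the stages in the given order.

    Returns the packet as it would leave the box and whether the SPD
    lookup, at the point it ran, selected an IPsec policy for it."""
    protected = False
    for stage in order:
        if stage == "nat":
            pkt = nat(pkt)
        elif stage == "spd":
            protected = spd_lookup(pkt)
        else:
            raise ValueError(f"unknown stage {stage!r}")
    return pkt, protected


if __name__ == "__main__":
    pkt = {"src": "192.168.178.12", "dst": "192.168.1.7"}  # constructed
    for order in (("spd", "nat"), ("nat", "spd")):
        out, prot = send(pkt, order)
        print(f"{'->'.join(order):10s} leaves as src={out['src']} protected={prot}")
```

With SPD before NAT the packet leaves with the translated source but no policy ever matched it; with NAT before SPD the translated packet hits the policy, which is the behaviour the message attributes to ipfw.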