Date:      Thu, 12 Jan 2012 07:55:42 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Alex Dupre <ale@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: Filtering on IPSEC
Message-ID:  <FD78C4CE-B9A8-4541-8A67-BDD75C626D0A@lists.zabbadoz.net>
In-Reply-To: <4F0E8BC8.2020703@FreeBSD.org>
References:  <4F0DD127.4040205@FreeBSD.org> <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net> <4F0E8BC8.2020703@FreeBSD.org>


On 12. Jan 2012, at 07:29 , Alex Dupre wrote:

> Bjoern A. Zeeb ha scritto:
>> Need more input.  A) why are you using gif?  B) are you using transport mode?
>
> I'm using gif, because the official FreeBSD documentation says so (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html). My configuration is very similar to what is described on that page. If that's not the correct way, I'll fix the documentation after understanding the right procedure.

It's not and hasn't been in ...  I think there was someone fixing the documentation actually lately... I'll ping people and see where that went.


> I'm using tunnel mode for network to network vpn.

If you are using tunnel mode and gif you'll have trouble;  just use tunnel mode without gif and you'll be happy.



>> NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.
>
> Can you elaborate a little more about the reason ipfw can and pf cannot? Is it because with ipfw/nat the packet is reinjected with the translated src IP and so matched by the SPD? Currently, with my setup and pf, I faced exactly these two problems (SPD match before translation and i/o on different interfaces).

It's because (our) pf cannot NAT on incoming but only on outgoing interfaces.   And you need to NAT on packet entry into the system...


> I think it's not so uncommon that the two networks may collide, so assigning a "good" IP to one endpoint gateway and doing NAT on it should be well documented in our handbook. If you give me a hint on how this could be achieved with ipfw I'll update the docs accordingly.

The answer is use IPv6 and ... oh wait.. not the answer you wanted to hear;)

I haven't done it in probably 5 years or so now but basically you set up the NAT on the incoming (probably your inside) interface and take care of localhost as much as needed.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!
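The ipfw arrangement described in the reply above (NAT applied on packet entry through the inside interface, so the IPsec SPD lookup in the output path already sees the translated source, plus a pass rule for loopback), written out as an added example that is not part of the original thread and not code from the FreeBSD handbook. All addresses and interface names are constructed for the example: em1 is the inside interface with LAN 192.168.1.0/24, em0 is the outside interface with public address 203.0.113.1, the remote gateway is 198.51.100.1 with LAN 172.16.0.0/16, and 10.99.0.1 is the "good" address the local LAN is translated to. Rules are printed instead of applied unless APPLY=1 is set, so the script can be read and checked before it touches a live system.

```shell
#!/bin/sh
# Added example: ipfw NAT-before-IPsec ruleset for a tunnel-mode gateway
# without gif. Constructed topology (assumption, not from the thread):
#   em1  inside,  LAN 192.168.1.0/24           (the colliding network)
#   em0  outside, 203.0.113.1, remote gateway 198.51.100.1
#   10.99.0.1    "good" address the local LAN is translated to
#   172.16.0.0/16 remote LAN reached through the tunnel

# Print rules by default; only invoke ipfw(8) when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

build_rules() {
    run -q -f flush

    # Loopback traffic must never hit the NAT instance ("take care of
    # localhost"): pass it first.
    run add 10 allow ip from any to any via lo0

    # In-kernel NAT instance. same_ports keeps source ports stable where
    # possible, which keeps the remote side's logs readable.
    run nat 1 config ip 10.99.0.1 same_ports

    # Translate on ENTRY through the inside interface. This runs in
    # ip_input, before forwarding and before the SPD lookup in ip_output,
    # so the policy for 10.99.0.1 -> 172.16.0.0/16 matches the packet.
    run add 100 nat 1 ip from 192.168.1.0/24 to 172.16.0.0/16 in via em1

    # Replies come back decapsulated on the outside interface with the
    # translated address as destination; undo the translation on entry.
    run add 110 nat 1 ip from 172.16.0.0/16 to 10.99.0.1 in via em0

    # IKE and ESP between the two gateways.
    run add 200 allow udp from 203.0.113.1 500 to 198.51.100.1 500
    run add 201 allow udp from 198.51.100.1 500 to 203.0.113.1 500
    run add 210 allow esp from 198.51.100.1 to 203.0.113.1
    run add 211 allow esp from 203.0.113.1 to 198.51.100.1

    # Plain forwarding between the translated address and the remote LAN.
    run add 300 allow ip from 10.99.0.1 to 172.16.0.0/16
    run add 301 allow ip from 172.16.0.0/16 to 192.168.1.0/24
}

# Matching setkey(8) policy: note it names the translated address
# 10.99.0.1, not the LAN prefix, because that is what ip_output sees.
spd_config() {
    cat <<'EOF'
spdadd 10.99.0.1/32 172.16.0.0/16 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 172.16.0.0/16 10.99.0.1/32 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
EOF
}

build_rules
spd_config
```

The default net.inet.ip.fw.one_pass=1 means a packet accepted by a nat rule leaves ipfw immediately with its translated header, which is what this ruleset relies on; with one_pass=0 the later allow rules are consulted as well. Rule numbers, the remote address plan and the choice of a single translated host address are the example's own assumptions, not values from the thread.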