From owner-freebsd-net@FreeBSD.ORG Thu Jun 14 20:21:57 2012
From: Michael Sierchio
To: Eugene Grosbein
Cc: "net@freebsd.org"
Date: Thu, 14 Jun 2012 13:21:56 -0700
Subject: Re: ip_output: NAT then IPSEC
In-Reply-To: <4FDA1483.4090207@rdtc.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Jun 14, 2012 at 9:42 AM, Eugene Grosbein wrote:
> How do I make a FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets and then apply IPSEC transport mode
> for plain TCP traffic?

Forgive me, but I have to ask - why?

IPsec implies pairwise association, and relies on a tunnel - which means that each side knows both tunnel endpoints and both internal networks. What do you hope to accomplish with NAT?

- M