Date: Thu, 14 Jun 2012 20:30:42 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Eugene Grosbein <egrosbein@rdtc.ru>
Cc: "net@freebsd.org" <net@freebsd.org>
Subject: Re: ip_output: NAT then IPSEC
Message-ID: <1EFC4D8F-B195-4BA7-9AE0-7B9CA9C1F2F5@lists.zabbadoz.net>
In-Reply-To: <4FDA1483.4090207@rdtc.ru>

On 14. Jun 2012, at 16:42 , Eugene Grosbein wrote:

> Hi!
>
> How do I make FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets then apply IPSEC transport mode
> for plain TCP traffic?
>
> Presently, locally originated packets are encrypted just fine
> but routed and NAT-ed packets go out unencrypted.
>
> I use ipfw nat.

You NAT on your inside interface; ipfw can do that; pf cannot, so you are lucky. I have done it about 5-6 years ago.

However there is one caveat: you need a SP for both the before-NAT (which you normally do not want) and the after-NAT packets and you usually cannot do that unless you control both sides of the tunnel.

/bz

--
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
