Date: Thu, 14 Jun 2012 20:30:42 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Eugene Grosbein <egrosbein@rdtc.ru>
Cc: "net@freebsd.org" <net@freebsd.org>
Subject: Re: ip_output: NAT then IPSEC
Message-ID: <1EFC4D8F-B195-4BA7-9AE0-7B9CA9C1F2F5@lists.zabbadoz.net>
In-Reply-To: <4FDA1483.4090207@rdtc.ru>
References: <4FDA1483.4090207@rdtc.ru>
On 14. Jun 2012, at 16:42 , Eugene Grosbein wrote:

> Hi!
>
> How do I make a FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets, then apply IPSEC transport mode
> for plain TCP traffic?
>
> Presently, locally originated packets are encrypted just fine,
> but routed and NAT-ed packets go out unencrypted.
>
> I use ipfw nat.

You NAT on your inside interface; ipfw can do that; pf cannot, so you are lucky. I have done it about 5-6 years ago.

However, there is one caveat: you need a SP for both the before-NAT (which you normally do not want) and the after-NAT packets, and you usually cannot do that unless you control both sides of the tunnel.

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
It does not matter how good you are. It matters what good you do!
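As an added illustration of the layout described in the reply (not part of the thread, and not tested against the poster's setup): ipfw nat bound to the inside interface, plus setkey(8) policies for both the after-NAT and the before-NAT source. All interface names and addresses (em1, 192.0.2.0/24, 203.0.113.1, 198.51.100.10) are constructed placeholders.

```conf
# --- ipfw(8) rules (constructed example) ---
# em1 is the INSIDE interface; 192.0.2.0/24 is the LAN behind it;
# 203.0.113.1 is the gateway's outside address that LAN hosts are hidden behind.
# "reverse" flips libalias' notion of in/out so that translation can be done
# on the inside interface instead of the outside one.
nat 1 config ip 203.0.113.1 reverse same_ports
# Translate LAN traffic as it crosses em1 in either direction. Because the
# rewrite happens on input, the packet already carries the post-NAT source
# when ip_output consults the SPD and applies IPsec.
add 100 nat 1 ip from any to any via em1

# --- setkey(8) policies, e.g. /etc/ipsec.conf (constructed example) ---
# 198.51.100.10 is the remote peer; transport-mode ESP for plain TCP.
# After-NAT policy: this is what the peer actually sees on the wire.
spdadd 203.0.113.1 198.51.100.10 tcp -P out ipsec esp/transport//require;
spdadd 198.51.100.10 203.0.113.1 tcp -P in  ipsec esp/transport//require;
# Before-NAT policy: the caveat from the reply. A policy for the untranslated
# LAN source is also needed, even though those addresses never leave the box.
spdadd 192.0.2.0/24 198.51.100.10 tcp -P out ipsec esp/transport//require;
```

Load the ipfw part with `ipfw -q /path/to/rules` (after enabling `net.inet.ip.fw.one_pass` as appropriate) and the policies with `setkey -f /etc/ipsec.conf`; the IKE daemon on both sides must be willing to negotiate SAs for the selectors above, which is the "control both sides" condition the reply mentions.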