From: "Bjoern A. Zeeb"
To: Eugene Grosbein
Cc: net@freebsd.org
Subject: Re: ip_output: NAT then IPSEC
Date: Thu, 14 Jun 2012 20:30:42 +0000
Message-Id: <1EFC4D8F-B195-4BA7-9AE0-7B9CA9C1F2F5@lists.zabbadoz.net>
In-Reply-To: <4FDA1483.4090207@rdtc.ru>
References: <4FDA1483.4090207@rdtc.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 14. Jun 2012, at 16:42 , Eugene Grosbein wrote:

> Hi!
>
> How do I make a FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets and then apply IPSEC transport mode
> for plain TCP traffic?
>
> Presently, locally originated packets are encrypted just fine,
> but routed and NAT-ed packets go out unencrypted.
>
> I use ipfw nat.

You NAT on your inside interface; ipfw can do that; pf cannot, so you are lucky.

I did it about 5-6 years ago. However, there is one caveat: you need an SP for both the before-NAT packets (which you normally do not want) and the after-NAT packets, and you usually cannot do that unless you control both sides of the tunnel.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
It does not matter how good you are. It matters what good you do!
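The configuration Bjoern's answer describes, as an added example (it is not from his mail, Eugene's setup or the FreeBSD project): ipfw nat is attached to the inside interface, so that a forwarded packet already carries the gateway's public address as source by the time ip_output consults the SPD, and a pair of transport-mode SPs then covers the post-NAT TCP traffic to the peer. Interface names (em1), the LAN prefix, the gateway address and the peer address are made up; the DRY_RUN wrapper is mine so the script can be read and checked on any machine. Only the after-NAT SPs are shown; the before-NAT SP he mentions depends on what the peer is willing to negotiate and is not encoded here.

```shell
#!/bin/sh
# Added example, not from the original mail: ipfw nat on the *inside*
# interface followed by transport-mode IPsec SPs for the post-NAT
# addresses. All names and addresses below are assumptions.
set -eu

LAN_IF=em1                 # inside interface: NAT happens here
LAN_NET=192.168.1.0/24     # hosts behind the gateway (assumed)
WAN_IP=203.0.113.1         # gateway's public address, i.e. the post-NAT source
PEER=198.51.100.7          # remote host whose TCP traffic must be ESP-protected

DRY_RUN=${DRY_RUN:-1}      # 1: print the commands, 0: execute them (FreeBSD, root)

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipfw rules. Translation is done as packets *enter* from the LAN, so the
# later SPD lookup in ip_output sees WAN_IP, not the private address.
nat_rules() {
    run ipfw nat 1 config ip "$WAN_IP"
    # LAN -> anywhere: rewrite the source as the packet comes in via LAN_IF
    run ipfw add 100 nat 1 ip from "$LAN_NET" to any in via "$LAN_IF"
    # replies: rewrite the destination back as the packet leaves via LAN_IF
    run ipfw add 110 nat 1 ip from any to "$WAN_IP" out via "$LAN_IF"
    run ipfw add 65000 allow ip from any to any
}

# setkey policy text: require ESP transport mode for plain TCP between the
# post-NAT address and the peer, in both directions.
spd_policy() {
    printf 'spdadd %s/32 %s/32 tcp -P out ipsec esp/transport//require;\n' "$WAN_IP" "$PEER"
    printf 'spdadd %s/32 %s/32 tcp -P in ipsec esp/transport//require;\n' "$PEER" "$WAN_IP"
}

# Load the policy with setkey(8); -c reads the configuration from stdin.
spd_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'setkey -c <<EOF\n'
        spd_policy
        printf 'EOF\n'
    else
        spd_policy | setkey -c
    fi
}

nat_rules
spd_rules
```

Run as-is to see the rule set; `DRY_RUN=0 sh script.sh` as root applies it on a FreeBSD gateway whose kernel has IPsec and ipfw and which has `net.inet.ip.forwarding=1`. Note the direction keywords in the two nat rules: outbound LAN traffic is translated on `in via em1`, not on `out via` the WAN interface, which is exactly the placement Bjoern's answer relies on.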