Date: Wed, 25 Apr 2001 00:12:37 -0700
From: steve@Watt.COM (Steve Watt)
To: questions@freebsd.org
Subject: IPsec and natd/divert don't play? was Re: VPN / VLAN configuration
Message-ID: <200104250712.f3P7CbW07323@wattres.Watt.COM>
In-Reply-To: <200104250652.f3P6qQg06374@wattres.Watt.COM>
Steve Watt <steve@watt.com> wrote:
[ a longish mini-HOWTO on IPSEC these days ]
>If you're dealing with systems that do not have NAT boxes in front of
>them, it's surprisingly straightforward:

However, I've got a question, as well.  It appears that IPsec and divert
sockets (and/or natd) don't get along well.

My setup joins my internal network to my employer's, with the recipe I
laid out in my previous note.

Here's a config that works:

# ipfw list
65000 allow ip from any to any
65535 deny ip from any to any
#

I can freely ping through the tunnel, everything is happy.

Here's the one that doesn't work, starting from above:

# ipfw add 215 divert natd all from any to any via xl0
# natd -n xl0

I can no longer ping through the tunnel.  It's quite reversible; if I
delete the divert rule, I can tunnel, but the clients that need NAT
service don't work.

Am I missing something?  Is there some bug in natd, or an option that I
need to feed it?

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                      Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104250712.f3P7CbW07323>
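Editor's note, added here and not part of Steve's post or of any reply in the thread.  The post does not establish why adding the divert rule kills the tunnel, but the divert as written hands natd every packet that crosses xl0: the ESP/AH packets themselves and, depending on where ipfw sees them relative to IPsec processing, the unencapsulated inner packets too.  natd rewrites source addresses on outbound packets from non-local networks to xl0's address, and a rewritten inner packet would no longer match the tunnel's security policy; whether that is what happens on this box is a hypothesis, not something the thread confirms.  What a practitioner would want to check first is whether the tunnel survives once tunnel traffic is kept away from natd.  ipfw evaluates rules in ascending number order and the first matching allow/deny/divert decides, so anything allowed at a number below 215 never reaches the divert socket.  The script below is an added example of that ordering.  The subnets (LOCAL_NET, REMOTE_NET), the presence of IKE on UDP 500, and the rule numbers 200..207 are assumptions; xl0 and rule 215 come from the post.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Keep IPsec tunnel traffic out of natd by allowing it before the divert rule.
# ipfw: lowest rule number first, first terminal match wins, so rules 200..207
# short-circuit rule 215 for tunnel traffic; natd never sees those packets.

LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}   # assumed: inner net behind this gateway
REMOTE_NET=${REMOTE_NET:-10.0.0.0/16}    # assumed: inner net at the employer's end
EXT_IF=${EXT_IF:-xl0}                    # outside interface, from the post
DIVERT_RULE=${DIVERT_RULE:-215}          # divert rule number, from the post
IPFW=${IPFW:-ipfw}                       # set IPFW=echo to dry-run

# Emit the ruleset, one "add ..." per line, lowest number first.
# Rules 200/201 cover the inner (pre/post-tunnel) packets by address alone,
# 205/206 the ESP/AH packets on the outside, 207 IKE (assumed: racoon in use).
ipsec_bypass_rules() {
    cat <<EOF
add 200 allow ip from $LOCAL_NET to $REMOTE_NET
add 201 allow ip from $REMOTE_NET to $LOCAL_NET
add 205 allow esp from any to any
add 206 allow ah from any to any
add 207 allow udp from any 500 to any 500
add $DIVERT_RULE divert natd all from any to any via $EXT_IF
EOF
}

# Sanity check: every bypass rule must carry a lower number than the divert
# rule, otherwise natd sees the tunnel traffic first. Returns 0 when the
# order is right, 1 otherwise.
check_rule_order() {
    ipsec_bypass_rules | awk -v d="$DIVERT_RULE" '
        $3 == "divert"      { next }
        ($2 + 0) >= (d + 0) { bad = 1 }
        END                 { exit bad }'
}

# Count emitted rules (used to confirm nothing was lost in the heredoc).
rule_count() {
    ipsec_bypass_rules | awk 'END { print NR }'
}

# Load the rules in order. With IPFW=echo this prints the commands instead.
load_rules() {
    check_rule_order || {
        echo "bypass rules must be numbered below $DIVERT_RULE" >&2
        return 1
    }
    ipsec_bypass_rules | while read -r line; do
        # $line is deliberately unquoted: ipfw wants each token as an argument
        $IPFW $line || return 1
    done
}

# Only touch the running firewall when explicitly asked (needs root on FreeBSD):
#   sh ipsec_nat_bypass.sh --load
if [ "${1:-}" = "--load" ]; then
    load_rules
fi
```

Run it with IPFW=echo first to see exactly what would be added; then, with the rules loaded and natd running, try the same ping through the tunnel as in the post.  If the tunnel works with these rules and breaks when 200..207 are deleted, the divert (not natd's own state handling) is what interferes, and the remaining question is only which of the bypass rules is the one that matters on this kernel.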