From owner-freebsd-questions Wed Apr 25 0:12:39 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from wattres.Watt.COM (wattres.watt.com [205.178.120.6]) by hub.freebsd.org (Postfix) with ESMTP id 1BE4A37B42C for ; Wed, 25 Apr 2001 00:12:37 -0700 (PDT) (envelope-from steve@Watt.COM)
Received: (from steve@localhost) by wattres.Watt.COM (8.11.3/8.11.3) id f3P7CbW07323 for questions@freebsd.org; Wed, 25 Apr 2001 00:12:37 -0700 (PDT) (envelope-from steve)
Message-Id: <200104250712.f3P7CbW07323@wattres.Watt.COM>
In-Reply-To: <200104250652.f3P6qQg06374@wattres.Watt.COM>
Organization: Watt Consultants, San Jose, CA, USA
From: steve@Watt.COM (Steve Watt)
Date: Wed, 25 Apr 2001 00:12:37 -0700
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: questions@freebsd.org
Subject: IPsec and natd/divert don't play? was Re: VPN / VLAN configuration
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Steve Watt wrote:
[ a longish mini-HOWTO on IPSEC these days ]
>If you're dealing with systems that do not have NAT boxes in front of
>them, it's surprisingly straightforward:

However, I've got a question, as well. It appears that IPsec and divert
sockets (and/or natd) don't get along well. My setup joins my internal
network to my employer's, with the recipe I laid out in my previous note.

Here's a config that works:

# ipfw list
65000 allow ip from any to any
65535 deny ip from any to any
#

I can freely ping through the tunnel, everything is happy.

Here's the one that doesn't work, starting from above:

# ipfw add 215 divert natd all from any to any via xl0
# natd -n xl0

I can no longer ping through the tunnel. It's quite reversible; if I
delete the divert rule, I can tunnel, but the clients that need NAT
service don't work.

Am I missing something? Is there some bug in natd, or an option that I
need to feed it?

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time?
There's no such thing. It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
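One ruleset arrangement commonly used on an ipfw/natd gateway that also terminates an IPsec tunnel, added here as an example and not taken from Steve's post or any reply on this page: pass rules for the IKE and ESP packets and for the two tunnelled subnets are placed ahead of the divert rule, so natd never sees or rewrites tunnel traffic and the security policy still matches the real addresses. The internal and employer networks, the rule numbers other than 215 and 65000, and the cause of the breakage are assumptions; the script only prints the rules unless run as `sh natd-ipsec.sh apply` on a host that has ipfw.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps IPsec traffic out of natd
# by terminating ipfw processing for it before the divert rule is reached.
# Assumed (hypothetical) addressing: internal LAN behind xl0 and the
# employer's network reached through the tunnel.
INT_NET="192.168.1.0/24"      # assumed internal network
REMOTE_NET="10.0.0.0/8"       # assumed employer network behind the tunnel
EXT_IF="xl0"                  # outside interface from the post

# Print the rules in order without touching the kernel, so this runs anywhere.
gen_rules() {
    # IKE (UDP 500) and ESP (IP protocol 50) are the tunnel itself: never NAT them.
    echo "add 200 allow udp from any 500 to any 500 via $EXT_IF"
    echo "add 201 allow esp from any to any via $EXT_IF"
    # Traffic between the two private networks rides the tunnel and must keep
    # its real addresses, otherwise the IPsec policy no longer matches it.
    echo "add 205 allow ip from $INT_NET to $REMOTE_NET via $EXT_IF"
    echo "add 206 allow ip from $REMOTE_NET to $INT_NET via $EXT_IF"
    # Everything else on the outside interface is handed to natd as in the post.
    echo "add 215 divert natd all from any to any via $EXT_IF"
    echo "add 65000 allow ip from any to any"
}

# Load the rules with the real ipfw binary; refuses to run where it is absent.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    # $rule is intentionally unquoted so ipfw receives the words separately.
    gen_rules | while read -r rule; do ipfw $rule; done
}

if [ "$1" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```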