Date: Thu, 24 Aug 2017 11:38:37 +0200 (CEST)
From: Jimmy Olgeni <olgeni@olgeni.com>
To: freebsd-net@freebsd.org
Subject: NAT-before-ipsec using if_ipsec
Message-ID: <alpine.BSF.2.21.1708241128100.3680@backoffice.local>
Hi,

I came up with a working setup of if_ipsec, and was wondering if it would now be possible to perform NAT before ipsec using the resulting 'ipsec0' interface.

The native PF solution seemed to be this:

  nat on ipsec0 from 172.30.1.1/28 to any -> 172.30.1.1

But while it works on external interfaces, it does nothing for ipsec.

If ipsec is already up, pinging the other side does not work; if the ping causes racoon to negotiate, then it will fail as if it's trying to negotiate an invalid encryption domain (?)

Are additional SPD entries needed specifically for NAT?

-- 
jimmy