Date: Thu, 12 Jan 2012 09:47:05 +0100
From: Alex Dupre <ale@FreeBSD.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-net@FreeBSD.org
Subject: Re: Filtering on IPSEC
Message-ID: <4F0E9E09.9040106@FreeBSD.org>
In-Reply-To: <FD78C4CE-B9A8-4541-8A67-BDD75C626D0A@lists.zabbadoz.net>
References: <4F0DD127.4040205@FreeBSD.org> <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net> <4F0E8BC8.2020703@FreeBSD.org> <FD78C4CE-B9A8-4541-8A67-BDD75C626D0A@lists.zabbadoz.net>
Bjoern A. Zeeb wrote:
> If you are using tunnel mode and gif you'll have trouble; just use tunnel mode without gif and you'll be happy.

Done, it works and I see all packets on enc0 now, thanks.

> It's because (our) pf cannot NAT on incoming but only on outgoing interfaces. And you need to NAT on packet entry into the system...

I found a setup that seems to work in my scenario with pf, but I'm not sure it's 100% correct. Basically I added nat on enc0 and then added a new policy including my internal lan.

Scenario:
- virtual ip (where nat takes place): 172.22.0.5
- internal lan: 192.168.2.0/24
- other lan: 172.28.0.0/16

In pf.conf I added:

nat on enc0 from 192.168.2.0/24 to any -> 172.22.0.5

In setkey.conf I added:

spdadd 192.168.2.0/24 172.28.0.0/16 any -P out ipsec esp/tunnel/MYEXTIP-OTHEREXTIP/require;

in addition to the "standard":

spdadd 172.28.0.0/16 172.22.0.5/32 any -P in ipsec esp/tunnel/OTHEREXTIP-MYEXTIP/require;
spdadd 172.22.0.5/32 172.28.0.0/16 any -P out ipsec esp/tunnel/MYEXTIP-OTHEREXTIP/require;

Am I looking for trouble, or is it correct?

-- 
Alex Dupre
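A small consistency check for the SPD/NAT interplay in the setup above, added here as an example and not part of the original message: it parses the three spdadd lines, applies the pf nat mapping, and confirms that a LAN host's flow is covered by a "require" policy in both directions. It assumes, as the working setup implies, that the outbound SPD lookup sees the pre-NAT source and that the peer's reply is addressed to the virtual IP; the parser only handles the spdadd form used here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the three spdadd lines from the message (the
# MYEXTIP/OTHEREXTIP placeholders are kept exactly as written there).
SETKEY_CONF = """
spdadd 192.168.2.0/24 172.28.0.0/16 any -P out ipsec esp/tunnel/MYEXTIP-OTHEREXTIP/require;
spdadd 172.28.0.0/16 172.22.0.5/32 any -P in ipsec esp/tunnel/OTHEREXTIP-MYEXTIP/require;
spdadd 172.22.0.5/32 172.28.0.0/16 any -P out ipsec esp/tunnel/MYEXTIP-OTHEREXTIP/require;
"""
# The pf rule "nat on enc0 from 192.168.2.0/24 to any -> 172.22.0.5".
NAT_SRC = ipaddress.ip_network("192.168.2.0/24")
NAT_TO = ipaddress.ip_address("172.22.0.5")

# Matches: spdadd <src> <dst> <proto> -P <in|out> <action> [<rule>];
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+(\S+)(?:\s+(\S+))?\s*;")

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    action: str   # ipsec, discard or none
    level: str    # last field of the ipsec rule, e.g. "require"; "" otherwise

def parse_spd(text):
    """Parse spdadd lines into an ordered list of Policy objects."""
    spd = []
    for m in SPD_RE.finditer(text):
        src, dst, direction, action, rule = m.groups()
        level = rule.split("/")[-1] if action == "ipsec" and rule else ""
        spd.append(Policy(ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False), direction, action, level))
    return spd

def lookup(spd, src, dst, direction):
    """First policy matching in configuration order (the SPD is ordered), else None."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    for p in spd:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None

def requires_esp(p):
    return p is not None and p.action == "ipsec" and p.level == "require"

def check_tunnel_flow(spd, inner_src, inner_dst):
    """Assumed order: outbound SPD lookup on the pre-NAT addresses, then pf nat
    on enc0 rewrites the source to the virtual IP, and the reply addressed to
    the virtual IP must hit an 'in' policy on the way back."""
    src = ipaddress.ip_address(inner_src)
    nat_src = NAT_TO if src in NAT_SRC else src
    out, back = lookup(spd, src, inner_dst, "out"), lookup(spd, inner_dst, nat_src, "in")
    return {"natted_src": str(nat_src), "out_required": requires_esp(out), "in_required": requires_esp(back)}
```

Dropping the first spdadd line from SETKEY_CONF makes the LAN flow fall through to the default policy, which is the gap the added "out" policy closes.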