Date: Sun, 24 Feb 2002 14:05:34 +0100 From: Alex Kiesel <freebsd@document-root.de> To: freebsd-questions@freebsd.org Subject: IpSec behind NAT Message-ID: <20020224130534.GA8465@schlund.de>
Hi,

I am trying to set up a Host-to-Subnet IPsec tunnel. The basic configuration does work, as I can ping any host on the subnet from my single "road-warrior" host.

       Host1             subnetxyz
           \             /
 Host2 - Roadwarrior --- INTERNET --- IPsec-Gw - subnetxxx
           /             \
       Host3             subnetbla

Host1,2,3 all have private IP addresses 192.168.1.x. Subnets have distinct IP addresses, e.g. 172.17.x.x.

Being logged in to Roadwarrior I can ping any host on any of those subnets, from which I conclude that my basic setup does work. But the roadwarrior is my net's firewall, so working from there is not what I want to do. I want to work from Host1.

When I ping any host on a right subnet, I can see the following things:

- the ping gets NAT'ed to my public IP address [which is ok]
- the ping gets encrypted and is sent to the ipsec-gw [ok]
- the ping reaches the destination host, and it answers
- the answer travels back over the encrypted tunnel to my roadwarrior
- the packet even gets through my natd, but the destination address is not rewritten to my host1 IP address, so it does not reach me.

I have to add that the remote gateway only permits host-to-subnet tunnels, so I have to do NAT. The problem is simply that the received packets do not get rewritten...

Did anyone have such a problem? Any help is appreciated :)

Thanks,
Alex

--
Alex Kiesel
PGP Key: 0x09F4FA11
Today's excuse: A star wars satellite accidentally blew up the WAN.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
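The translation step the post says is failing, modelled as an added example (this is not code from the post, nor from FreeBSD natd or ipfw). It shows what a NAPT box must do for the ICMP echo in the question: on the way out, rewrite the private source to the public address and remember the mapping keyed on the ICMP echo identifier; on the way back, look the reply up by that key and restore the private destination. A reply that matches no remembered mapping is passed through untouched, which is exactly the symptom described. The addresses and identifiers are constructed sample data in the style of the post; the class and function names are this example's own.

```python
"""Constructed model of NAPT for ICMP echo, after the road-warrior/NAT
round trip described in the post. Not natd's implementation."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IcmpEcho:
    src: str          # IPv4 source address
    dst: str          # IPv4 destination address
    icmp_type: int    # 8 = echo request, 0 = echo reply
    ident: int        # ICMP echo identifier, the field NAPT keys on


class IcmpNapt:
    """One-to-many NAT for ICMP echo, keyed on (remote host, aliased ident)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (remote host, aliased ident) -> (private host, original ident)
        self.table = {}
        self.next_alias = 1000

    def outbound(self, pkt: IcmpEcho) -> IcmpEcho:
        """Rewrite an echo request leaving the private net and record it."""
        if pkt.icmp_type != 8:
            return pkt
        alias = self.next_alias
        self.next_alias += 1
        self.table[(pkt.dst, alias)] = (pkt.src, pkt.ident)
        return replace(pkt, src=self.public_ip, ident=alias)

    def inbound(self, pkt: IcmpEcho) -> IcmpEcho:
        """Rewrite an echo reply arriving on the public side.

        Returns the de-NATed packet, or the packet unchanged when it is not
        addressed to us or no mapping matches (the post's symptom)."""
        if pkt.icmp_type != 0 or pkt.dst != self.public_ip:
            return pkt
        entry = self.table.get((pkt.src, pkt.ident))
        if entry is None:
            return pkt
        private_host, ident = entry
        return replace(pkt, dst=private_host, ident=ident)


# Constructed topology values (assumptions, not from the post):
HOST1 = "192.168.1.10"        # Host1 on the private LAN
PUBLIC = "203.0.113.5"        # Roadwarrior's public address
REMOTE = "172.17.5.1"         # a host on a subnet behind the IPsec gateway


def round_trip_reply() -> IcmpEcho:
    """Working case: request NAT'ed outbound, reply de-NATed inbound."""
    nat = IcmpNapt(PUBLIC)
    request = IcmpEcho(src=HOST1, dst=REMOTE, icmp_type=8, ident=42)
    wire_request = nat.outbound(request)          # src becomes PUBLIC
    # The remote host answers the aliased packet (this is what the IPsec
    # tunnel would carry back after decryption).
    wire_reply = IcmpEcho(src=REMOTE, dst=wire_request.src,
                          icmp_type=0, ident=wire_request.ident)
    return nat.inbound(wire_reply)                # dst restored to HOST1


def unmatched_reply() -> IcmpEcho:
    """Failure case: a reply for which the NAT holds no mapping, e.g. because
    the outbound request never passed through the translator. The packet
    leaves the NAT with dst still set to the public address."""
    nat = IcmpNapt(PUBLIC)
    stray_reply = IcmpEcho(src=REMOTE, dst=PUBLIC, icmp_type=0, ident=42)
    return nat.inbound(stray_reply)


if __name__ == "__main__":
    print("matched reply  ->", round_trip_reply())
    print("unmatched reply->", unmatched_reply())
```

The model makes the diagnostic question concrete: the reply can only be rewritten if the translator holds state created by the matching outbound request, so when the decrypted reply leaves natd with the public destination address still in place, the thing to check is whether the outbound echo actually went through the same translator (and with the same identifier) before it was encrypted.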
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020224130534.GA8465>