From: Eugene Grosbein <egrosbein@rdtc.ru>
Date: Fri, 15 Jun 2012 11:33:38 +0700
To: Michael Sierchio
Cc: net@freebsd.org
Subject: Re: ip_output: NAT then IPSEC
Message-ID: <4FDABB22.9040305@rdtc.ru>
In-Reply-To / References: <4FDA1483.4090207@rdtc.ru>

15.06.2012 03:21, Michael Sierchio writes:
> On Thu, Jun 14, 2012 at 9:42 AM, Eugene Grosbein wrote:
>
>> How do I make FreeBSD 8-based router/NAT/security gateway
>> first perform NAT for outgoing packets then apply IPSEC transport mode
>> for plain TCP traffic?
>
> Forgive me, but I have to ask - why?
>
> IPsec implies pairwise association, and relies on a tunnel - which
> means that each side knows both tunnel endpoints and both internal
> networks. What do you hope to accomplish with NAT?

I have a TCP service inside the local network that is accessible to a couple of external hosts via NAT port forwarding.
And I need to protect this TCP stream seamlessly with IPSEC transport mode.

Eugene Grosbein