Date: Mon, 19 Oct 2009 22:05:49 +0200
From: vanhu <vanhu@FreeBSD.org>
To: Eric Masson <emss.mail@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec, nat on enc device
Message-ID: <20091019200549.GA9766@zeninc.net>
In-Reply-To: <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com>
References: <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com>
Hi all.

On Mon, Oct 19, 2009 at 05:32:14PM +0200, Eric Masson wrote:
[....]
> I know ;) I'll bug them regarding ${subject} as well (some ipsec-tools
> devs lurk there too)

Do you think so? :-D

> I'm not sure that pf & ipsec stack already support this feature. Maybe
> bz@ or vanhu@ will shed a light on this point.

This is a way to do that, but it needs some stuff on both kernel and userland to be implemented that way.

Another way to have this feature is to implement what we call "NAT before VPN": you can configure your kernel (or do it for specific NAT rules if you want a more flexible implementation) to do the NAT processing before doing IPsec stuff. Then you just write your NAT rules to move the local/remote traffic endpoints to distinct networks, and IPsec (both in kernel and userland) will just have to deal with those NATed networks.

OpenBSD's way of doing things seems interesting from a very quick read of your link; I'll have to take some more time to really see exactly what they are doing...

Yvan.
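As an added illustration of the "NAT before VPN" arrangement described in the mail above (this is not part of the thread, and the mail itself notes that a stock kernel does not order NAT ahead of IPsec this way, so it assumes a gateway where pf's translation is applied before the outbound IPsec SPD lookup and after inbound decapsulation), the two pieces a site would write are a pf binat rule and SPD entries that only mention the translated networks. All addresses, interface names and the overlapping 192.168.1.0/24 LANs are constructed for the example.

```conf
# /etc/pf.conf fragment (constructed example; assumes NAT runs before IPsec)
# Both sites use 192.168.1.0/24 internally, so each side maps its own LAN
# to a distinct /24 before the packet is matched against the IPsec SPD.
ext_if        = "em0"
local_net     = "192.168.1.0/24"   # real local LAN (overlaps with the peer's)
local_mapped  = "10.99.1.0/24"     # how this site presents its LAN to the peer
remote_mapped = "10.99.2.0/24"     # how the peer presents its LAN to us

# Bidirectional 1:1 network translation: outbound packets from the real LAN
# towards the peer's mapped network get a 10.99.1.x source; decapsulated
# replies addressed to 10.99.1.x are mapped back to 192.168.1.x.
binat on $ext_if from $local_net to $remote_mapped -> $local_mapped

# setkey SPD fragment (loaded with: setkey -f /etc/ipsec.conf)
# The policy selectors only ever see the NATed networks; the real
# 192.168.1.0/24 never appears here, so the address overlap is invisible
# to the IPsec stack and to the IKE daemon negotiating phase 2.
spdadd 10.99.1.0/24 10.99.2.0/24 any -P out ipsec
        esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.99.2.0/24 10.99.1.0/24 any -P in ipsec
        esp/tunnel/198.51.100.1-203.0.113.1/require;
```

The peer site writes the mirror image (its LAN mapped to 10.99.2.0/24, our side referenced as 10.99.1.0/24), and racoon on each end derives the phase 2 selectors from these SPD entries, so the two gateways only have to agree on the mapped networks. The whole scheme stands or falls on the ordering assumption in the first comment: if the translation runs after the SPD lookup, the policy never matches and the traffic is simply not tunnelled.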