From owner-freebsd-net@FreeBSD.ORG Mon Oct 19 20:22:31 2009
From: Ermal Luçi <ermal.luci@gmail.com>
Date: Mon, 19 Oct 2009 22:22:10 +0200
To: vanhu
Cc: freebsd-net@freebsd.org, Eric Masson
Subject: Re: IPSec, nat on enc device
Message-ID: <9a542da30910191322y1676241cq4448af73d96353e0@mail.gmail.com>
In-Reply-To: <20091019200549.GA9766@zeninc.net>
References: <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091019200549.GA9766@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD

> OpenBSD's way of doing things seems interesting while reading very
> quickly your link, I'll have to take some more time to really see
> exactly what they are doing.....
>
> Basically they make the daemon and the firewall aware of the NAT.

Actually it is more 'user-friendly' to configure, though clumsy, since you
have to keep the same information in two places: the firewall NAT rules and
the IPsec daemon.

You just instruct the daemon to inject one 'normal' (out) SA that matches
traffic coming from your local network, and one SA for incoming traffic from
the remote network with the NATed network address.

This is all because pf(4) cannot do 'incoming NAT' by default.

--
Ermal
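Added illustration, not part of the thread and not taken from the OpenBSD page it refers to: the "same information in two places" setup Ermal describes, written in OpenBSD pf.conf(5) and ipsec.conf(5) syntax as I understand it. The LAN and remote prefixes, the translated prefix, the peer address and the enc0 interface are all assumed, and the binat-to semantics and the flow directives should be checked against the man pages of the release actually in use.

```conf
# --- /etc/pf.conf (assumed example) ---
# enc0 is the IPsec pseudo-interface on which pf sees tunnel traffic before
# encapsulation (out) and after decapsulation (in).
# The real LAN 192.168.1.0/24 is shown to the peer as 10.10.1.0/24.
# binat-to gives the outbound source translation and the matching inbound
# destination translation in one rule: the "incoming NAT" that a plain
# outbound-only nat rule cannot provide.
match on enc0 from 192.168.1.0/24 to 192.168.2.0/24 binat-to 10.10.1.0/24
pass on enc0

# --- /etc/ipsec.conf (assumed example) ---
# The same prefixes again, which is the duplication the message points out.
# The outgoing flow selects on the real source network, the incoming flow on
# the translated destination network, because that is the only address the
# remote peer ever sees. Whether these flows are installed by hand with
# flow rules (as here) or by the IKE daemon, the two entries must agree
# with the pf rule above.
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 203.0.113.2
flow esp in  from 192.168.2.0/24 to 10.10.1.0/24  peer 203.0.113.2
```

The check a practitioner wants after loading both files: `pfctl -sr` (or `pfctl -s rules`) should show the binat-to rule on enc0, and `ipsecctl -sf` should list exactly the two asymmetric flows, one with the real prefix and one with the translated prefix. If the inbound flow still names the real prefix, decapsulated packets addressed to the translated network fail the inbound policy check before pf ever gets to translate them.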