Date:      Mon, 19 Oct 2009 22:22:10 +0200
From:      Ermal Luçi <eri@freebsd.org>
To:        vanhu <vanhu@freebsd.org>
Cc:        freebsd-net@freebsd.org, Eric Masson <emss.mail@gmail.com>
Subject:   Re: IPSec, nat on enc device
Message-ID:  <9a542da30910191322y1676241cq4448af73d96353e0@mail.gmail.com>
In-Reply-To: <20091019200549.GA9766@zeninc.net>
References:  <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com>  <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com>  <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com>  <20091019200549.GA9766@zeninc.net>

>
> OpenBSD's way of doing things seems interesting while reading very
> quickly your link, I'll have to take some more time to really see
> exactly what they are doing.....
>
>
Basically they make the daemon and the firewall aware of the NAT.

Actually it is more 'user-friendly' to configure, though clumsy, since you have
to keep the same information in two places: the firewall NAT rules and the IPsec
daemon.

You just instruct the daemon to inject one 'normal' (out) SA to match traffic
coming from your local network, and one SA for incoming traffic from the
remote network with the NATed network address.

This all is because pf(4) cannot do 'incoming nat' by default.

-- 
Ermal
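The two-policy arrangement described in the message above, written out as an illustrative configuration fragment. This is an added example, not part of the original mail, the OpenBSD documentation linked in the thread, or any FreeBSD project file. The addresses (192.168.1.0/24 local, 172.16.1.0/24 as the NATed view of it, 10.0.0.0/24 remote, 203.0.113.1 and 198.51.100.1 as gateways) are constructed, and the pf rule is written in the pre-4.7 `nat on` syntax FreeBSD pf used at the time. The exact ordering of NAT and SPD lookup on the enc device is an assumption drawn from the mail's description, not verified kernel behaviour.

```conf
# pf.conf (firewall side of the information, kept in sync by hand):
# rewrite the real local source to the address range the peer expects,
# as the packet leaves through the enc device before ESP encapsulation.
# Addresses are constructed for this example.
nat on enc0 from 192.168.1.0/24 to 10.0.0.0/24 -> 172.16.1.0/24

# setkey(8) SPD entries (IPsec-daemon side of the same information).
# Outbound: 'normal' policy, matches traffic as it still appears with the
# real local source, i.e. before NAT has run on enc0.
spdadd 192.168.1.0/24 10.0.0.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

# Inbound: after decryption the destination is still the NATed network,
# because pf does not translate incoming traffic on enc0 here, so the
# inbound selector has to name 172.16.1.0/24 rather than 192.168.1.0/24.
spdadd 10.0.0.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
```

The point a practitioner should take from this is the asymmetry: the two policies do not mirror each other, and if the firewall NAT rule is changed (say to a different translated range) without changing the `-P in` selector, inbound traffic simply falls through the SPD with no error from either side. Any change to one of the two places has to be made in the other.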
