From owner-freebsd-net@FreeBSD.ORG Tue Oct 20 07:08:57 2009
From: Eric Masson
To: vanhu
Cc: freebsd-net@freebsd.org, Eric Masson
Subject: Re: IPSec, nat on enc device
Date: Tue, 20 Oct 2009 09:08:49 +0200
Message-ID: <864opuk0e6.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20091019200549.GA9766@zeninc.net> (vanhu@freebsd.org's message of "Mon, 19 Oct 2009 22:05:49 +0200")
References: <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091019200549.GA9766@zeninc.net>
X-Operating-System: FreeBSD 6.4-RELEASE-p7 i386
List-Id: Networking and TCP/IP with FreeBSD

vanhu writes:

Hi Yvan,

> Another way to have this feature is to implement what we call "NAT
> before VPN": you can configure your kernel (or do it for specific NAT
> rules if you want to do a more flexible implementation) to do the NAT
> processing before doing the IPsec stuff.

I used it last week on an 8.0.2 F200.

The major drawback is that an existing nat ruleset must be adapted (nomap rules for vpn networks that don't need nat) and that it can cause issues when activated (a reverse proxy located on a machine behind a bidirectional map runs into trouble when nat before vpn is activated, that's why I have to set up another box for natted vpns...)

> OpenBSD's way of doing things seems interesting from a very quick
> read of your link, I'll have to take some more time to really see
> exactly what they are doing.....

I agree with Ermal that duplicating nat information in pf and isakmpd is suboptimal and probably error-prone, but it seems to me that it's less intrusive than altering the ip stack.

--
It suffices to be numerous enough and you'll act less clever. Voting stupidly is one thing, boasting about it is another... You are grotesque and dangerous. -+- Rocou in GNU - Will quantity supplant quality? -+-
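An added example, not from the thread, of the ruleset adaptation Eric describes, written in pf.conf syntax: the interface name, networks and addresses are constructed, and it assumes a "NAT before VPN" setup in which pf translation runs before the IPsec policy lookup, so the translated source address is what the SPD sees.

```pf
# Constructed example: an existing NAT ruleset adapted for "NAT before VPN".
# Assumption: pf translation is applied before the IPsec SPD lookup, so any
# address rewritten here is the one the IPsec policy must match.
ext_if    = "em0"
lan_net   = "192.168.10.0/24"
vpn_nets  = "{ 10.20.0.0/16, 172.16.5.0/24 }"   # remote networks reached over IPsec
proxy_lan = "192.168.10.50"                     # reverse proxy behind a bidirectional map
proxy_pub = "203.0.113.50"

# 1. Exempt VPN-bound traffic from translation. The IPsec policies are written
#    for the private LAN addresses; translating them first would leave the
#    packets matching no policy and they would leave the box in the clear or be
#    dropped, depending on the SPD default.
no nat   on $ext_if from $lan_net   to $vpn_nets
no binat on $ext_if from $proxy_lan to $vpn_nets

# 2. Bidirectional map for the reverse proxy. Without the "no binat" exemption
#    above, this rule would also rewrite the proxy's address on packets headed
#    into the tunnel, which is the breakage described in the message.
binat on $ext_if from $proxy_lan to any -> $proxy_pub

# 3. Ordinary outbound NAT for everything else on the LAN.
nat on $ext_if from $lan_net to any -> ($ext_if)
```

Checking the ruleset with `pfctl -nf /etc/pf.conf` before loading catches syntax errors, but not a missing exemption: that only shows up as VPN traffic that no longer matches its IPsec policy.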