Date:      Tue, 20 Oct 2009 09:08:49 +0200
From:      Eric Masson <emss.mail@gmail.com>
To:        vanhu <vanhu@FreeBSD.org>
Cc:        freebsd-net@freebsd.org, Eric Masson <emss.mail@gmail.com>
Subject:   Re: IPSec, nat on enc device
Message-ID:  <864opuk0e6.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20091019200549.GA9766@zeninc.net> (vanhu@freebsd.org's message of "Mon, 19 Oct 2009 22:05:49 +0200")
References:  <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091019200549.GA9766@zeninc.net>

vanhu <vanhu@FreeBSD.org> writes:

Hi Yvan,

> Another way to have this feature is to implement what we call "NAT
> before VPN": you can configure your kernel (or do it for specific NAT
> rules if you want to do a more flexible implementation) to do NAT
> process before doing IPsec stuff.

I've used it last week on a 8.0.2 F200. The major drawback is that an
existing nat ruleset must be adapted (nomap rules for vpn networks that
don't need nat) and that it can cause issues when activated
(a reverse proxy located on a machine behind a bidirectional map has woes
when nat before vpn is activated, that's why I have to set up another box
for natted vpns...)

> OpenBSD's way of doing things seems interesting while reading very
> quickly your link, I'll have to take some more time to really see
> exactly what they are doing.....

I agree with Ermal that duplicating nat information in pf and isakmpd is
suboptimal and probably error-prone, but it seems to me that it's less
intrusive than altering the ip stack.

-- 
 All it takes is enough of us and you'll be less cocky.
 Voting like an idiot is one thing, bragging about it is another...
 You are grotesque and dangerous.
 -+- Rocou in GNU - Will quantity make up for quality? -+-
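As an added illustration that is not part of this thread, the "NAT before VPN" approach discussed above expressed as a FreeBSD pf.conf fragment: the translation exemption for VPN-bound traffic comes first, the general masquerade rule after it, and the cleartext is filtered on enc(4). The interface name and all prefixes are assumed placeholders.

```conf
# Constructed example, not from the thread: NAT is applied before IPsec,
# so traffic destined for the tunnels needs an explicit exemption.
ext_if   = "em0"                              # assumed outside interface
lan_net  = "192.168.10.0/24"                  # assumed local network
# Remote networks reached through IPsec. These must not be translated,
# otherwise the packets no longer match the SPD selectors on either end.
vpn_nets = "{ 10.20.0.0/16, 172.16.5.0/24 }"  # assumed remote networks

# Translation rules are evaluated in order and the first match wins,
# so the exemption must precede the general nat rule.
no nat on $ext_if from $lan_net to $vpn_nets
nat    on $ext_if from $lan_net to any -> ($ext_if)

# On $ext_if only ESP is visible; filter the decapsulated traffic on enc0.
# (enc(4) filtering also depends on the net.enc.in/out sysctls.)
pass in  on enc0 from $vpn_nets to $lan_net keep state
pass out on enc0 from $lan_net  to $vpn_nets keep state
```

This reproduces the "nomap"-style adaptation the reply describes: every VPN network that must stay untranslated needs its own exemption ahead of the masquerade rule, which is the maintenance cost of doing NAT before IPsec.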