From owner-freebsd-security Thu Jan 11 4:48:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 0D9D737B400 for ; Thu, 11 Jan 2001 04:47:52 -0800 (PST)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id VAA29598; Thu, 11 Jan 2001 21:47:46 +0900 (JST)
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: joe's message of Thu, 11 Jan 2001 12:45:11 GMT. <20010111124510.D3594@tao.org.uk>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: Interaction problem with IKE (racoon) and ipfw divert natd?
From: itojun@iijlab.net
Date: Thu, 11 Jan 2001 21:47:46 +0900
Message-ID: <29596.979217266@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Strangely... if I move the 'allow udp from ME isakmp to HIM isakmp' to
>before the 'divert 8668 ip from any to any via fxp1' rule the packet
>does go out on the wire!
>I wonder whether this is a bug with natd.
>Both machines are round about RELENG_4 (far end HIM jan 4th, this end ME
>jan 10th).
>Any ideas how I can track this down?

i have no idea. i think natd captures the outgoing packets and then drops them onto the floor or something like that. we (as kame guys) almost never use ipfw/ipnat, as ipsec is inherently not friendly with them.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
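The rule ordering the quoted message found to work, as an added example that is not part of the original thread: the ISAKMP allow rules are installed with lower numbers than the natd divert rule, so IKE packets between ME and HIM are matched before ipfw hands anything to natd. ME, HIM, fxp1 and divert port 8668 come from the mail; the addresses, rule numbers, the reverse-direction rule and the check_order helper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. ipfw evaluates rules in
# ascending number order, so the isakmp allow rules (1000/1010) must carry
# lower numbers than the divert rule (2000) to keep IKE traffic out of natd.
ME="${ME:-192.0.2.1}"        # placeholder for our IKE endpoint ("ME" in the mail)
HIM="${HIM:-198.51.100.1}"   # placeholder for the peer's IKE endpoint ("HIM")
EXT_IF="fxp1"                # interface the divert rule is bound to (from the mail)

# Emit the rules in installation order.
ike_rules() {
    cat <<EOF
1000 allow udp from $ME isakmp to $HIM isakmp
1010 allow udp from $HIM isakmp to $ME isakmp
2000 divert 8668 ip from any to any via $EXT_IF
EOF
}

# Sanity check (assumed helper): succeed only if the first allow-isakmp rule
# sorts before the divert rule, i.e. the ordering the quoted message found to work.
check_order() {
    ike_rules | awk '
        /allow udp .* isakmp/ && !a { a = $1 }
        /divert 8668/          && !d { d = $1 }
        END { exit !(a != "" && d != "" && a + 0 < d + 0) }'
}

# Install the rules when ipfw exists (on the FreeBSD box); otherwise dry-run.
install_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available; printing rules only" >&2
        ike_rules
        return 0
    fi
    ike_rules | while read -r num rest; do
        ipfw -q add "$num" $rest
    done
}
```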