From: Kelly Yancey <kbyanc@posi.net>
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Date: Mon, 17 Apr 2006 17:50:39 -0700 (PDT)
Subject: Re: tcpdump and ipsec
Message-ID: <20060417173122.V293@gateway.posi.net>
In-Reply-To: <20060417192638.U13011@maildrop.int.zabbadoz.net>

On Mon, 17 Apr 2006, Bjoern A. Zeeb wrote:

> On Thu, 13 Apr 2006, Kelly Yancey wrote:
>
> > I'm curious: how are you performing NAT on your tunnelled traffic?
>
> the answer is simple: do not NAT on the ipsec interface though it's
> not fully correct because I do even NAT traffic that goes like:
>
> A ---- lan1(ipsec only) --- gw(NAT) --- lan2(ipsec only) ---- B
>
> [ipsec only == esp and ike allowed]
>
> so the better explanation perhaps is:
> do not nat on the ipsec interface of the outgoing direction.
>

"When all you have is a hammer, everything looks like a nail" :)

In our case, we couldn't use that hack because we have multiple interfaces, each with its own NAT config. We have to run natd on the interface that the traffic is traversing. With the enc interface, we can handle packets inside the tunnel separately from the tunnel traffic itself without resorting to gymnastics.

If I had time I'd integrate PR 94829 myself, but it looks like I'm going to have my hands full for a couple of months. :| We'll see if anyone else picks it up in the meantime...

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com