From: Michael DeMan
Date: Mon, 07 Apr 2003 14:29:51 -0700
Subject: IPSec + NAT
List-Id: Networking and TCP/IP with FreeBSD

Hi All,

We need a solution for VPN + NAT for wireless clients. We use ipfilter/ipnat for all our boxes but have been forced

I am concerned about the long term management/maintenance issues with some boxes running NATD and others IPNAT, including having staff need to know how to support and debug different configurations and such.

Does anybody know of a way to utilize IPSec and IPNAT together? We assign each box two IP addresses, one for the tunnel end point and the other for the tunnel

I noticed in the kernel code that I could swap where IPSec and IPFilter do their processing and have IPFilter do its work after IPSec inbound, and before IPSec outbound. I'm not too thrilled with that either since we'd have to fork from the BSD tree and upgrades would start getting tricky.

- Mike

Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
Fax 360-738-9785
michael@staff.openaccess.org