Date:      Fri, 18 Oct 2002 11:09:00 +0200
From:      Thomas Spreng <spreng@insomniac.ch>
To:        Charles Henrich <henrich@sigbus.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPSEC/NAT issues
Message-ID:  <20021018090900.GA18311@rock.stable.ch>
In-Reply-To: <20021017111524.A81672@sigbus.com>
References:  <20021017111524.A81672@sigbus.com>

On Thu, Oct 17, 2002 at 11:15:24AM -0700, Charles Henrich wrote:
> I have a network/firewall where I want to NAT an entire network.  However, I
> also want NAT traffic to one remote host in particular out on the internet to
> be IPsec'd as well.
> 
> [A] (10.x) [B] (NAT) [C] (Real IP)
> 
> I've set up IPsec on both machines, and from either machine (B,C) I can ssh to
> the other, with IPsec packets all happening happy as a clam.  However, if I try a
> connection from behind the NAT box to the remote host (A,C) the key exchange
> works fine (between B&C), but then no data flows back and forth.  Anyone have
> any suggestions on this?  Thanks!
> 
> -Crh
Hi Charles,

I'm not sure if I understand your problem right, but just keep in mind that you
cannot put a NAT in the middle of an IPsec connection. This is because the address
translation rewrites the IP headers, and the IPsec authentication header
prevents the packet from being altered.

greets

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
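The mechanism Thomas describes, as an added worked example that is not part of the thread: AH (RFC 2402) computes its ICV over the IP header with only the mutable fields (ToS, flags, fragment offset, TTL, checksum) treated as zero, so a NAT rewriting the source address invalidates the ICV while an ordinary router hop (TTL decrement) does not. For contrast it also models ESP, whose ICV covers only the ESP header and payload and therefore survives the address rewrite. The key, addresses and payload are constructed for illustration; HMAC-SHA1-96 follows RFC 2404, and encryption is omitted because only integrity coverage matters here.

```python
"""AH vs. NAT: a teaching model of RFC 2402/2404 integrity coverage (added example)."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96: tag truncated to 96 bits (RFC 2404)


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum, computed with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: ToS, flags/fragment offset, TTL and checksum are mutable in
    transit and are zeroed for the ICV. Source and destination addresses are not."""
    h = bytearray(hdr)
    h[1] = 0                 # ToS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IP + AH + payload. AH length field is in 32-bit words minus 2 (RFC 2402)."""
    next_hdr = 6  # payload stands in for a TCP segment
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ah_no_icv = ah_fixed + b"\x00" * ICV_LEN
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, len(ah_no_icv) + len(payload))
    icv = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_no_icv + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key: bytes, pkt: bytes) -> bool:
    """Receiver-side check: recompute the ICV over the header as the sender saw it."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN
                        + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def esp_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """ESP integrity only: the ICV covers SPI, sequence number and payload, not the IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def esp_verify(key: bytes, pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def nat_source(pkt: bytes, new_src: str) -> bytes:
    """What the NAT box [B] does: rewrite the source address and fix the header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def forward_hop(pkt: bytes) -> bytes:
    """What a plain router does: decrement TTL and fix the checksum. AH tolerates this."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def demo() -> dict:
    key = b"constructed-shared-key"                  # constructed; real SAs get keys from IKE
    payload = b"constructed TCP segment from host A"  # constructed
    host_a, host_c, b_public = "10.0.0.5", "198.51.100.7", "203.0.113.1"  # constructed
    ah = ah_packet(key, host_a, host_c, spi=0x100, seq=1, payload=payload)
    esp = esp_packet(key, host_a, host_c, spi=0x200, seq=1, payload=payload)
    return {
        "ah_direct": ah_verify(key, ah),                         # True
        "ah_after_router": ah_verify(key, forward_hop(ah)),      # True: TTL is mutable
        "ah_after_nat": ah_verify(key, nat_source(ah, b_public)),  # False: address is covered
        "esp_after_nat": esp_verify(key, nat_source(esp, b_public)),  # True: header not covered
    }


if __name__ == "__main__":
    print(demo())
```

The ESP result is why the claim is specific to AH: ESP's ICV survives the address rewrite. In transport mode the encrypted TCP/UDP checksum still reflects the pre-NAT address, which is the remaining problem that UDP encapsulation (RFC 3948, NAT traversal) was later designed around.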
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021018090900.GA18311>