Date: Fri, 18 Oct 2002 11:09:00 +0200
From: Thomas Spreng <spreng@insomniac.ch>
To: Charles Henrich <henrich@sigbus.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <20021018090900.GA18311@rock.stable.ch>
In-Reply-To: <20021017111524.A81672@sigbus.com>
References: <20021017111524.A81672@sigbus.com>

On Thu, Oct 17, 2002 at 11:15:24AM -0700, Charles Henrich wrote:
> I have a network/firewall where I want to nat an entire network. However, I
> also want nat traffic to one remote host in particular out on the internet to
> be IPsec'd as well.
>
> [A] (10.x) [B] (Nat) [C] (Real IP)
>
> I've set up IPsec on both machines, and from either machine (B,C) I can ssh to
> the other, with ipsec packets all happening happy as a clam. However if I try a
> connection from behind the nat box to the remote host (A,C) the key exchange
> works fine (between B&C), but then no data flows back and forth. Anyone have
> any suggestions on this? Thanks!
>
> -Crh

Hi Charles,

I'm not sure if I understand your problem right, but just keep in mind that
you cannot make a NAT between an IPSec connection. This is because the address
translation rewrites the IP headers and the IPsec authentication header
prevents the packet from being altered.

greets

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
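
The interaction described in the reply above, as an added example that is not part of the original thread: a simplified model of the AH integrity check value (ICV) over an IPv4 packet, showing that a TTL decrement still verifies while a NAT source rewrite does not. The HMAC-SHA1-96 algorithm, the key, the SPI and all addresses are constructed assumptions; the thread does not say which algorithm or addresses were in use.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncates the MAC to 96 bits (assumed algorithm)

def ipv4_header(src, dst, payload_len, ttl=64):
    """Build a 20-byte IPv4 header carrying AH (protocol 51); checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over IP header (mutable fields zeroed), AH (ICV zeroed) and payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS/DSCP may change in transit
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    # Source/destination addresses (bytes 12..19) are immutable, so they stay in.
    a = ah_hdr[:12] + bytes(ICV_LEN)
    return hmac.new(key, bytes(h) + a + payload, hashlib.sha1).digest()[:ICV_LEN]

def build_packet(key, src, dst, spi, seq, payload):
    # AH fixed part: next header (6 = TCP), length in 32-bit words minus 2, reserved, SPI, seq
    ah = struct.pack("!BBHII", 6, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, len(ah) + ICV_LEN + len(payload))
    return ip + ah + ah_icv(key, ip, ah, payload) + payload

def verify(key, packet):
    ip, ah, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(icv, ah_icv(key, ip, ah, payload))

def nat_rewrite_source(packet, new_src):
    """What a NAT box does: replace the source address (bytes 12..15)."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

def decrement_ttl(packet):
    """What any router does: TTL is mutable, so the ICV is unaffected."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key
    pkt = build_packet(KEY, "10.0.0.5", "203.0.113.9", 0x1000, 1, b"hello")
    print("as sent:        ", verify(KEY, pkt))
    print("after TTL - 1:  ", verify(KEY, decrement_ttl(pkt)))
    print("after NAT on B: ", verify(KEY, nat_rewrite_source(pkt, "198.51.100.1")))
```
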