Date: Fri, 18 Oct 2002 11:09:00 +0200
From: Thomas Spreng
To: Charles Henrich
Cc: freebsd-questions@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <20021018090900.GA18311@rock.stable.ch>
References: <20021017111524.A81672@sigbus.com>
In-Reply-To: <20021017111524.A81672@sigbus.com>
User-Agent: Mutt/1.4i

On Thu, Oct 17, 2002 at 11:15:24AM -0700, Charles Henrich wrote:
> I have a network/firewall where I want to NAT an entire network. However, I
> also want NAT traffic to one remote host in particular out on the internet to
> be IPsec'd as well.
>
> [A] (10.x) [B] (NAT) [C] (Real IP)
>
> I've set up IPsec on both machines, and from either machine (B,C) I can ssh to
> the other, with IPsec packets all happening happy as a clam. However, if I try a
> connection from behind the NAT box to the remote host (A,C) the key exchange
> works fine (between B&C), but then no data flows back and forth. Anyone have
> any suggestions on this? Thanks!
>
> -Crh

Hi Charles,

I'm not sure if I understand your problem right, but just keep in mind that
you cannot make a NAT between an IPsec connection. This is because the
address translation rewrites the IP headers and the IPsec authentication
header prevents the packet from being altered.

Greets

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
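The point in the reply, that address translation rewrites fields the AH integrity check covers, worked through as an added example (not code from this thread): an AH-style HMAC-SHA1-96 ICV is computed over a constructed IPv4 header the way RFC 2402 prescribes, the source address is then rewritten as a NAT box would do it, and verification at the far end fails. The key, addresses and payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Constructed example: an IPv4 header protected by an AH-style HMAC-SHA1-96 ICV (RFC 2402/2404
# semantics), then the same header after a NAT box rewrites the source address. Key is made up.

def ip_checksum(hdr):
    """Ones'-complement sum of 16-bit words; a header with a valid checksum folds to 0."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, payload_len, proto=51, ttl=64):
    """20-byte IPv4 header without options; protocol 51 = AH; checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_zero_mutable(hdr):
    """Zero the fields AH treats as mutable in transit: TOS, flags/offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = h[8] = 0                  # TOS, TTL
    h[6:8] = h[10:12] = b"\x00\x00"  # flags/fragment offset, header checksum
    return bytes(h)

def ah_icv(key, ip_hdr, payload, spi=0x1000, seq=1):
    """ICV over immutable IP header + AH header (ICV zeroed) + payload; addresses are covered."""
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12  # next=TCP, len=4 words
    return hmac.new(key, ah_zero_mutable(ip_hdr) + ah_hdr + payload, hashlib.sha1).digest()[:12]

def verify_ah(key, ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, payload), icv)

def nat_rewrite_source(ip_hdr, new_src):
    """What the NAT box does: swap the source address and fix only the IP header checksum."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)

def demo(key=b"constructed-demo-key", payload=b"TCP segment (constructed)"):
    """(verifies at [C] before NAT, verifies at [C] after [B] rewrote the header)"""
    inner = ipv4_header("10.0.0.5", "203.0.113.10", 24 + len(payload))  # [A] -> [C]
    icv = ah_icv(key, inner, payload)
    natted = nat_rewrite_source(inner, "198.51.100.1")  # [B]'s public address (constructed)
    return verify_ah(key, inner, payload, icv), verify_ah(key, natted, payload, icv)
```

`demo()` returns `(True, False)`: the NAT'd packet has a valid IP checksum but fails AH verification because the source address is part of the authenticated data. ESP's integrity check covers only the ESP header and payload, not the outer IP header, which is why NAT traversal (RFC 3948) is built on ESP rather than AH.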