From: Julien Bournelle
To: freebsd-questions@freebsd.org
Subject: Re: IPSEC/NAT issues
Date: Fri, 18 Oct 2002 17:31:43 +0200
Message-ID: <20021018153143.GD242@ipv6-5.int-evry.fr>
User-Agent: Mutt/1.4i

On Fri, Oct 18, 2002 at 04:54:33PM +0200, Danny.Carroll@mail.ing.nl wrote:
> I have often wondered about this..
> Surely there must be a way to do it.

Actually, I guess not, they're working on this problem at IETF.
Maybe you could look at this internet-draft: draft-ietf-ipsec-nat-reqts-02.txt

Hope it helps,
julien.bournelle@int-evry.fr

> -D
>
> > -----Original Message-----
> > From: Thomas Spreng [mailto:spreng@insomniac.ch]
> > Sent: Friday, October 18, 2002 11:09 AM
> > To: Charles Henrich
> > Cc: freebsd-questions@freebsd.org
> > Subject: Re: IPSEC/NAT issues
> >
> > On Thu, Oct 17, 2002 at 11:15:24AM -0700, Charles Henrich wrote:
> > > I have a network/firewall where I want to nat an entire network. However, I
> > > also want nat traffic to one remote host in particular out on the internet to
> > > be IPsec'd as well.
> > >
> > > [A] (10.x) [B] (Nat) [C] (Real IP)
> > >
> > > I've set up IPsec on both machines, and from either machine (B,C) I can ssh to
> > > the other, with ipsec packets all happening happy as a clam. However if I try a
> > > connection from behind the nat box to the remote host (A,C) the key exchange
> > > works fine (between B&C), but then no data flows back and forth. Anyone have
> > > any suggestions on this? Thanks!
> > >
> > > -Crh
> >
> > hi charles,
> >
> > I'm not sure if I understand your problem right but just keep in mind that you
> > cannot make a NAT between an IPSec connection. This is because the address
> > translation rewrites the ip headers and the ipsec authentication header
> > prevents the packet from being altered.
> >
> > greets
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
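The mechanism Thomas Spreng describes (NAT rewrites the IP header, the IPsec Authentication Header covers that header, so the integrity check fails on the far side) can be shown in a few lines. The following is an added illustration, not code from the thread or from FreeBSD: it builds a minimal IPv4 header, computes a simplified AH-style integrity check value over the fields AH treats as immutable, lets a simulated NAT rewrite the source address, and re-verifies. The addresses, key and payload are constructed sample values, and the AH layout is simplified (a real AH zeroes the mutable fields in place and carries its own header; here `immutable_fields` approximates that).

```python
"""Why an AH-protected packet fails after source NAT (added illustration).

Constructed example: sample addresses, key and payload are made up, and the
AH computation is simplified to 'HMAC over the immutable IPv4 header fields
plus the payload'. TTL and the header checksum are excluded from the ICV,
as in RFC 2402; the source and destination addresses are not.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header; the checksum is left at zero (a NAT would recompute it)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def immutable_fields(ip_hdr: bytes) -> bytes:
    """Zero the fields AH classes as mutable-in-transit (TTL, header checksum).

    Addresses are NOT mutable, so a NAT rewrite changes what the ICV covers."""
    h = bytearray(ip_hdr)
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    return bytes(h)


def ah_icv(ip_hdr: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    """Simplified AH integrity check value over the immutable header fields + payload."""
    mac = hmac.new(key, immutable_fields(ip_hdr) + payload, hashlib.sha256).digest()
    return mac[:12]  # AH carries a truncated ICV; 96 bits is the common size


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a source NAT does on the way out: replace the source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def ah_verifies(ip_hdr: bytes, payload: bytes, icv: bytes, key: bytes = KEY) -> bool:
    """Receiver-side check: recompute the ICV over the packet as it arrived."""
    return hmac.compare_digest(ah_icv(ip_hdr, payload, key), icv)


def demo() -> dict:
    """Host A (10.x) behind NAT box B sends an AH packet towards C (public address)."""
    payload = b"constructed TCP segment"
    hdr_a = ipv4_header("10.0.0.5", "192.0.2.10", proto=51,
                        total_len=20 + 12 + len(payload))
    icv = ah_icv(hdr_a, payload)

    # A router decrementing TTL is harmless: TTL is excluded from the ICV.
    hdr_ttl = bytearray(hdr_a)
    hdr_ttl[8] -= 1

    # The NAT at B rewriting the source address to its own public address is not.
    hdr_nat = nat_rewrite_src(hdr_a, "198.51.100.1")

    return {
        "ttl_change_ok": ah_verifies(bytes(hdr_ttl), payload, icv),
        "nat_change_ok": ah_verifies(hdr_nat, payload, icv),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `ttl_change_ok` as true and `nat_change_ok` as false: the receiver at C recomputes the ICV over the header it actually received, and the rewritten source address no longer matches what B signed. This is the same reason the draft Julien points to treats AH as fundamentally incompatible with address translation.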