From owner-freebsd-net@FreeBSD.ORG Sat Oct 24 08:35:54 2009
From: Eric Masson
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org, vanhu
Subject: Re: IPSec, nat on enc device
Date: Sat, 24 Oct 2009 10:35:46 +0200
Message-ID: <86tyxp6vfh.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20091020174351.T5956@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Tue, 20 Oct 2009 18:00:01 +0000 (UTC)")
References: <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091019200549.GA9766@zeninc.net> <864opuk0e6.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091020174351.T5956@maildrop.int.zabbadoz.net>
X-Operating-System: FreeBSD 6.4-RELEASE-p7 i386
User-Agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (berkeley-unix)
List-Id: Networking and TCP/IP with FreeBSD

"Bjoern A. Zeeb" writes:

Hi Bjoern,

> What I said before and will repeat is that if you want to use NAT and
> VPN you want to do inside NAT (admittedly handling the local machine
> is a different story). I have done that years ago with ipfw. Then your
> SA works on the NAT IP.
> I used it to avoid formerly RFC1918 address
> collisions by NATing to an unrouted public IP for just the VPNs.
> The NAT IP will not be bound to any interface at all.

Ok, I've never used ipfw, so this is a shot in the dark. If I had to NAT
192.168.85.0/24 to 10.0.0.1 to access 192.168.201.0/24, I would have to
set up the following:

# start natd first, so the divert rules below have a listener
# (natd's default divert port is the "natd" service, 8668)
natd -alias_address 10.0.0.1

# LAN -> remote: rewrite the source to 10.0.0.1 as the packet comes in
# from the LAN, i.e. before ip_output does the SPD lookup
ipfw add divert natd all from 192.168.85.0/24 to 192.168.201.0/24 in
# remote -> 10.0.0.1: the decapsulated reply must also go through natd,
# otherwise the alias is never translated back to the LAN host
ipfw add divert natd all from 192.168.201.0/24 to 10.0.0.1 in

# the SPD is written for the NAT address, not for the LAN prefix
setkey -c << EOD
spdadd 10.0.0.1/32 192.168.201.0/24 any -P out ipsec esp/tunnel/mygw-theirgw/require ;
spdadd 192.168.201.0/24 10.0.0.1/32 any -P in ipsec esp/tunnel/theirgw-mygw/require ;
EOD

Does it seem reasonable, or am I missing something?

> There is a reason major vendors have been doing inside and outside NAT
> for ages now. That pf cannot do that is bad and a design problem there.

Ok, thanks for your explanations.

Regards

-- 
Hi, I no longer receive messages from the northerners' mailing list.
-+- SG in: GNU - A wee shot of fufe for the road? -+-
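The ordering the thread argues for (inside NAT first, so the SPD lookup and the SA see the NAT address rather than the colliding LAN prefix), as an added model written for this page; it is not code from the thread, from ipfw/natd, or from FreeBSD's IPsec stack. It keeps the thread's addresses and the two setkey policies above. The port numbers, the simplified stateful natd and the third, catch-all "discard" policy are assumptions added here: in the KAME/FreeBSD SPD a packet that matches no policy is passed in the clear, so without that catch-all a forgotten or misordered NAT rule leaks the LAN traffic unencrypted instead of failing closed.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses and gateway placeholders are the ones used in the thread.
LAN = "192.168.85.0/24"
NAT_ADDR = "10.0.0.1"
REMOTE = "192.168.201.0/24"
MYGW, THEIRGW = "mygw", "theirgw"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    src: str            # selector networks, as in a setkey spdadd line
    dst: str
    direction: str      # "out" or "in"
    action: str         # "ipsec", "discard" or "none" (bypass)
    tunnel: tuple = ()  # (local gw, remote gw) when action == "ipsec"

    def matches(self, pkt, direction):
        return (self.direction == direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


# The two spdadd entries from the message, plus an assumed defensive entry
# (not in the thread): a packet still carrying the un-NATed LAN source is
# dropped instead of bypassing IPsec, which is what "no matching policy"
# means in the KAME/FreeBSD SPD.
SPD = [
    Policy(f"{NAT_ADDR}/32", REMOTE, "out", "ipsec", (MYGW, THEIRGW)),
    Policy(REMOTE, f"{NAT_ADDR}/32", "in", "ipsec", (THEIRGW, MYGW)),
    Policy(LAN, REMOTE, "out", "discard"),
]


def spd_lookup(pkt, direction, spd):
    """First matching policy wins; no match means bypass ("none")."""
    for pol in spd:
        if pol.matches(pkt, direction):
            return pol
    return Policy("0.0.0.0/0", "0.0.0.0/0", direction, "none")


class Natd:
    """Stateful source NAT in the spirit of natd -alias_address: LAN src -> alias:port."""

    def __init__(self, alias=NAT_ADDR, lan=LAN, first_port=40000):
        self.alias = alias
        self.lan = ipaddress.ip_network(lan)
        self.table = {}  # (lan src, sport, dst, dport) -> alias port
        self.next_port = first_port

    def outbound(self, pkt):
        """Rewrite a LAN source to the alias, allocating one alias port per flow."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            return pkt
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.alias, sport=self.table[key])

    def inbound(self, pkt):
        """Map a reply addressed to alias:port back to the LAN host; unknown flows pass."""
        for (src, sport, dst, dport), aport in self.table.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (dst, dport, self.alias, aport):
                return replace(pkt, dst=src, dport=sport)
        return pkt


def gateway_out(pkt, nat, spd=SPD, inside_nat=True):
    """Forward a LAN packet: inside NAT first (the ipfw divert on input), so the
    SPD lookup in ip_output sees the rewritten source."""
    if inside_nat:
        pkt = nat.outbound(pkt)
    pol = spd_lookup(pkt, "out", spd)
    return {"pkt": pkt, "action": pol.action, "tunnel": pol.tunnel}


def gateway_in(pkt, nat, via_esp, spd=SPD):
    """Receive from the peer: the inbound "require" policy rejects cleartext, then
    the divert on the decapsulated packet lets natd un-alias the reply."""
    pol = spd_lookup(pkt, "in", spd)
    if pol.action == "ipsec" and not via_esp:
        return {"pkt": pkt, "action": "discard"}
    return {"pkt": nat.inbound(pkt), "action": pol.action}


if __name__ == "__main__":
    nat = Natd()
    out = gateway_out(Packet("192.168.85.10", "192.168.201.5", 51000, 22), nat)
    print(out)
    reply = Packet("192.168.201.5", out["pkt"].src, 22, out["pkt"].sport)
    print(gateway_in(reply, nat, via_esp=True))
```

Running `gateway_out` with `inside_nat=False` is the misconfiguration case: the LAN source matches neither ipsec policy, so with the catch-all it is discarded and, with only the two policies from the message, it is passed with action "none", i.e. sent in the clear. That is the check worth keeping on a real gateway: `setkey -DP` should show a discard entry for the raw LAN prefix towards the remote network, not just the entries for the NAT address.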