Date:      Sat, 24 Oct 2009 10:35:46 +0200
From:      Eric Masson <emss@free.fr>
To:        "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc:        freebsd-net@freebsd.org, vanhu <vanhu@FreeBSD.org>
Subject:   Re: IPSec, nat on enc device
Message-ID:  <86tyxp6vfh.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20091020174351.T5956@maildrop.int.zabbadoz.net> (Bjoern A. Zeeb's message of "Tue, 20 Oct 2009 18:00:01 +0000 (UTC)")
References:  <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091019200549.GA9766@zeninc.net> <864opuk0e6.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091020174351.T5956@maildrop.int.zabbadoz.net>

"Bjoern A. Zeeb" <bz@FreeBSD.org> writes:

Hi Bjoern,

> What I said before and will repeat is that if you want to use NAT and
> VPN you want to do inside NAT (admittedly handling the local machine
> is a different story). I have done that years ago with ipfw. Then your
> SA works on the NAT IP. I used it to avoid formerly RFC1918 address
> collisions by NATing to an unrouted public IP for just the VPNs.
> The NAT IP will not be bound to any interface at all.

Ok, I've never used ipfw, so this is a shot in the dark.

If I had to NAT 192.168.85.0/24 to 10.0.0.1 to access 192.168.201.0/24,
I would have to set up the following:

ipfw add divert natd all from 192.168.85.0/24 to 192.168.201.0/24 in
natd -alias_address 10.0.0.1
setkey -c << EOD
spdadd 10.0.0.1/32 192.168.201.0/24 any -P out ipsec
	esp/tunnel/mygw-theirgw/require ;
spdadd 192.168.201.0/24 10.0.0.1/32 any -P in ipsec
	esp/tunnel/theirgw-mygw/require ;
EOD

Does it seem reasonable, or am I missing something?

> There is a reason major vendors have been doing inside and outside NAT
> for ages now.  That pf cannot do that is bad and a design problem there.

Ok, thanks for your explanations.

Regards

-- 
 Hi,
 I no longer receive any messages from the northerners' mailing list.
 -+- SG in: GNU - Un ch'ti coup d'fufe pour la route ? -+-
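The inside-NAT layout Bjoern describes only works if the setkey policy selectors name the post-NAT address (the natd alias) rather than the LAN prefix, and if natd gets to see both directions of the flow. The script below is an added example, not code from this thread or from FreeBSD: it parses the ipfw divert rule(s) and the spdadd entries and reports where they disagree with each other or with the alias address. The sample values are copied from the message above; the parser assumes tunnel endpoint names such as mygw contain no hyphen.

```python
import ipaddress
import re

# Constructed copies of the commands sketched in the message, same values.
NAT_ALIAS = "10.0.0.1"
IPFW_RULES = [
    "ipfw add divert natd all from 192.168.85.0/24 to 192.168.201.0/24 in",
]
SETKEY_POLICY = """
spdadd 10.0.0.1/32 192.168.201.0/24 any -P out ipsec
        esp/tunnel/mygw-theirgw/require ;
spdadd 192.168.201.0/24 10.0.0.1/32 any -P in ipsec
        esp/tunnel/theirgw-mygw/require ;
"""

# One spdadd entry: src dst proto -P dir ipsec esp/tunnel/local-remote/level ;
# Assumption: tunnel endpoint names contain no '-' (true for mygw/theirgw).
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-/\s]+)-([^-/\s]+)/(\w+)\s*;"
)
# ipfw divert rule: ... divert <port> <proto> from <src> to <dst> [in|out]
DIVERT_RE = re.compile(
    r"divert\s+\S+\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(in|out))?\s*$"
)


def net(text):
    """Parse an address or prefix as a network ('10.0.0.1' -> 10.0.0.1/32)."""
    return ipaddress.ip_network(text, strict=True)


def parse_spd(text):
    """Return the spdadd entries of a setkey script as a list of dicts."""
    entries = []
    for m in SPD_RE.finditer(text):
        src, dst, proto, direction, tun_src, tun_dst, level = m.groups()
        entries.append({
            "src": net(src), "dst": net(dst), "proto": proto, "dir": direction,
            "tun_src": tun_src, "tun_dst": tun_dst, "level": level,
        })
    return entries


def parse_divert(rule):
    """Return (src_net, dst_net, direction_or_None) for one ipfw divert rule."""
    m = DIVERT_RE.search(rule)
    if m is None:
        raise ValueError("not a divert rule: " + rule)
    src, dst, direction = m.groups()
    return net(src), net(dst), direction


def check_config(nat_alias, ipfw_rules, setkey_policy):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    alias = net(nat_alias)  # the natd alias as a /32
    spd = parse_spd(setkey_policy)
    outs = [e for e in spd if e["dir"] == "out"]
    ins = [e for e in spd if e["dir"] == "in"]
    if len(outs) != 1 or len(ins) != 1:
        return ["expected one out and one in policy, got %d/%d" % (len(outs), len(ins))]
    out, inn = outs[0], ins[0]

    # Inside NAT runs before the SPD lookup, so the selectors must name the
    # post-NAT address, not the LAN prefix that natd rewrites.
    if out["src"] != alias:
        findings.append("out policy source %s is not the NAT alias %s" % (out["src"], alias))
    if inn["dst"] != alias:
        findings.append("in policy destination %s is not the NAT alias %s" % (inn["dst"], alias))
    if out["dst"] != inn["src"]:
        findings.append("remote prefix differs between out (%s) and in (%s)" % (out["dst"], inn["src"]))
    # The in policy must be the mirror image of the out policy.
    if (out["tun_src"], out["tun_dst"]) != (inn["tun_dst"], inn["tun_src"]):
        findings.append("tunnel endpoints are not mirrored between the two policies")

    # natd has to see both directions: LAN -> remote to alias the source, and
    # remote -> alias so that replies are translated back to the LAN host.
    diverts = [parse_divert(r) for r in ipfw_rules]
    remote = out["dst"]
    if not any(dst == remote for _, dst, _ in diverts):
        findings.append("no divert rule sends LAN -> %s traffic to natd" % remote)
    if not any(src == remote and dst == alias for src, dst, _ in diverts):
        findings.append("no divert rule sends %s -> %s replies to natd" % (remote, alias))
    return findings


if __name__ == "__main__":
    for line in check_config(NAT_ALIAS, IPFW_RULES, SETKEY_POLICY) or ["ok"]:
        print(line)
```

Run as-is it reports that only the LAN-to-remote direction is diverted; adding a second divert rule from 192.168.201.0/24 to 10.0.0.1 makes the check pass, and swapping the out policy source back to 192.168.85.0/24 makes it flag the selector mismatch.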