From owner-freebsd-questions Mon Oct 16 6:59:51 2000
Date: Mon, 16 Oct 2000 09:58:22 -0400 (EDT)
From: "Bill O'Connell"
To: Fabrizzio Batista
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with IPSEC
In-Reply-To: <001f01c0376f$5d7dd8c0$65010180@lojasobino.com.br>
X-Mailer: XFMail 1.4.0 on FreeBSD

On 16-Oct-00 Fabrizzio Batista wrote:
> Bill wrote:
>
>> The SAD and SPD entries look OK. Are you running a firewall and/or
>> NAT on these systems? If so, how are they configured?
>>
>
> Yeah, I'm running ipfw and NAT. NAT breaks IPSEC???
>
> How can I use NAT on my internal interface? Is this the best
> solution?
>
> Thanks in advance,
>
> Fabrizzio
>

If your ipfw rules divert packets to natd before ipsec sees them, then that's the problem. You'd have to allow your VPN private addresses to pass before they're diverted to natd, which presents potential security issues. This is why it's probably not a good idea to have the same box be both a firewall and an IPSec security gateway.

Bill
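The rule ordering Bill describes, written out as an added example ipfw script (this is not code from the thread or from FreeBSD's rc.firewall; the interface name, subnets and rule numbers are assumed placeholders). It installs the IPsec and private-subnet exemptions below the natd divert rule and checks that ordering before applying anything:

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rule ordering that lets IPsec
# and the VPN's private subnets pass before the natd divert rule.
# All interface names and addresses below are assumed placeholders.
oif="xl0"                 # assumed outside interface carrying VPN and NAT
lan="192.168.1.0/24"      # assumed private LAN behind this gateway
remote="192.168.2.0/24"   # assumed private LAN behind the remote gateway

# Emit the rules in the order they must be installed (lowest number first).
gen_rules() {
    # IKE and the IPsec protocols themselves must not be rewritten by natd.
    echo "add 100 allow udp from any to any 500 via $oif"
    echo "add 110 allow esp from any to any via $oif"
    echo "add 120 allow ah from any to any via $oif"
    # Tunnel payload between the private networks, pinned to interface and
    # direction.  Caveat from the thread: this also admits cleartext packets
    # arriving on $oif that merely claim a $remote source address.
    echo "add 200 allow ip from $lan to $remote out via $oif"
    echo "add 210 allow ip from $remote to $lan in via $oif"
    # Only now does the rest of the outside traffic go through natd.
    echo "add 300 divert natd ip from any to any via $oif"
    echo "add 65000 allow ip from any to any"
}

# Return 0 if every VPN exemption is numbered below the divert rule.
check_order() {
    divert=$(gen_rules | awk '/divert natd/ { print $2; exit }')
    gen_rules | awk -v d="$divert" '
        /allow (esp|ah|udp|ip from [0-9])/ && $2 >= d { bad = 1 }
        END { exit bad }'
}

# Install on the gateway (as root); run before natd starts diverting.
apply_rules() {
    gen_rules | while read -r rule; do
        /sbin/ipfw -q $rule || return 1
    done
}

if [ "$1" = "apply" ]; then
    check_order && apply_rules
fi
```

The exemption rules are the "potential security issue" in the reply: a spoofed cleartext packet hitting the outside interface with a private source address passes them too, which is why a separate IPsec gateway, or a later ipfw's `ipsec` match keyword that only matches packets that arrived through IPsec processing, closes that gap.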