From: Jaye Mathisen
To: hackers@freebsd.org
Date: Wed, 17 Sep 2003 17:36:26 -0700
Message-ID: <20030918003626.GR1096@backmaster.cdsnet.net>
Subject: IPSEC/NAT/gif interaction question.
List: freebsd-hackers@freebsd.org (Technical Discussions relating to FreeBSD)

We seem to have an issue where traffic going over an IPSEC tunnel is getting tunneled before it hits our NAT process.

For example:

Node A, running NAT on its "external" interface sis0, which has an IP of 10.177.1.1, has an interface sis1 which is its "internal" interface with an IP of 192.168.0.1. It has a default route of 10.177.1.254. It has an ipsec tunnel on gif0, going from 10.177.1.1 to a publicly-routable IP, call it a.b.c.2, with publicly-routable IPs on both ends of the tunnel.

Node B has an interface sis0 of 10.177.1.254 and an interface sis1 of a.b.c.3. It knows how to route the traffic back and forth between tunnel endpoints.

Node C is the VPN termination; it has an address of a.b.c.4 and has the corresponding gif interface from node A.

The tunnels all come up and move traffic successfully, and ftp/telnet from Node A to the world works just fine.

The problem is that when we then fire up natd aliased to the public IP address bound to the gif0 interface, traffic from the inside network seems to hit ipsec and get tunneled before it hits the natd process, although we do have the necessary divert rule and have natd running on the external interface (sis0). I have tried aliasing the node A endpoint to a physical interface, and a loopback, and nothing seems to work.

If I look at the traffic coming in on node C, I see the esp traffic tunneled, but the source addresses are the 192.168.0 IPs from the internal network, not the nat'd IPs.

What am I missing here?
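As an added illustration, not part of the original message or any reply to it, the following ipfw rule file (loadable with `ipfw /etc/ipfw.rules`) shows the divert placement the post describes next to an alternative that ties the divert to the tunnel interface instead of sis0. The addresses come from the post; the rule numbers, the natd divert port (8668 is natd's default from /etc/services), the placeholder `<gif0-public-ip>` (the post does not name that address) and the claim that this placement fixes the problem are assumptions to be verified on the box, not something the thread confirms.

```conf
# Added example: ipfw rule file for node A. Not from the thread; addresses are
# the ones in the post, rule numbers and port 8668 are assumptions.

# Arrangement A: what the post describes. The divert rule is bound to sis0, so it
# only sees packets that actually traverse sis0. Traffic for the far network is
# routed to gif0 first, so by the time it reaches sis0 it is already
# encapsulated (outer source 10.177.1.1, protocol IPIP or ESP). natd therefore
# never sees the inner 192.168.0.0/24 headers, which matches what is observed
# on node C.
#add 1000 divert 8668 ip from any to any via sis0

# Arrangement B: match the inner packets on gif0 instead. Outbound packets are
# translated before gif encapsulation and before the IPsec policy applies;
# inbound packets are matched after gif has decapsulated them. The natd
# instance behind port 8668 would then be started with the tunnel address:
#   natd -port 8668 -alias_address <gif0-public-ip>
add 1000 divert 8668 ip from 192.168.0.0/24 to any out via gif0
add 1010 divert 8668 ip from any to <gif0-public-ip> in via gif0

# The encapsulated/ESP packets still have to be allowed out on sis0; the
# per-site policy goes here. This example just passes everything else.
add 65000 allow ip from any to any
```

A quick check for either arrangement is to watch both sides of the tunnel interface at once, `tcpdump -ni gif0` and `tcpdump -ni sis0`: with arrangement B the inner packets on gif0 should already carry `<gif0-public-ip>` as their source, while sis0 shows only the encapsulated traffic from 10.177.1.1.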