From owner-freebsd-questions@FreeBSD.ORG Mon Sep 11 16:39:30 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC14216A403; Mon, 11 Sep 2006 16:39:30 +0000 (UTC) (envelope-from norgaard@locolomo.org)
Received: from strange.daemonsecurity.com (59.Red-81-33-11.staticIP.rima-tde.net [81.33.11.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 48F5643D49; Mon, 11 Sep 2006 16:39:29 +0000 (GMT) (envelope-from norgaard@locolomo.org)
Received: from [192.168.7.193] (68.Red-80-34-55.staticIP.rima-tde.net [80.34.55.68]) by strange.daemonsecurity.com (Postfix) with ESMTP id E37232E024; Mon, 11 Sep 2006 18:39:27 +0200 (CEST)
Message-ID: <4505913A.5020403@locolomo.org>
Date: Mon, 11 Sep 2006 18:39:22 +0200
From: Erik Norgaard
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
To: Administrators
Cc: freebsd-questions@freebsd.org
References: <450536E9.2010106@ispinfo.fr>
In-Reply-To: <450536E9.2010106@ispinfo.fr>
Subject: Re: NAT+IPSEC troubles
List-Id: User questions
X-List-Received-Date: Mon, 11 Sep 2006 16:39:30 -0000

Administrators wrote:
> Hi,
>
> I'm building a VPN connected to a CISCO device.
>
> I NEED to translate my LAN address to a given address.
>
> The VPN works well when I try doing
> ifconfig em0 alias _given_@_
> ping -S _given_@_ dest_@
>
> but I didn't manage to translate the LAN address AND have the VPN used.
>
> I can pass through the VPN using the actual address, but the CISCO endpoint drops it,
> or I translate, but the packets don't go into the VPN.
>
> Any idea ?

IPSec does not work across NAT.

The problem is authentication headers, which simply won't work because they assume the IP header is untouched. If you have a NATting box it will rewrite the source/destination IP, which means the recipient cannot verify the authenticity of the packet.

You should be able to get things working without AH.

Cheers, Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
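The mechanism behind Erik's answer, as an added example that is not part of the original thread: the AH integrity check (RFC 4302) is computed over the IP header with only the mutable fields (DSCP/ECN, flags/fragment offset, TTL, header checksum) zeroed, so a router decrementing the TTL is fine but a NAT rewriting the source address is not. ESP's integrity check covers only the ESP header, payload and trailer, so the same rewrite leaves it intact. The key, addresses and payload below are constructed for the demo; the ICV is HMAC-SHA1-96 as in RFC 2404, and ESP uses NULL encryption (RFC 2410) so the packet stays readable. No real SA or kernel is involved.

```python
import hmac
import hashlib
import struct
import ipaddress

KEY = b"constructed-demo-key-not-a-real-sa"  # assumption: shared SA key, for the demo only
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 HMAC to 96 bits


def ip_checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, ttl=64, total_len=0):
    # version/IHL, DSCP/ECN, total length, id, flags/frag, TTL, proto, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_zero_mutable(ip_hdr):
    # RFC 4302 4.1.2.1: fields a router legitimately changes are zeroed before hashing
    h = bytearray(ip_hdr)
    h[1] = 0                    # DSCP / ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    # The source/destination addresses are NOT mutable: they are hashed as-is.
    data = ah_zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, next_hdr=17, spi=0x1000, seq=1):
    # AH: next header, payload len (32-bit words minus 2), reserved, SPI, sequence, ICV
    ah_fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 51, total_len=20 + len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key, pkt):
    ip_hdr, rest = pkt[:20], pkt[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def build_esp_packet(key, src, dst, payload, next_hdr=17, spi=0x2000, seq=1):
    # ESP-NULL: SPI, sequence, payload, padding, pad length, next header, then ICV.
    # The ICV covers everything after the IP header and nothing of the IP header itself.
    pad_len = (-(len(payload) + 2)) % 4
    esp_body = (struct.pack("!II", spi, seq) + payload
                + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    icv = hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, 50, total_len=20 + len(esp_body) + ICV_LEN)
    return ip_hdr + esp_body + icv


def verify_esp(key, pkt):
    esp_body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN])


def _rewrite_ip(pkt, edit):
    h = bytearray(pkt[:20])
    edit(h)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def forward_hop(pkt):
    # What an ordinary router does: TTL - 1, checksum recomputed.
    return _rewrite_ip(pkt, lambda h: h.__setitem__(8, h[8] - 1))


def nat_rewrite_src(pkt, new_src):
    # What the NAT box in the thread does: source address replaced, checksum recomputed.
    return _rewrite_ip(pkt, lambda h: h.__setitem__(slice(12, 16),
                                                    ipaddress.IPv4Address(new_src).packed))


def demo():
    payload = b"hello"  # constructed inner datagram
    ah = build_ah_packet(KEY, "192.168.1.10", "203.0.113.5", payload)
    esp = build_esp_packet(KEY, "192.168.1.10", "203.0.113.5", payload)
    return {
        "ah_direct": verify_ah(KEY, ah),
        "ah_after_router": verify_ah(KEY, forward_hop(ah)),
        "ah_after_nat": verify_ah(KEY, nat_rewrite_src(ah, "198.51.100.1")),
        "esp_after_nat": verify_esp(KEY, nat_rewrite_src(esp, "198.51.100.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-16s %s" % (name, "ICV OK" if ok else "ICV FAIL"))
```

Running `demo()` gives `ah_direct` and `ah_after_router` passing, `ah_after_nat` failing and `esp_after_nat` passing: the receiver cannot tell a NAT rewrite from tampering when AH is in use, which is exactly the drop the poster sees at the Cisco end, while ESP's integrity check never looked at the addresses. The ESP result only shows that the ICV is not what breaks; whether the NAT device forwards IP protocol 50 at all, and whether an inner TCP/UDP checksum in transport mode still matches after the rewrite, are separate matters not covered by this example.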