Date:      Wed, 24 Jan 2001 22:05:37 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Bruno Miguel <brunomiguel@netcabo.pt>
Cc:        freebsd-ipfw@FreeBSD.ORG, The Babbler <bts@babbleon.org>
Subject:   Re: IPSEC tunnelling
Message-ID:  <20010124220537.G10761@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A6EFA76.17540.17FDF1@localhost>; from brunomiguel@netcabo.pt on Wed, Jan 24, 2001 at 03:53:26PM -0000
References:  <3A6D367EA1EFD4118C9B00A0C9DD99D7064AE8@rerun.lucentctc.com>; <20010121173807.B10761@rfx-216-196-73-168.users.reflex> <3A6EFA76.17540.17FDF1@localhost>

On Wed, Jan 24, 2001 at 03:53:26PM -0000, Bruno Miguel wrote:
> > > I'm using IPSec tunnel mode, with ESP, but no authentication.  I'm also not
> > > using AH.
> > 
> > Tunnel mode is troublesome to mix with NAT. AH is impossible to run
> > through NAT.
> 
> I tried using a skipto rule when packets from local network tried to reach the 
> other local network... skipping the divert rule.

That should pretty much break everything before you even have to worry
whether the IPsec is working.

> To no avail...
> I was trying to use tunnel mode, only ESP.
> I wonder if someone has done it..... I normally use ipfilter, but the ipfw divert 
> rule being able to be bypassed by a skipto rule made me try ipfw. It didn't 
> work..... when I set up a 10.x.x.x network it worked..... but it was nattin' 
> a 192.168.x.x network. I wonder what went wrong.

ESP is rarely going to be the problem. If you make it all of the way
through the ISAKMP keying negotiations, you are in business.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
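The remark above that AH cannot be run through NAT while ESP usually is not the problem comes down to what each protocol's integrity check value (ICV) covers. The following is an added illustration written for this archive page, not code from the thread, from FreeBSD, or from any IPsec implementation: a deliberately simplified model of the AH and ESP ICV computations (HMAC-SHA1-96 over a hand-built IPv4 header), with the key, the SPI, the addresses and the "inner packet" bytes all constructed for the demo. It is not an RFC 2402/2406 implementation; it only shows which header fields each ICV binds and what a NAT rewrite does to them.

```python
"""AH vs ESP across NAT, simplified.

AH's ICV covers the outer IP header's immutable fields (source and
destination addresses included), so a NAT that rewrites the source
address invalidates it.  ESP's ICV covers only the ESP header and the
(encrypted) payload, so the outer header may be rewritten freely.
Constructed example; not a real IPsec implementation."""
import hmac
import hashlib
import struct

KEY = b"constructed-demo-auth-key"  # constructed; a real SA gets this from IKE


def ip4(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; irrelevant here).
    proto 51 = AH, proto 50 = ESP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0x1234, 0, ttl, proto, 0, ip4(src), ip4(dst))


def immutable_view(ip_hdr):
    """AH zeroes the fields a router may legitimately change before
    computing its ICV: TOS, flags/fragment offset, TTL, header checksum.
    The source and destination addresses are NOT zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0              # TOS
    h[6:8] = b"\0\0"      # flags / fragment offset
    h[8] = 0              # TTL
    h[10:12] = b"\0\0"    # header checksum
    return bytes(h)


def hmac_sha1_96(data):
    """HMAC-SHA1 truncated to 96 bits, the common early IPsec authenticator."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(ip_hdr, spi, seq, payload):
    """AH: ICV over immutable outer header + SPI/sequence + payload."""
    return hmac_sha1_96(immutable_view(ip_hdr) + struct.pack("!II", spi, seq) + payload)


def ah_verify(ip_hdr, spi, seq, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, spi, seq, payload), icv)


def esp_icv(spi, seq, payload):
    """ESP: ICV over SPI/sequence + encrypted payload only.  The outer IP
    header is not authenticated at all."""
    return hmac_sha1_96(struct.pack("!II", spi, seq) + payload)


def esp_verify(spi, seq, payload, icv):
    return hmac.compare_digest(esp_icv(spi, seq, payload), icv)


def forward_hop(ip_hdr):
    """A plain router: decrement TTL, nothing else."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_src(ip_hdr, new_src):
    """A NAT gateway: decrement TTL and replace the source address."""
    h = bytearray(forward_hop(ip_hdr))
    h[12:16] = ip4(new_src)
    return bytes(h)


def demo():
    """Run one AH and one ESP tunnel-mode packet through a plain hop and
    through NAT, returning which ICVs still verify at the far end."""
    spi, seq = 0x1000, 1
    # stands in for the inner (tunnelled) IP packet; constructed bytes
    inner = b"inner packet 192.168.1.10 -> 10.0.0.10 (constructed)"
    ah_hdr = build_ip_header("192.168.1.1", "203.0.113.9", 51, len(inner))
    esp_hdr = build_ip_header("192.168.1.1", "203.0.113.9", 50, len(inner))
    a_icv = ah_icv(ah_hdr, spi, seq, inner)
    e_icv = esp_icv(spi, seq, inner)
    natted_esp = nat_rewrite_src(esp_hdr, "198.51.100.7")  # ignored by ESP's ICV
    return {
        # a normal hop changes only TTL, which AH treats as mutable: still valid
        "ah_after_plain_hop": ah_verify(forward_hop(ah_hdr), spi, seq, inner, a_icv),
        # NAT rewrites the source address, which AH authenticates: rejected
        "ah_after_nat": ah_verify(nat_rewrite_src(ah_hdr, "198.51.100.7"),
                                  spi, seq, inner, a_icv),
        # ESP never covered the outer header: still valid regardless of NAT
        "esp_after_nat": esp_verify(spi, seq, inner, e_icv) and len(natted_esp) == 20,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

What the demo does not show is the other half of "tunnel mode is troublesome to mix with NAT": ESP survives the address rewrite, but it carries no port numbers, so a NAT gateway has nothing to multiplex several inside hosts on, and the IKE (ISAKMP) negotiation on UDP 500 sees the translated address rather than the one the peer expects. That is why Crist's advice is to get the ISAKMP exchange through first; once keying succeeds, ESP itself rarely fails.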

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010124220537.G10761>