From owner-freebsd-net Fri Oct 18 0:39:52 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4870437B401 for ; Fri, 18 Oct 2002 00:39:51 -0700 (PDT)
Received: from mail.allcaps.org (h-66-166-142-198.SNDACAGL.covad.net [66.166.142.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C6A243E7B for ; Fri, 18 Oct 2002 00:39:50 -0700 (PDT) (envelope-from bsder@mail.allcaps.org)
Received: by mail.allcaps.org (Postfix, from userid 501) id 4D1051550C; Fri, 18 Oct 2002 00:39:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.allcaps.org (Postfix) with ESMTP id 423FB1550B; Fri, 18 Oct 2002 00:39:49 -0700 (PDT)
Date: Fri, 18 Oct 2002 00:39:49 -0700 (PDT)
From: "Andrew P. Lentvorski"
To: Charles Henrich
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
In-Reply-To: <20021017162243.B89519@sigbus.com>
Message-ID: <20021018002729.T66900-100000@mail.allcaps.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

You cannot NAT an IPSEC packet. NAT rewrites the IP headers and the packet will get rejected when it reaches the other IPSEC node.

You can create forwarding rules which NAT packets destined for other hosts and leave the IPSEC packets alone. You'll have to create an ipfw ruleset.

You also probably need to understand the difference between tunnel mode and transport mode in IPSEC. Transport mode is host-to-host. Tunnel mode is network-to-network. (I may have those two backwards.) You are trying to do a hybrid; I don't think that is allowed in IPSEC.

One of the hardest things for me to get used to in IPSEC was the fact that two machines could actually not talk to one another normally, but could create an IPSEC tunnel. Also, two machines that could actually talk to one another were not sufficient to guarantee that they could set up a tunnel.

Good luck,
-a

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
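The two points in the reply, that rewriting the IP header invalidates an IPsec packet and that the gateway's fix is to exempt IPsec traffic from NAT while translating everything else, can be shown with a small model. The following is an added example, not code from the post or from FreeBSD; it models AH (RFC 4302) because AH's integrity check covers the source and destination addresses directly, so a masquerading rewrite is visible as a failed ICV at the peer. The covered-fields set is simplified (addresses, protocol number and payload only; a real AH ICV covers the whole header with mutable fields zeroed), the HMAC key, addresses and payload are constructed, and `gateway_forward` stands in for the ipfw policy the post recommends (pass protocols 50/51 and UDP/500 untouched, divert the rest to NAT). ESP breaks under NAT for related reasons (no transport ports for the translator to map, and in transport mode an encrypted TCP/UDP checksum that no longer matches the rewritten address), which the model does not cover.

```python
"""Toy model: why a NAT'd AH packet fails verification, and a NAT policy that skips IPsec."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500  # ISAKMP/IKE negotiation runs over UDP/500


@dataclass(frozen=True)
class Packet:
    """Only the fields the model needs; ports are 0 for protocols that have none."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    icv: bytes = b""  # AH Integrity Check Value, empty for non-AH packets


def ah_covered_bytes(p: Packet) -> bytes:
    # AH authenticates the IP header with mutable fields (TTL, header checksum) zeroed.
    # Source and destination addresses are *immutable* fields and are therefore covered,
    # which is exactly why an address rewrite breaks the check. Simplified set here.
    return (ipaddress.IPv4Address(p.src).packed
            + ipaddress.IPv4Address(p.dst).packed
            + struct.pack("!B", p.proto)
            + p.payload)


def ah_sign(p: Packet, key: bytes) -> Packet:
    # Truncated HMAC, in the style of AH's 96-bit ICVs (constructed key, demo only).
    icv = hmac.new(key, ah_covered_bytes(p), hashlib.sha256).digest()[:12]
    return replace(p, icv=icv)


def ah_verify(p: Packet, key: bytes) -> bool:
    expected = hmac.new(key, ah_covered_bytes(p), hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, p.icv)


def nat_rewrite(p: Packet, public_ip: str) -> Packet:
    # A masquerading NAT replaces the private source address and, for TCP/UDP,
    # picks a new source port so it can demultiplex replies.
    new_sport = 40000 + (p.sport % 1000) if p.proto in (PROTO_TCP, PROTO_UDP) else p.sport
    return replace(p, src=public_ip, sport=new_sport)


def is_ipsec(p: Packet) -> bool:
    # ESP (50) and AH (51) carry no transport ports; IKE is UDP on port 500.
    return p.proto in (PROTO_ESP, PROTO_AH) or (
        p.proto == PROTO_UDP and IKE_PORT in (p.sport, p.dport))


def gateway_forward(p: Packet, public_ip: str) -> Packet:
    # The policy the post describes: NAT ordinary traffic, leave IPsec packets alone.
    return p if is_ipsec(p) else nat_rewrite(p, public_ip)


def demo() -> dict:
    """Constructed scenario: host 192.168.1.10 behind gateway 198.51.100.1 talks to 203.0.113.5."""
    key = b"constructed-demo-key-not-a-real-sa"
    public_ip = "198.51.100.1"
    ah_pkt = ah_sign(Packet("192.168.1.10", "203.0.113.5", PROTO_AH, payload=b"hello"), key)
    tcp_pkt = Packet("192.168.1.10", "203.0.113.5", PROTO_TCP, sport=51234, dport=80)
    ike_pkt = Packet("192.168.1.10", "203.0.113.5", PROTO_UDP, sport=500, dport=500)

    return {
        # The peer rejects an AH packet whose source address a NAT rewrote.
        "natted_ah_verifies": ah_verify(nat_rewrite(ah_pkt, public_ip), key),
        # The exemption policy passes it untouched, so the ICV still checks out.
        "forwarded_ah_verifies": ah_verify(gateway_forward(ah_pkt, public_ip), key),
        # Ordinary TCP is still translated ...
        "tcp_src_after_gateway": gateway_forward(tcp_pkt, public_ip).src,
        # ... while IKE keeps its original source so the SA negotiation is not disturbed.
        "ike_src_after_gateway": gateway_forward(ike_pkt, public_ip).src,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `is_ipsec` classifier is the part that maps onto an ipfw ruleset: the rules that match protocols 50 and 51 and UDP port 500 must come before the divert-to-NAT rule, otherwise every IPsec packet is rewritten and the peer discards it for exactly the reason the post gives.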