From owner-freebsd-questions@FreeBSD.ORG Sun Aug 18 12:17:49 2013
Subject: Re: VPN where local private address collide
From: Terje Elde
Date: Sun, 18 Aug 2013 14:17:45 +0200
Message-Id: <791847EC-8E72-4013-9157-7AD0ACB62A7D@elde.net>
References: <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net> <520F53A2.80707@fjl.co.uk> <520F8AA8.8030407@fjl.co.uk> <1FF39756-0555-4CD8-95B7-862F9644CF78@elde.net>
To: Adam Vande More
Cc: freebsd-questions@freebsd.org, Frank Leonhardt

On 18. aug. 2013, at 02.43, Adam Vande More wrote:

>> What about SSL/TLS for example? How would the router swap the header in an encrypted session?
>
> Same as it would any sessions since only the payload is encrypted. What Frank calls basic NAT, most people call static NAT (at least people who have read enough Cisco docs) and it works just fine. Also you are confusing headers.

The point I was aiming for was that even if you were to swap the IPs in the IP header on the gateway, some protocols still reference the IPs inside the TCP payload, and while you can rewrite that on a NAT box using an application level gateway, you cannot do that if the session is using SSL or TLS.

I was referring to headers *inside* the SSL/TLS layers. I thought that was obvious, but I see I might not have been clear enough.

Yes, you can often still resolve it on the server, but just how messy does one want to get stacking workaround on top of workaround, just to avoid renumbering the network?

Terje
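The static (net-to-net, 1:1) NAT and the application-level-gateway limit discussed in this thread, as an added illustration that is not part of any message above: two sites that both use 192.168.1.0/24 are each presented to the other behind a distinct alias prefix (constructed values), the gateway rewrites the IP header 1:1, and an ALG can rewrite address literals embedded in a plaintext payload but must pass a TLS-encrypted payload through untouched.

```python
import ipaddress
import re

# Constructed scenario: both sites really use 192.168.1.0/24.  Each site is
# reached from the other through its own alias prefix (static 1:1 NAT).
SITE_A_REAL = ipaddress.ip_network("192.168.1.0/24")
SITE_A_ALIAS = ipaddress.ip_network("10.1.0.0/24")
SITE_B_REAL = ipaddress.ip_network("192.168.1.0/24")
SITE_B_ALIAS = ipaddress.ip_network("10.2.0.0/24")

IP_LITERAL = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def translate(addr, src_net, dst_net):
    """Map a host 1:1 from src_net into dst_net, keeping the host offset."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def alg_rewrite(payload, src_net, dst_net, encrypted):
    """Application-level gateway: rewrite address literals in the payload.

    Returns (new_payload, number_of_rewrites).  A TLS-protected payload is
    opaque to the gateway, so it is returned unchanged with a count of 0.
    """
    if encrypted:
        return payload, 0
    count = 0

    def sub(match):
        nonlocal count
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:          # e.g. "999.1.1.1" matched the regex
            return match.group(0)
        if ip in src_net:
            count += 1
            return str(translate(ip, src_net, dst_net))
        return match.group(0)

    text = IP_LITERAL.sub(sub, payload.decode("latin-1"))
    return text.encode("latin-1"), count


def forward_a_to_b(src, dst, payload, encrypted=False):
    """Gateway at site A forwarding toward site B: header NAT plus ALG."""
    new_src = translate(src, SITE_A_REAL, SITE_A_ALIAS)   # hide A's real net
    new_dst = translate(dst, SITE_B_ALIAS, SITE_B_REAL)   # unmask B's alias
    new_payload, n = alg_rewrite(payload, SITE_A_REAL, SITE_A_ALIAS, encrypted)
    return {"src": str(new_src), "dst": str(new_dst),
            "payload": new_payload, "rewritten": n}
```

The constructed SIP-style `Contact:` line stands in for any protocol that carries its own address inside the TCP payload; with `encrypted=True` the header is still translated but the embedded address is not, which is the mismatch the reply describes.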