Message-ID: <3DAF73DE.1080307@consult-scs.com>
Date: Thu, 17 Oct 2002 19:37:18 -0700
From: Jonathan Feally
To: Charles Henrich
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec/NAT FreeBSD
References: <20021017161013.A89519@sigbus.com>

I was just looking at the latest postings from the net list and was reading yours when I found this e-mail you sent directly to me.

I've had some success with IPSEC/IPFW and NATD. The problem lies in the kernel, ipsec and ipfw ordering of where the packets flow. What you are trying to do makes perfect sense. But the kernel is screwing you up.

I took and duplicated your problem using a 4.6.2-R machine with a LAN behind it and a 4.4-R machine. So here lies the problem: The outgoing packets from the LAN get nat-ed and then ipsec-ed. The incoming packets are ipsec-ed but don't pass to natd as a regular packet, because ipsec takes place after ipfw.
I think a solution to the problem would be to have ipsec processing take place both before and after ipfw (or ipf). Somebody else though will have to figure out how to make a custom kernel to do double ipsec processing because I'm not a C programmer. Hope somebody can make it happen, for both of us.

- Jonathan

Charles Henrich wrote:

> I've run across your postings in the FreeBSD mailing lists, and it looks like
> you're trying to do what I am trying to do. I was wondering if you had solved
> it? That is, I have a nat'd network, and I want packets from any host on the
> inside of the network to be ESP encapsulated after nat translation to one
> particular host outside the network. It looks like it works, kinda. Packets
> hit the gateway, are nat'd, are ESP encapsulated, and sent on their merry way.
> Racoon even does a proper key exchange. On the return path however, the
> packet is unencapsulated, but nat seems to refuse to reverse the natting?
> Were you able to solve this problem?
>
> Thanks for any advice!
>
> -Crh
>
> Charles Henrich Eon Entertainment henrich@msu.edu
>
> http://www.sigbus.com/~henrich
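The ordering argument in the message above, as an added toy model that is not part of the thread and not FreeBSD code: natd is reduced to a port-overloading table, IPsec to an "ESP encapsulated" flag, and the addresses and ports are constructed. Output runs ipfw/natd before IPsec; input runs ipfw/natd on the still-encapsulated ESP packet and then decapsulates, so the cleartext reply keeps the gateway's outside address unless it is passed through natd a second time, which is the "IPsec both before and after ipfw" ordering Jonathan proposes.

```python
# Added example: toy model of the FreeBSD 4.x packet ordering described in the
# thread (ipfw/natd before IPsec on output, IPsec after ipfw on input).
# Not FreeBSD or natd code; addresses and ports below are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Tuple

LAN_HOST = "192.168.1.10"      # constructed: host behind the NAT gateway
GATEWAY_EXT = "203.0.113.1"    # constructed: gateway's outside address
PEER = "198.51.100.5"          # constructed: remote IPsec peer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    esp: bool = False          # True while the packet is ESP-encapsulated


class Natd:
    """Minimal port-overloading NAT standing in for natd(8)."""

    def __init__(self, ext_ip: str) -> None:
        self.ext_ip = ext_ip
        self.table: Dict[int, Tuple[str, int]] = {}  # ext port -> (inner ip, inner port)
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        if p.esp:                # ESP carries no ports, so natd leaves it alone
            return p
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return replace(p, src=self.ext_ip, sport=port)

    def inbound(self, p: Packet) -> Packet:
        if p.esp or p.dst != self.ext_ip:
            return p
        entry = self.table.get(p.dport)
        if entry is None:
            return p
        return replace(p, dst=entry[0], dport=entry[1])


def ipsec_encapsulate(p: Packet) -> Packet:
    return replace(p, esp=True)


def ipsec_decapsulate(p: Packet) -> Packet:
    return replace(p, esp=False)


def outbound_path(p: Packet, natd: Natd) -> Packet:
    """Output: ipfw divert to natd first, IPsec afterwards (this direction works)."""
    return ipsec_encapsulate(natd.outbound(p))


def inbound_path(p: Packet, natd: Natd, reinject: bool) -> Packet:
    """Input: ipfw sees the ESP packet, natd cannot translate it, IPsec then
    decapsulates. With reinject=False the cleartext never returns to natd,
    which is the failure both posters describe; reinject=True models a second
    ipfw/natd pass after IPsec input processing."""
    p = natd.inbound(p)          # first ipfw/natd pass: still ESP, untouched
    p = ipsec_decapsulate(p)     # IPsec input processing
    if reinject:
        p = natd.inbound(p)      # second pass over the cleartext packet
    return p


def simulate(reinject: bool) -> Packet:
    """Send one LAN->peer packet and return the peer's reply as delivered."""
    natd = Natd(GATEWAY_EXT)
    wire = outbound_path(Packet(LAN_HOST, PEER, 51234, 80), natd)
    reply = Packet(src=PEER, dst=wire.src, sport=80, dport=wire.sport, esp=True)
    return inbound_path(reply, natd, reinject)


if __name__ == "__main__":
    print("4.x ordering :", simulate(reinject=False))  # dst stays on the gateway
    print("with reinject:", simulate(reinject=True))   # dst reversed to the LAN host
```

Running it shows the reply with the 4.x ordering still addressed to the gateway's outside address and the translated port, exactly the "nat seems to refuse to reverse the natting" symptom; only the second natd pass restores the LAN host and original port.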