Date: Thu, 17 Oct 2002 19:37:18 -0700
From: Jonathan Feally <vulture@consult-scs.com>
To: Charles Henrich <henrich@sigbus.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec/NAT FreeBSD
Message-ID: <3DAF73DE.1080307@consult-scs.com>
References: <20021017161013.A89519@sigbus.com>
I was just looking at the latest postings from the net list and was reading yours when I found this e-mail you sent directly to me. I've had some success with IPSEC/IPFW and NATD. The problem lies in the kernel, ipsec and ipfw ordering of where the packets flow. What you are trying to do makes perfect sense. But the kernel is screwing you up.

I took and duplicated your problem using a 4.6.2-R machine with a LAN behind it and a 4.4-R machine. So here lies the problem: The outgoing packets from the LAN get nat-ed and then ipsec-ed. The incoming packets are ipsec-ed but don't pass to natd as a regular packet, because ipsec takes place after ipfw.

I think a solution to the problem would be to have ipsec processing take place both before and after ipfw (or ipf). Somebody else though will have to figure out how to make a custom kernel to do double ipsec processing because I'm not a C programmer. Hope somebody can make it happen, for both of us.

- Jonathan

Charles Henrich wrote:

> I've run across your postings in the FreeBSD mailing lists, and it looks like
> you're trying to do what I am trying to do. I was wondering if you had solved
> it? That is, I have a nat'd network, and I want packets from any host on the
> inside of the network to be ESP encapsulated after nat translation to one
> particular host outside the network. It looks like it works, kinda. Packets
> hit the gateway, are nat'd, are ESP encapsulated, and sent on their merry way.
> Racoon even does a proper key exchange. On the return path however, the
> packet is unencapsulated, but nat seems to refuse to reverse the natting?
> Were you able to solve this problem?
>
> Thanks for any advice!
>
> -Crh
>
> Charles Henrich Eon Entertainment henrich@msu.edu
>
> http://www.sigbus.com/~henrich
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
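The following is an added model of the packet ordering Jonathan describes; it is not code from the thread or from FreeBSD, and the addresses, ports and the two gateway paths are assumptions made for illustration. It walks one LAN connection through a gateway that runs ipfw's natd divert before IPsec on output, and then shows why the ESP reply is useless to natd on input: natd only ever sees the ESP packet addressed to the gateway, and the inner packet that IPsec decrypts afterwards is delivered without re-entering ipfw or natd. The second input path models the "ipsec before and after ipfw" idea from the message by feeding the decrypted packet back through the divert hook. The same ordering also means ipfw rules written for the inner traffic never see it on the 4.x path, which is worth keeping in mind when the gateway is also the firewall.

```python
"""Model of NAT + IPsec processing order on a FreeBSD 4.x gateway.

Constructed example, not FreeBSD code.  Addresses are RFC 5737/1918
documentation ranges chosen for the illustration.
"""
from dataclasses import dataclass, replace

GATEWAY_PUBLIC = "203.0.113.1"   # assumed outside address of the NAT/IPsec gateway
PEER = "198.51.100.7"            # assumed remote ESP peer
LAN_HOST = "192.168.1.10"        # assumed host behind the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    esp: bool = False  # True while the payload (and its ports) sit inside ESP


class Natd:
    """Minimal stateful NAT: masquerade outbound traffic behind the gateway
    address and reverse the mapping for replies that match a known flow."""

    def __init__(self, public: str):
        self.public = public
        self.table = {}        # (remote ip, remote port, nat port) -> (lan ip, lan port)
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.dst, p.dport, port)] = (p.src, p.sport)
        return replace(p, src=self.public, sport=port)

    def inbound(self, p: Packet) -> Packet:
        mapped = self.table.get((p.src, p.sport, p.dport))
        if mapped is None:
            return p                      # no state for this flow: untouched
        lan_ip, lan_port = mapped
        return replace(p, dst=lan_ip, dport=lan_port)


def ipfw_divert(natd: Natd, p: Packet, direction: str) -> Packet:
    """The 'ipfw add divert natd' hook.  natd works on plain IP headers; an
    ESP packet carries no visible ports, so it passes through untranslated."""
    if p.esp:
        return p
    return natd.outbound(p) if direction == "out" else natd.inbound(p)


def ipsec_encap(p: Packet) -> Packet:
    """Transport-mode ESP between gateway and peer hides the transport header."""
    return replace(p, esp=True)


def ipsec_decap(p: Packet) -> Packet:
    return replace(p, esp=False)


def gateway_out_4x(natd: Natd, p: Packet) -> Packet:
    """Output order: ipfw/natd first, then IPsec (as in the thread)."""
    return ipsec_encap(ipfw_divert(natd, p, "out"))


def gateway_in_4x(natd: Natd, p: Packet) -> Packet:
    """Input order: ipfw/natd sees only the ESP packet, then IPsec decrypts.
    The decrypted packet is delivered as-is; natd never gets a second look."""
    return ipsec_decap(ipfw_divert(natd, p, "in"))


def gateway_in_reinject(natd: Natd, p: Packet) -> Packet:
    """Assumed behaviour of the proposed fix: after decryption the inner
    packet is run through ipfw/natd once more."""
    return ipfw_divert(natd, ipsec_decap(ipfw_divert(natd, p, "in")), "in")


def peer_reply(p: Packet) -> Packet:
    """The peer answers the flow it saw; the reply is again ESP to the gateway."""
    return Packet(src=p.dst, dst=p.src, sport=p.dport, dport=p.sport, esp=True)


def simulate(reinject: bool) -> Packet:
    """Send one LAN connection out and return the reply as the gateway
    finally delivers it on the chosen input path."""
    natd = Natd(GATEWAY_PUBLIC)
    out = gateway_out_4x(natd, Packet(LAN_HOST, PEER, 51234, 80))
    reply = peer_reply(out)
    handler = gateway_in_reinject if reinject else gateway_in_4x
    return handler(natd, reply)


if __name__ == "__main__":
    print("4.x order  :", simulate(False))   # dst stays on the gateway address
    print("re-injected:", simulate(True))    # dst rewritten back to the LAN host
```

On the 4.x path the decrypted reply still carries the gateway's own address as its destination, so it is consumed (or dropped) on the gateway instead of being forwarded to the LAN host, which is exactly the "nat refuses to reverse the natting" symptom Charles reports.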
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3DAF73DE.1080307>