From owner-freebsd-net Fri Oct 18 3:48: 1 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BDC1B37B401 for ; Fri, 18 Oct 2002 03:47:59 -0700 (PDT)
Received: from femme.sapphite.org (pcp02268182pcs.longhl01.md.comcast.net [68.50.99.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3215A43E9E for ; Fri, 18 Oct 2002 03:47:50 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost [127.0.0.1]) by femme.sapphite.org (8.12.6/8.12.5) with ESMTP id g9IAm1hG002453; Fri, 18 Oct 2002 06:48:06 -0400 (EDT) (envelope-from trish@bsdunix.net)
Date: Fri, 18 Oct 2002 06:48:01 -0400 (EDT)
From: Trish Lynch
To: Jonathan Feally
Cc: Charles Henrich
Subject: Re: IPsec/NAT FreeBSD
In-Reply-To: <3DAF73DE.1080307@consult-scs.com>
Message-ID: <20021018064542.X491-100000@femme.sapphite.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Oct 2002, Jonathan Feally wrote:

> I think a solution to the problem would be to have ipsec processing take
> place both before and after ipfw (or ipf).
> Somebody else though will have to figure out how to make a custom kernel
> to do double ipsec processing because I'm not a C programmer.
>
> Hope somebody can make it happen, for both of us.
> - Jonathan
>
> Charles Henrich wrote:
>
> > I've run across your postings in the FreeBSD mailing lists, and it looks like
> > you're trying to do what I am trying to do. I was wondering if you had solved
> > it? That is, I have a nat'd network, and I want packets from any host on the
> > inside of the network to be ESP encapsulated after nat translation to one
> > particular host outside the network. It looks like it works, kinda. Packets
> > hit the gateway, are nat'd, are ESP encapsulated, and sent on their merry way.
> > Racoon even does a proper key exchange. On the return path however, the
> > packet is unencapsulated, but nat seems to refuse to reverse the natting?
> > Were you able to solve this problem?
> >
> > Thanks for any advice!

I don't let IPSEC packets be processed by natd through the divert socket; in fact I use ipfw skipto rules:

    00100 skipto 65535 ip from 66.80.117.2 to 64.14.48.150
    00200 skipto 65535 ip from 64.14.48.150 to 66.80.117.2
    00300 skipto 65535 ip from 10.80.116.0/23 to 10.0.0.0/24
    00400 skipto 65535 ip from 10.0.0.0/24 to 10.80.116.0/23
    00500 divert 8668 ip from any to any via fxp0
    65535 allow ip from any to any

It works well.

-Trish

--
Trish Lynch                                           trish@bsdunix.net
Ecartis Core Team                                trish@listmistress.org
EFNet IRC Oper @ efnet.dkom.at                           AilleCat@EFNet
UNIXNet IRC Admin @ femme.ipv6.sapphite.org            AilleCat@UNIXNet
Key fingerprint = C44E 8E63 6E3C 18BD 608F E004 9DC7 C2E9 0E24 DFBD

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
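The point of Trish's ruleset is ordering: ipfw evaluates rules by ascending number and stops at the first match, and a `skipto 65535` rule lets traffic between the two IPsec gateways (and between the two private subnets that ride inside the tunnel) jump straight to the final `allow`, so it never reaches the `divert` rule that hands packets to natd. The following is an added example, not code from the post or from FreeBSD; it is a small Python model of that first-match / skipto walk, with the ruleset from the post entered as data and a hypothetical `classify()` helper that reports which action a packet ends at. Packet addresses in the checks are constructed (the 192.0.2.0/24 documentation range stands in for an arbitrary Internet host), and the `via fxp0` match is modelled simply as "the packet is on interface fxp0".

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    number: int            # ipfw rule number; rules are walked in ascending order
    action: str            # "skipto", "divert" or "allow"
    arg: Optional[int]     # skipto target rule number, or divert port
    src: str               # source prefix ("0.0.0.0/0" models "any")
    dst: str               # destination prefix
    via: Optional[str] = None  # interface for a "via <ifname>" clause, if any


# The six rules quoted in the post, transcribed as data (constructed model).
RULES = [
    Rule(100, "skipto", 65535, "66.80.117.2/32", "64.14.48.150/32"),
    Rule(200, "skipto", 65535, "64.14.48.150/32", "66.80.117.2/32"),
    Rule(300, "skipto", 65535, "10.80.116.0/23", "10.0.0.0/24"),
    Rule(400, "skipto", 65535, "10.0.0.0/24", "10.80.116.0/23"),
    Rule(500, "divert", 8668, "0.0.0.0/0", "0.0.0.0/0", "fxp0"),
    Rule(65535, "allow", None, "0.0.0.0/0", "0.0.0.0/0"),
]


def matches(rule: Rule, src: str, dst: str, iface: str) -> bool:
    """Does this rule's address/interface selector match the packet?"""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.via is None or rule.via == iface))


def classify(src: str, dst: str, iface: str, rules=RULES) -> Tuple[str, Optional[int]]:
    """Walk the ruleset the way ipfw does: first matching rule wins, and a
    matching skipto resumes at the first rule numbered >= its target.
    Returns (terminal action, rule number that produced it)."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not matches(rule, src, dst, iface):
            i += 1
            continue
        if rule.action == "skipto":
            i = next(j for j, r in enumerate(ordered) if r.number >= rule.arg)
            continue
        return rule.action, rule.number
    # Unreachable with a 65535 catch-all present; real ipfw's default depends
    # on the kernel's default-accept/deny setting.
    return "deny", None


if __name__ == "__main__":
    # Constructed packets: the IPsec peers, an intra-tunnel flow, and an
    # ordinary outbound flow that should still be NATed.
    for pkt in [("66.80.117.2", "64.14.48.150", "fxp0"),
                ("10.0.0.7", "10.80.116.20", "fxp0"),
                ("10.0.0.7", "192.0.2.10", "fxp0"),
                ("10.0.0.7", "192.0.2.10", "rl0")]:
        print(pkt, "->", classify(*pkt))
```

Running it shows the split the post relies on: gateway-to-gateway ESP traffic and the inner 10.0.0.0/24 <-> 10.80.116.0/23 flows land on rule 65535 without touching natd, while a 10.0.0.7 -> 192.0.2.10 packet leaving fxp0 stops at rule 500 and is diverted. The model also makes the caveat visible: the skipto rules cover both directions of each pair, which is what keeps the return path out of natd as well.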