Date:      Fri, 18 Oct 2002 06:48:01 -0400 (EDT)
From:      Trish Lynch <trish@bsdunix.net>
To:        Jonathan Feally <vulture@consult-scs.com>
Cc:        Charles Henrich <henrich@sigbus.com>, <freebsd-net@FreeBSD.ORG>
Subject:   Re: IPsec/NAT FreeBSD
Message-ID:  <20021018064542.X491-100000@femme.sapphite.org>
In-Reply-To: <3DAF73DE.1080307@consult-scs.com>

On Thu, 17 Oct 2002, Jonathan Feally wrote:

>
> I think a solution to the problem would be to have ipsec processing take
> place both before and after ipfw (or ipf).
> Somebody else though will have to figure out how to make a custom kernel
> to do double ipsec processing because I'm not a C programmer.
>
> Hope somebody can make it happen, for both of us.
> - Jonathan
>
> Charles Henrich wrote:
>
> >I've run across your postings in the FreeBSD mailing lists, and it looks like
> >you're trying to do what I am trying to do.  I was wondering if you had solved
> >it?  That is, I have a nat'd network, and I want packets from any host on the
> >inside of the network to be ESP encapsulated after nat translation to one
> >particular host outside the network.  It looks like it works, kinda.  Packets
> >hit the gateway, are nat'd, are ESP encapsulated, and sent on their merry way.
> >Racoon even does a proper key exchange.  On the return path however, the
> >packet is unencapsulated, but nat seems to refuse to reverse the natting?
> >Were you able to solve this problem?
> >
> >Thanks for any advice!
> >

I don't let IPSEC packets be processed by natd through the divert socket;
in fact, I use ipfw skipto rules:

00100 skipto 65535 ip from 66.80.117.2 to 64.14.48.150
00200 skipto 65535 ip from 64.14.48.150 to 66.80.117.2
00300 skipto 65535 ip from 10.80.116.0/23 to 10.0.0.0/24
00400 skipto 65535 ip from 10.0.0.0/24 to 10.80.116.0/23
00500 divert 8668 ip from any to any via fxp0
65535 allow ip from any to any

It works well.

-Trish


--
Trish Lynch					   trish@bsdunix.net
Ecartis Core Team 			      trish@listmistress.org
EFNet IRC Oper @ efnet.dkom.at			      AilleCat@EFNet
UNIXNet IRC Admin @ femme.ipv6.sapphite.org	    AilleCat@UNIXNet
Key fingerprint = C44E 8E63 6E3C 18BD 608F  E004 9DC7 C2E9 0E24 DFBD



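Added example, not code from the post: a small Python model of how ipfw walks the ruleset above, to show why traffic between the IPsec peers and between the tunnelled networks never reaches natd's divert socket in either direction, while ordinary LAN-to-Internet traffic still does. It models source/destination matching only (the `via fxp0` interface qualifier is left out), and the `MISORDERED` ruleset is a constructed variant illustrating what happens if the divert rule is placed ahead of the skipto rules.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed ruleset mirroring the skipto/divert/allow pattern in the post:
# (rule number, action, action argument, source spec, destination spec).
Rule = Tuple[int, str, Optional[int], str, str]
RULES: List[Rule] = [
    (100, "skipto", 65535, "66.80.117.2", "64.14.48.150"),    # IPsec peers
    (200, "skipto", 65535, "64.14.48.150", "66.80.117.2"),
    (300, "skipto", 65535, "10.80.116.0/23", "10.0.0.0/24"),  # tunnelled nets
    (400, "skipto", 65535, "10.0.0.0/24", "10.80.116.0/23"),
    (500, "divert", 8668, "any", "any"),                      # natd
    (65535, "allow", None, "any", "any"),
]

# Hypothetical misordered variant (not from the post): natd's divert rule
# placed ahead of the skipto rules, so IPsec traffic is translated after all.
MISORDERED: List[Rule] = [(50, "divert", 8668, "any", "any")] + RULES[:4] + [RULES[5]]


def _matches(addr: str, spec: str) -> bool:
    """ipfw-style address match; 'any' matches everything."""
    net = "0.0.0.0/0" if spec == "any" else spec
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str) -> List[str]:
    """Walk the ruleset the way ipfw does and return the trace of actions.
    Rules are tried in numeric order and the first match acts: 'skipto N'
    resumes at the first rule numbered >= N; 'divert' hands the packet to
    natd, which re-injects it so processing resumes at the next rule;
    'allow'/'deny' terminate."""
    trace: List[str] = []
    i = 0
    while i < len(rules):
        num, action, arg, s, d = rules[i]
        if not (_matches(src, s) and _matches(dst, d)):
            i += 1
            continue
        if action == "skipto":
            trace.append(f"{num} skipto {arg}")
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
        elif action == "divert":
            trace.append(f"{num} divert {arg}")
            i += 1
        else:
            trace.append(f"{num} {action}")
            break
    return trace


def is_natted(rules: List[Rule], src: str, dst: str) -> bool:
    # True if the packet reaches natd's divert socket on its way through.
    return any(" divert " in step for step in evaluate(rules, src, dst))
```

Rule order is the whole point: with the divert rule first, the peer-to-peer traffic is handed to natd before the skipto can bypass it, which reproduces the "nat refuses to reverse" symptom on the return path.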