From owner-freebsd-net@FreeBSD.ORG Wed Jun 7 00:20:29 2006
Date: Wed, 07 Jun 2006 01:53:17 +0200
Message-ID: <863behaljm.wl%toni@stderror.at>
From: Toni Schmidbauer <toni@stderror.at>
To: Devin Heckman
Cc: freebsd-net@freebsd.org
In-Reply-To: <20060606000954.GF18733@rescomp.berkeley.edu>
References: <20060606000954.GF18733@rescomp.berkeley.edu>
Subject: Re: ipfw, IPSec, and natd
List-Id: Networking and TCP/IP with FreeBSD

At Mon, 5 Jun 2006 17:09:54 -0700, Devin Heckman wrote:
> I recently tried to set up a computer to act as a NAT using FreeBSD 6.1. ipfw
> functions as it should, as well as IPSec, but I've run into some problems when
> setting up the NAT. I have two computers behind it, both of which do not need to
> speak IPSec (and aren't configured to do so). The NAT computer should speak
> IPSec with one other computer, from which it mounts home directories via NFS.

please show us your spd entries (/etc/ipsec.conf), and depict your
network layout more clearly (e.g. sample ip-addresses for the nat
machine, nfs server, client machines...).

> When I enable natd, ipfw, and IPSec, the connection to the computer with which I
> speak IPSec breaks, but the NAT functions properly.

if your ipsec packets get rewritten by natd, ah will not work because
of the changes natd makes to the ip header. but i'm not sure if this
is your particular problem.

toni
-- 
If you understand what you're doing, you're | toni at stderror dot at
not learning anything.                      | Toni Schmidbauer
    -- Anonymous                            |
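As an added illustration of the AH point in the reply above (example code, not from the thread, FreeBSD or natd): it computes an AH integrity check value the way RFC 4302 describes, with the mutable IP header fields masked out, and shows that a router's TTL decrement still verifies while a natd source-address rewrite does not. The key, addresses and payload are constructed for the demonstration.

```python
import hmac, hashlib, struct, ipaddress

ICV_LEN = 12           # HMAC-SHA1-96 truncated ICV
AH_LEN = 12 + ICV_LEN  # fixed AH header fields + ICV
def ipv4_header(src, dst, total_len, ttl=64, proto=51):
    # Checksum left 0: AH treats it as mutable (zeroed for the ICV) and a real
    # stack recomputes it on every hop anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable(hdr):
    # RFC 4302: TOS, flags/fragment offset, TTL and header checksum are mutable and
    # are zeroed before the ICV is computed; source and destination address are NOT.
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\x00\x00"; b[8] = 0; b[10:12] = b"\x00\x00"
    return bytes(b)

def compute_icv(key, hdr, ah_no_icv, payload):
    # ICV covers the masked IP header, the AH header with its ICV field zeroed, and the payload.
    data = zero_mutable(hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, spi, seq, payload, next_hdr=17):
    hdr = ipv4_header(src, dst, 20 + AH_LEN + len(payload))
    # AH "payload length" field = AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return hdr + ah_no_icv + compute_icv(key, hdr, ah_no_icv, payload) + payload

def verify_ah(key, pkt):
    hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, hdr, ah_no_icv, payload))

def forward_hop(pkt):
    # An ordinary router hop: TTL decremented (a mutable field), so AH still verifies.
    b = bytearray(pkt); b[8] -= 1
    return bytes(b)

def natd_rewrite(pkt, new_src):
    # What natd does to an outbound packet: the source address (immutable under AH) is
    # replaced with the gateway's public address, so the peer's ICV check fails.
    b = bytearray(forward_hop(pkt)); b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real SA key comes from setkey/racoon
    pkt = build_ah_packet(key, "192.168.1.2", "198.51.100.20", 0x1000, 1, b"NFS request")
    print(verify_ah(key, pkt), verify_ah(key, forward_hop(pkt)),
          verify_ah(key, natd_rewrite(pkt, "203.0.113.1")))  # True True False
```

ESP does not protect the outer IP header, which is why an ESP SA (rather than AH) is what can survive address rewriting; a tcpdump on the outside interface showing the IPsec packets leaving with the gateway's address is the quick way to confirm natd is touching them.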