Date: Fri, 8 Apr 2016 10:55:06 +0100
Subject: Re: IPSEC tunnels
From: krad
To: Wojciech Puchar
Cc: freebsd-hackers@freebsd.org

I did do it once a long time ago, and it did work, but remember you are dealing with layer 3 so you can't use normal port forwarding for the tunnel traffic. The key exchange is less problematic. It was a bit of a headache, and if you can avoid the NAT you will be far better off.

On 8 April 2016 at 06:50, Wojciech Puchar wrote:

> does anyone use this in production? How about performance. OpenVPN
> performance is poor due to system call/context switch on every packet.
>
> I found lots of examples how to configure it, but none where one side is
> over NAT. Can it be configured that way? Any examples?
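The layer 3 point in the reply above, as an added example that is not part of the original thread: ESP is IP protocol 50 and has no port fields, while the IKE key exchange is ordinary UDP on port 500. The example goes beyond the post by also covering UDP encapsulation on port 4500 (RFC 3948), which the thread does not mention; all packets and addresses are constructed samples.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
IKE_PORT, NATT_PORT = 500, 4500  # NATT_PORT: RFC 3948 UDP encapsulation

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def udp(sport, dport, data):
    """Build a UDP datagram (checksum 0 = not computed)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Return (kind, port_forwardable) for a packet arriving at a NAT gateway."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_ESP:
        # ESP sits directly on IP: SPI and sequence number, no port fields,
        # so a port-forwarding rule has nothing to match on.
        return ("esp", False)
    if proto == IPPROTO_UDP and len(body) >= 8:
        dport = struct.unpack("!H", body[2:4])[0]
        data = body[8:]
        if dport == IKE_PORT:
            return ("ike", True)
        if dport == NATT_PORT:
            if data == b"\xff":
                return ("natt-keepalive", True)
            if data[:4] == b"\x00" * 4:      # non-ESP marker precedes IKE
                return ("ike-natt", True)
            return ("esp-in-udp", True)       # non-zero SPI follows UDP header
    return ("other", proto in (IPPROTO_TCP, IPPROTO_UDP))

ESP = struct.pack("!II", 0x1000, 1) + b"\xaa" * 16   # SPI, seq, opaque bytes
SAMPLES = {  # constructed packets, not captured traffic
    "ike": ipv4(IPPROTO_UDP, udp(500, 500, b"\x00" * 28)),
    "esp": ipv4(IPPROTO_ESP, ESP),
    "ike-natt": ipv4(IPPROTO_UDP, udp(4500, 4500, b"\x00" * 4 + b"\x01" * 28)),
    "esp-in-udp": ipv4(IPPROTO_UDP, udp(4500, 4500, ESP)),
    "natt-keepalive": ipv4(IPPROTO_UDP, udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```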