From owner-freebsd-net Fri Jan 4 15:51:09 2002
Delivered-To: freebsd-net@freebsd.org
Received: from artemis.drwilco.net (artemis.drwilco.net [209.167.6.62]) by hub.freebsd.org (Postfix) with ESMTP id 12C9937B419 for ; Fri, 4 Jan 2002 15:51:07 -0800 (PST)
Received: from ceres.drwilco.net (docwilco.xs4all.nl [213.84.68.230]) by artemis.drwilco.net (8.11.6/8.11.6) with ESMTP id g04Np4R76009 (using TLSv1/SSLv3 with cipher DES-CBC3-SHA (168 bits) verified NO); Fri, 4 Jan 2002 18:51:06 -0500 (EST) (envelope-from drwilco@drwilco.net)
Message-Id: <5.1.0.14.0.20020105005712.01cdcc50@mail.drwilco.net>
X-Sender: lists@mail.drwilco.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sat, 05 Jan 2002 00:59:58 +0100
To: "Cambria, Mike"
From: "Rogier R. Mulhuijzen"
Subject: Re: TCP connection via IPsec machine also running natd
Cc: freebsd-net@freebsd.org
In-Reply-To: <3A6D367EA1EFD4118C9B00A0C9DD99D7065399@rerun.lucentctc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk

>As I said earlier, packets which route through ipfw/natd get unencrypted and
>make it to the remote subnet just fine.
>
>Looking at 'ipfw -a l' it seems that the ESP packets are being received
>_after_ being diverted to natd, but just not sent to the socket:

I'm no IPsec expert (still something I need to look into), but something that springs to mind is to allow the packet before the natd divert. I couldn't say why this would work (since natd shouldn't touch the packet, and you say other packets go through fine), but it's just a hunch =)

DocWilco
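The rule ordering DocWilco suggests, written out as an added example that is not part of the original thread and does not come from either poster: ipfw evaluates rules in ascending rule-number order, so an `allow` for ESP, AH and IKE (UDP 500) numbered below the `divert` rule is matched before natd ever sees the packet. The outside interface name `fxp0` and the divert port 8668 (natd's default) are assumptions for the example; the `check_order` function only inspects the generated ruleset, and nothing here touches a live firewall unless `load_rules` is called on a FreeBSD box.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed values: adjust to the real host.
ext_if=fxp0          # assumed outside interface
natd_port=8668       # natd's default divert port (assumed unchanged)

# Emit the ruleset in evaluation order: IPsec traffic is allowed (rules 100-120)
# before the natd divert (rule 200), so natd never receives ESP/AH/IKE packets.
ipsec_before_natd_rules() {
    cat <<EOF
add 100 allow esp from any to any via $ext_if
add 110 allow ah from any to any via $ext_if
add 120 allow udp from any to any 500 via $ext_if
add 200 divert $natd_port ip from any to any via $ext_if
add 300 allow ip from any to any
EOF
}

# Rule number of the divert rule, as generated above.
divert_rule_number() {
    ipsec_before_natd_rules | awk '$3 == "divert" { print $2; exit }'
}

# Sanity check: every rule that allows IPsec traffic (esp, ah, or udp port 500)
# must carry a lower number than the divert rule. Exit status 0 means the order is right.
check_order() {
    d=$(divert_rule_number)
    ipsec_before_natd_rules | awk -v d="$d" '
        $3 == "allow" && ($4 == "esp" || $4 == "ah" || ($4 == "udp" && $9 == "500")) \
            && $2 + 0 >= d + 0 { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Load the rules into a running ipfw (FreeBSD only; not run by default).
# Afterwards `ipfw -a list` shows per-rule packet counters, which is the same
# view the original poster used to see where the ESP packets were being counted.
load_rules() {
    check_order || { echo "refusing to load: IPsec allow rules are not ahead of the divert" >&2; return 1; }
    ipsec_before_natd_rules | while read -r line; do
        ipfw -q $line
    done
}
```

Run `check_order` (or `load_rules` on the gateway itself) after editing the rule numbers; if the counters in `ipfw -a list` then increment on rules 100-120 rather than on the divert rule, the ESP packets are no longer being handed to natd.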