Date: Sun, 1 Oct 2000 13:09:22 +0800 (+0800)
From: Michael Robinson <robinson@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: KAME IPSEC with ipnat
Message-ID: <200010010509.e9159MK03344@netrinsics.com>
Just a pointer for anyone trying to get KAME IPSEC to work with ipnat:

In order for the IPSEC "tunnellization" policy to take effect on a packet, it has to be routed to an interface. In many cases, you'll want your VPN gateway to also serve as a NAT gateway. However, ipnat only supports source address based policies; everything going out your outbound interface will be natified before it can be tunnelized, and a natified packet won't match your tunnelization policy.

The simple solution is to route tunnel-bound VPN packets to the loopback interface:

    % route add 172.16.0.0 -netmask 0xffffff00 -interface lo0

These packets then get intercepted by the IPSEC layer, encapsulated, and sent out according to the SPD configuration.

-Michael Robinson
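The ordering problem the mail describes, as an added model that is not part of the original post: route lookup first, then ipnat on the external interface, then the KAME SPD check. The interface name fxp0, the ipnat map rule, the SPD entry and the addresses 203.0.113.1/203.0.113.2 are constructed assumptions; the 172.16.0.0/24 route to lo0 is the one from the mail.

```python
# Model of the outbound path on a combined VPN/NAT gateway, as described in
# the mail: packets are routed, ipnat rewrites the source on the external
# interface, and only then is the SPD consulted. Constructed for illustration.
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed inside network
VPN = ipaddress.ip_network("172.16.0.0/24")      # remote network from the mail
EXT_ADDR, PEER = "203.0.113.1", "203.0.113.2"    # assumed gateway / VPN peer
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

ROUTES_BROKEN = {DEFAULT: "fxp0"}                # everything leaves via fxp0
ROUTES_FIXED = {DEFAULT: "fxp0", VPN: "lo0"}     # route add 172.16.0.0 ... -interface lo0

def route_lookup(pkt, routes):
    """Longest-prefix match on the destination; returns the egress interface."""
    dst = ipaddress.ip_address(pkt["dst"])
    best = max((n for n in routes if dst in n), key=lambda n: n.prefixlen)
    return routes[best]

def ipnat(pkt, iface):
    """Assumed rule: map fxp0 192.168.1.0/24 -> 203.0.113.1/32 (source-based only)."""
    if iface == "fxp0" and ipaddress.ip_address(pkt["src"]) in LAN:
        return dict(pkt, src=EXT_ADDR, natted=True)
    return pkt

def spd_match(pkt):
    """Assumed SPD: spdadd 192.168.1.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/..."""
    return (ipaddress.ip_address(pkt["src"]) in LAN
            and ipaddress.ip_address(pkt["dst"]) in VPN)

def send(pkt, routes):
    """Return the packet as it leaves the box; proto 'esp' means it was tunnelled."""
    iface = route_lookup(pkt, routes)
    pkt = ipnat(pkt, iface)                      # NAT happens before the SPD check
    if spd_match(pkt):
        # Encapsulate and re-enter ip_output with the outer (gateway -> peer) header.
        outer = {"src": EXT_ADDR, "dst": PEER, "proto": "esp", "inner": pkt}
        return send(outer, routes)
    return dict(pkt, iface=iface)

if __name__ == "__main__":
    vpn_pkt = {"src": "192.168.1.10", "dst": "172.16.0.5", "proto": "tcp"}
    print("without lo0 route:", send(vpn_pkt, ROUTES_BROKEN))   # natted, sent in clear
    print("with lo0 route:   ", send(vpn_pkt, ROUTES_FIXED))    # ESP to the peer
```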