Date: Sun, 1 Oct 2000 13:09:22 +0800 (+0800)
From: Michael Robinson <robinson@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: KAME IPSEC with ipnat
Message-ID: <200010010509.e9159MK03344@netrinsics.com>
Just a pointer for anyone trying to get KAME IPSEC to work with ipnat:
In order for the IPSEC "tunnellization" policy to take effect on a packet, it
has to be routed to an interface. In many cases, you'll want your VPN gateway
to also serve as a NAT gateway. However, ipnat only supports source address
based policies; everything going out your outbound interface will be natified
before it can be tunnelized, and a natified packet won't match your
tunnelization policy. The simple solution is to route tunnel-bound VPN
packets to the loopback interface:
% route add 172.16.0.0 -netmask 0xffffff00 -interface lo0
These packets then get intercepted by the IPSEC layer, encapsulated, and sent
out according to the SPD configuration.
-Michael Robinson
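A worked version of the setup described in the message above, added here as an example; it is not part of the original post and not KAME or FreeBSD project code. It generates the three pieces a practitioner needs on the gateway (the setkey(8) tunnel policies, the ipnat(8) map rule, and the lo0 route for the remote network) and includes a check that parses `route -n get` output to confirm the route really lands on lo0. The interface name fxp0, the LAN 192.168.1.0/24 and the gateway addresses 203.0.113.1 / 198.51.100.1 are assumptions for illustration; only the remote network 172.16.0.0/24 comes from the post. The sample `route -n get` transcript is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the KAME/FreeBSD projects).
# Generates config for a FreeBSD gateway that does both ipnat and KAME IPsec
# tunnelling, and checks that the VPN route points at lo0.
# Addresses, interface and the sample route output below are assumptions.

LAN_NET="192.168.1.0/24"      # inside network behind this gateway (assumed)
REMOTE_NET="172.16.0.0/24"    # remote VPN network (from the post's route command)
LOCAL_GW="203.0.113.1"        # this gateway's public address (assumed)
REMOTE_GW="198.51.100.1"      # peer gateway's public address (assumed)
EXT_IF="fxp0"                 # outbound (NAT) interface (assumed)

# setkey(8) SPD: tunnel LAN<->REMOTE traffic in ESP between the two gateways.
# The "out" policy is what the packet must hit before ipnat ever sees it.
gen_setkey_conf() {
    cat <<EOF
spdflush;
spdadd $LAN_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LAN_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# ipnat(8): translate only packets sourced from the LAN and leaving via $EXT_IF.
# The ESP packets the IPsec layer emits are sourced from $LOCAL_GW, so they do
# not match this rule and leave $EXT_IF untranslated.
gen_ipnat_conf() {
    cat <<EOF
map $EXT_IF $LAN_NET -> $LOCAL_GW/32 portmap tcp/udp 10000:60000
map $EXT_IF $LAN_NET -> $LOCAL_GW/32
EOF
}

# Prefix length (0..32) to the hex netmask route(8) accepts, e.g. 24 -> 0xffffff00.
prefix_to_mask() {
    bits=$1
    if [ "$bits" -eq 0 ]; then printf '0x%08x\n' 0; return; fi
    printf '0x%08x\n' $(( (0xffffffff << (32 - bits)) & 0xffffffff ))
}

# The trick from the post: route the remote network at lo0 so the packet is
# "routed to an interface" (SPD consulted, tunnel applied) without passing
# through ipnat on $EXT_IF in the clear.
vpn_route_cmd() {
    net=${REMOTE_NET%/*}
    mask=$(prefix_to_mask "${REMOTE_NET##*/}")
    echo "route add -net $net -netmask $mask -interface lo0"
}

# Check: given the text of `route -n get <remote host>`, return 0 only if the
# selected interface is lo0. Run this after adding the route.
route_goes_via_lo0() {
    printf '%s\n' "$1" |
        awk '$1 == "interface:" { found = ($2 == "lo0") } END { exit !found }'
}

# Constructed sample of `route -n get 172.16.0.1` on a correctly configured box.
SAMPLE_ROUTE_GET_OK='   route to: 172.16.0.1
destination: 172.16.0.0
       mask: 255.255.255.0
  interface: lo0
      flags: <UP,DONE,STATIC>'

# Constructed sample of the misconfigured case: default route via the NAT interface.
SAMPLE_ROUTE_GET_BAD='   route to: 172.16.0.1
destination: default
       mask: default
    gateway: 203.0.113.254
  interface: fxp0
      flags: <UP,GATEWAY,DONE,STATIC>'
```

Usage: `gen_setkey_conf | setkey -f /dev/stdin` (or write it to /etc/ipsec.conf and run `setkey -f` on it), `gen_ipnat_conf > /etc/ipnat.rules && ipnat -CF -f /etc/ipnat.rules`, then run the command printed by `vpn_route_cmd` as root. Afterwards `route -n get 172.16.0.1` should show `interface: lo0` (which `route_goes_via_lo0` checks) and `setkey -DP` should list both policies. Because the ipnat map rule matches on the LAN source range, the ESP packets that leave fxp0 with the gateway's own address as source are not translated, so no second rule is needed for the encapsulated traffic.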
