From owner-freebsd-pf@FreeBSD.ORG Wed Dec 25 21:35:48 2013
Date: Wed, 25 Dec 2013 22:35:47 +0100
From: Ermal Luçi
Sender: ermal.luci@gmail.com
To: "Bjoern A. Zeeb"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: nat before ipsec ...
References: <20131225200950.21787@relay.ibs.dn.ua> <1388002486.266885449.d63pm7a2@frv34.ukr.net> <20131225223332.32019@relay.ibs.dn.ua>
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-BeenThere: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1

Hello,

just use the ipsec-tools port from here
https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/ipsec-tools-0.8.1 .
You need to specify the sainfo with the original subnet, in braces the natted subnet, and the remote subnet.
Then enter SPD policies related to the local network and remote for out, and the natted subnet and remote subnet for in.
Also create whatever nat/rdr/binat rules with pf on the enc interface.

It's almost the same solution as here
http://undeadly.org/cgi?action=article&sid=20090127205841
but in this case racoon was modified to accept the syntax for the natted subnet, and the different policies for in and out are not a problem in FreeBSD.

The other easy way is to set up a pfSense VM, create your config from the GUI and get the relevant configs in /var/etc/ipsec.

On Wed, Dec 25, 2013 at 10:12 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

> On Wed, 25 Dec 2013, Zeus Panchenko wrote:
>
>> wishmaster wrote:
>>
>>> If I understand you correctly, you want binat inside IPSec and
>>> that would not really work as policies wouldn't match easily.
>>
>> I'm not sure ... what I want is to nat packets from net A before they
>> are entering IPSec, as if they originate not on the FreeBSD host
>>
>> so, they enter IPSec already as net B packets ...
>
> If nothing has changed and no one implemented inside NAT for pf (or
> ported it) it cannot do it; I used to do it with ipfw ages ago, but
> back then it still required a third policy if I remember correctly.
> There should be some posting from me on net@ or ipfw@ from sometime in
> the last decade.
>
> /bz
>
> --
> Bjoern A. Zeeb
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Ermal
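The layout Ermal describes above (an outbound SPD policy for the original subnet, an inbound SPD policy for the natted subnet, and a pf binat rule on the enc interface), written out as an added configuration example. This is not code from the thread, from FreeBSD or from the pfSense port. All addresses are constructed: net A 192.168.1.0/24 is the real LAN, net B 10.99.1.0/24 is the subnet the peer sees, 172.16.5.0/24 is the remote subnet, and 203.0.113.1 / 198.51.100.1 are the local and remote tunnel endpoints. The setkey and pf.conf parts use standard FreeBSD syntax; the parenthesised sainfo form is only an assumption about the patched racoon's syntax, reconstructed from Ermal's description, and must be checked against the port itself.

```conf
# --- racoon.conf, phase 2 only (constructed example) ---
# Stock ipsec-tools syntax: the peer negotiates net B (the natted subnet)
# against the remote subnet, so the far side never needs to know net A.
sainfo address 10.99.1.0/24 any address 172.16.5.0/24 any
{
        pfs_group 14;
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
# ASSUMED syntax for the patched port from the thread (original subnet,
# natted subnet in parentheses, remote subnet). Verify against the port:
# sainfo address 192.168.1.0/24 (10.99.1.0/24) any address 172.16.5.0/24 any { ... }

# --- /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf ---
# "out" matches the packet as it leaves net A, i.e. before pf rewrites the
# source on enc0; "in" matches the decapsulated packet still addressed to
# net B, i.e. before pf rewrites the destination back to net A.
spdflush;
spdadd 192.168.1.0/24 172.16.5.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 172.16.5.0/24 10.99.1.0/24  any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;

# --- /etc/pf.conf fragment, loaded with: pfctl -f /etc/pf.conf ---
# binat is bidirectional: outbound on enc0 it maps 192.168.1.x -> 10.99.1.x,
# inbound it maps 10.99.1.x -> 192.168.1.x. Only traffic to the remote
# subnet is translated; everything else on enc0 is left alone.
binat on enc0 from 192.168.1.0/24 to 172.16.5.0/24 -> 10.99.1.0/24

# Translation runs before the filter rules, so the filter sees the
# translated addresses: the natted source outbound, the real LAN inbound.
pass out on enc0 from 10.99.1.0/24   to 172.16.5.0/24 keep state
pass in  on enc0 from 172.16.5.0/24 to 192.168.1.0/24 keep state
```

Two checks are worth running before trusting this: pf only sees enc0 traffic at all when the enc filter points are enabled (the net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask sysctls control whether filtering happens before or after the IPsec processing), and the exact address the inbound policy check sees depends on which of those points pf hooks. So confirm the installed policies with `setkey -DP`, the translation with `pfctl -s nat`, and the resulting states with `pfctl -s state` rather than assuming the inbound policy direction from this example.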