Date: Wed, 25 Dec 2013 22:35:47 +0100
From: Ermal Luçi <eri@freebsd.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: nat before ipsec ...
Message-ID: <CAPBZQG3vvXJCozE5uhqPUFyZF3QcG8-esEB0V92pUgSPtcqG%2BQ@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1312252101370.4409@ai.fobar.qr>
References: <20131225200950.21787@relay.ibs.dn.ua> <1388002486.266885449.d63pm7a2@frv34.ukr.net> <20131225223332.32019@relay.ibs.dn.ua> <alpine.BSF.2.00.1312252101370.4409@ai.fobar.qr>
Hello,

just use the ipsec-tools port from here:
https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/ipsec-tools-0.8.1

You need to specify the sainfo with the original subnet, in braces the natted subnet, and the remote subnet. Then enter spd policies related to the local network and remote for out, and the natted subnet and remote subnet for in. Also create whatever nat/rdr/binat rules with pf on the enc interface.

It's almost the same solution as here http://undeadly.org/cgi?action=article&sid=20090127205841 but in this case racoon was modified to accept the syntax for the natted subnet, and the different policies for in and out are not a problem in FreeBSD.

The other easy way is to set up a pfSense VM, create your config from the GUI and get the relevant configs in /var/etc/ipsec.

On Wed, Dec 25, 2013 at 10:12 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

> On Wed, 25 Dec 2013, Zeus Panchenko wrote:
>
>> wishmaster <artemrts@ukr.net> wrote:
>>
>>> If I understand you correctly, you want binat inside IPSec and
>>> that would not really work as policies wouldn't match easily.
>>
>> I'm not sure ... what I want is to nat packets from net A before they
>> are entering IPSec, as if they originate not on the freebsd host
>>
>> so, they enter IPSec already as net B packets ...
>
> If nothing has changed and no one implemented inside NAT for pf (or
> ported it) it cannot do it; I used to do it with ipfw ages ago, but
> back then it still required a third policy if I remember correctly.
> There should be some posting from me on net@ or ipfw@ from sometime in
> the last decade.
>
> /bz
>
> --
> Bjoern A. Zeeb
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Ermal
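The SPD/pf split Ermal describes (outbound policy on the real local subnet, inbound policy on the natted subnet, binat on enc0 doing the translation in between), written out as an added example that is not part of the post. All addresses are constructed; the racoon sainfo line is left out because the patched syntax is not spelled out in the message, and the example assumes pf filters the cleartext side of enc0 (see enc(4)).

```shell
#!/bin/sh
# Constructed example addresses (not from the mailing-list thread):
#   LOCAL_NET  - real local network (net A) behind this FreeBSD gateway
#   NAT_NET    - what the remote side must see as our network (net B)
#   REMOTE_NET - network behind the IPsec peer
#   LOCAL_GW / REMOTE_GW - the two tunnel endpoints
LOCAL_NET="192.168.1.0/24"
NAT_NET="10.99.0.0/24"
REMOTE_NET="172.16.0.0/24"
LOCAL_GW="198.51.100.1"
REMOTE_GW="203.0.113.1"

# setkey(8) SPD entries following the post: the "out" policy matches the
# original local subnet because the SPD lookup happens before pf rewrites
# the source on enc0; the "in" policy matches the natted subnet because
# the decrypted packet is checked against the SPD before pf un-translates it.
spd_policies() {
    cat <<EOF
spdflush;
spdadd ${LOCAL_NET} ${REMOTE_NET} any -P out ipsec esp/tunnel/${LOCAL_GW}-${REMOTE_GW}/require;
spdadd ${REMOTE_NET} ${NAT_NET} any -P in ipsec esp/tunnel/${REMOTE_GW}-${LOCAL_GW}/require;
EOF
}

# pf.conf(5) rules for enc0: binat maps LOCAL_NET <-> NAT_NET in both
# directions. pf translates before it filters, so the outbound pass rule
# sees the natted source and the inbound pass rule sees the real destination.
pf_rules() {
    cat <<EOF
binat on enc0 from ${LOCAL_NET} to ${REMOTE_NET} -> ${NAT_NET}
pass out on enc0 from ${NAT_NET} to ${REMOTE_NET}
pass in on enc0 from ${REMOTE_NET} to ${LOCAL_NET}
EOF
}

# Loads both pieces on the gateway (root required; not called here so the
# file can be sourced safely). The remote peer only ever sees NAT_NET.
apply_policies() {
    ifconfig enc0 up
    spd_policies | setkey -c
    pf_rules | pfctl -a natbeforeipsec -f -
}
```

The anchor name `natbeforeipsec` is arbitrary; the main ruleset still needs a matching `anchor "natbeforeipsec"` line, or the rules can be merged into it directly.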