From owner-freebsd-current@FreeBSD.ORG Mon Mar 15 23:28:25 2004
Date: Mon, 15 Mar 2004 23:12:42 -0800
From: "Crist J. Clark"
To: Neil Fenemor
cc: freebsd-current@freebsd.org
Subject: Re: IPSec/NAT/Gateway Query
Message-ID: <20040316071242.GA18433@blossom.cjclark.org>
In-Reply-To: <1079038531.29695.2.camel@acer>
References: <1079038531.29695.2.camel@acer>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
List-Id: Discussions about the use of FreeBSD-current

On Fri, Mar 12, 2004 at 09:55:31AM +1300, Neil Fenemor wrote:
[snip]
> What I'm having an issue with is if the "client" has a range of RFC 1918
> addresses behind it, and I have to introduce NAT into the equation.
>
> I've best tracked it down to the order that the kernel looks at the
> packets to decide what to do with it.
>
> This is where I stand at the moment.
>
> x.y.z.11 -> x.y.z.254 : works perfectly
> x.y.z.11 -> x.y.z.254 -> 0.0.0.0 : works perfectly
> rfc 1918 -> x.y.z.11 -> x.y.z.254 : Fails
> rfc 1918 -> x.y.z.11 -> x.y.z.254 -> 0.0.0.0 : Fails

Why not do IPsec between x.y.z.11 and x.y.z.254 in tunnel mode and do
the NAT on the host with the x.y.z.254 interface?

If you want to do the NAT on x.y.z.11, you can "trick" it into doing NAT
before IPsec by doing some of the ol' gif(4)-IPsec gymnastics.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
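The ordering problem behind the poster's table, and the two fixes in the reply, as an added toy model (not code from the thread or from FreeBSD): the outbound path is a list of steps, and a packet is only protected if its addresses match an SPD selector at the moment the lookup runs. 203.0.113.11/.254 stand in for x.y.z.11/x.y.z.254, 192.168.1.0/24 is an assumed RFC 1918 range, and "ipsec before nat" models the kernel doing the SPD lookup before the natd divert on the outside interface, as the thread describes.

```python
from ipaddress import ip_address, ip_network

CLIENT, GATEWAY = "203.0.113.11", "203.0.113.254"  # stand-ins for x.y.z.11 / x.y.z.254
LAN = "192.168.1.0/24"                              # constructed RFC 1918 range behind the client

def spd_match(spd, pkt):
    """First SPD entry whose selectors cover pkt (setkey spdadd order); its mode or None."""
    for src, dst, proto, mode in spd:
        if (ip_address(pkt["src"]) in ip_network(src) and ip_address(pkt["dst"]) in ip_network(dst)
                and proto in ("any", pkt["proto"])):
            return mode
    return None

def nat(pkt):
    """natd on the client: rewrite a private source address to the client's public one."""
    return dict(pkt, src=CLIENT) if ip_address(pkt["src"]) in ip_network(LAN) else pkt

def gif_encap(pkt):
    """gif(4): IP-in-IP between the two public peers, whatever was routed into the tunnel."""
    return {"src": CLIENT, "dst": GATEWAY, "proto": "ipencap", "inner": pkt}

def outbound(pkt, steps, spd):
    """Run pkt through the named steps in order ('ipsec' = the SPD lookup); return mode applied."""
    mode = None
    for step in steps:
        if step == "nat":
            pkt = nat(pkt)
        elif step == "gif":
            pkt = gif_encap(pkt)
        elif step == "ipsec":
            mode = spd_match(spd, pkt)
    return mode

# (src net, dst net, proto, mode), the selectors you would give setkey(8) spdadd
TRANSPORT_SPD = [(CLIENT + "/32", GATEWAY + "/32", "any", "transport")]     # host-to-host only
TUNNEL_SPD = [(LAN, "0.0.0.0/0", "any", "tunnel")]                          # reply's first suggestion
GIF_SPD = [(CLIENT + "/32", GATEWAY + "/32", "ipencap", "transport")]      # protects gif's IP-in-IP

LAN_PKT = {"src": "192.168.1.5", "dst": "198.51.100.7", "proto": "tcp"}   # constructed LAN host -> Internet
HOST_PKT = {"src": CLIENT, "dst": GATEWAY, "proto": "tcp"}

def scenario(name):
    """Each case mirrors a row of the poster's table or one of the reply's two suggestions."""
    cases = {
        "host": (HOST_PKT, ["ipsec", "nat"], TRANSPORT_SPD),           # x.y.z.11 -> x.y.z.254: works
        "lan-transport": (LAN_PKT, ["ipsec", "nat"], TRANSPORT_SPD),   # rfc1918 -> ...: no policy matches
        "lan-tunnel": (LAN_PKT, ["ipsec"], TUNNEL_SPD),                # tunnel mode, NAT moved to x.y.z.254
        "lan-gif": (LAN_PKT, ["nat", "gif", "ipsec"], GIF_SPD),        # NAT on gif0, encapsulate, then SPD
    }
    return outbound(*cases[name])
```

A `None` result is the "Fails" row: the private source never matches the host-to-host selector, so the packet leaves without IPsec processing.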