From: Erwan Arzur <erwan@netvalue.com>
Organization: NetValue S.A.
Date: Thu, 20 Apr 2000 18:10:09 +0200
To: itojun@iijlab.net
Cc: Muhammad Najib, freebsd-security@FreeBSD.ORG
Subject: Re: VPN using IPSec
Message-ID: <38FF2BE1.FBBCBF1@netvalue.com>
References: <11595.956240178@coconut.itojun.org>

> >- at the same time allow Internet connectivity throughout the world
> >using NAT
> >
> >I have understood from the doc that I need to use the 'tunnel mode'
> >instead to achieve this. I followed the documentation in the handbook
> >(http://www.freebsd.org/handbook/ipsec.html) but failed. Here are the
> >conf files:
>
> NAT - IPsec interaction will be very tricky, so I will not talk about
> that.
I tried for hours to get the same kind of network setup as the original poster, and did not understand why ICMP packets were coming in to the gateway normally through the tunnel while the responses were always sent without any kind of encapsulation, until I discovered that all these packets were NATed, and thus never matched by the SPD ... NAT is not your friend when you try to set up an IPsec tunnel.

--
UNIX *IS* user friendly. It's just selective about who its friends are.
--unknown
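The failure Erwan describes, modelled as an added Python example (not code from the post, the handbook or FreeBSD): an outbound SPD selector matches on the private LAN source, so a reply packet whose source has already been rewritten by NAT no longer matches and leaves in the clear. The addresses, the LAN/tunnel topology and the `exempt` list are constructed assumptions; the fix modelled is exempting traffic destined for the remote LAN from NAT so the SPD still sees the original source.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): local LAN behind this gateway, remote LAN
# behind the IPsec peer, gateways speaking ESP in tunnel mode to each other.
LOCAL_LAN = ip_network("10.1.0.0/24")
REMOTE_LAN = ip_network("10.2.0.0/24")
GW_PUBLIC = ip_address("203.0.113.1")   # address the NAT rewrites sources to

# Outbound SPD entry in the spirit of a setkey "spdadd" rule:
# traffic from LOCAL_LAN to REMOTE_LAN must be ESP-encapsulated.
SPD_OUT = [(LOCAL_LAN, REMOTE_LAN, "ipsec esp/tunnel")]


def spd_lookup(src, dst):
    """Return the matching outbound policy, or None (packet leaves unprotected)."""
    for sel_src, sel_dst, policy in SPD_OUT:
        if src in sel_src and dst in sel_dst:
            return policy
    return None


def source_nat(src, dst, exempt=()):
    """Rewrite the source to the gateway's public address unless dst is exempted."""
    if any(dst in net for net in exempt):
        return src
    return GW_PUBLIC


def gateway_output(src, dst, nat_before_spd, exempt=()):
    """Simulate the gateway's output path and return the policy applied.

    nat_before_spd=True models the ordering that bit the poster: NAT runs
    first, so the SPD is consulted with the already-rewritten source.
    """
    src, dst = ip_address(src), ip_address(dst)
    if nat_before_spd:
        src = source_nat(src, dst, exempt)
    return spd_lookup(src, dst)


if __name__ == "__main__":
    # ICMP echo reply from a LAN host back to the remote LAN.
    print(gateway_output("10.1.0.5", "10.2.0.7", nat_before_spd=False))
    print(gateway_output("10.1.0.5", "10.2.0.7", nat_before_spd=True))
    print(gateway_output("10.1.0.5", "10.2.0.7", nat_before_spd=True,
                         exempt=(REMOTE_LAN,)))
```

The second call returns `None`: the reply has become `203.0.113.1 -> 10.2.0.7`, which no selector covers, so it is sent unencapsulated exactly as observed; the third call shows the NAT exemption restoring the match.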