From owner-freebsd-net@FreeBSD.ORG Fri Mar 7 12:15:59 2014
From: Eric Masson
To: "John W. O'Brien"
Cc: Mailing List FreeBSD Network
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
In-Reply-To: <53193371.4090603@saltant.com> (John W. O'Brien's message of "Thu, 06 Mar 2014 21:48:17 -0500")
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> <53193371.4090603@saltant.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
X-Operating-System: FreeBSD 9.2-RELEASE-p3 amd64
Date: Fri, 07 Mar 2014 13:15:52 +0100
Message-ID: <8661nqmcg7.fsf@srvbsdfenssv.interne.associated-bears.org>
List-Id: Networking and TCP/IP with FreeBSD

"John W. O'Brien" writes:

Hi John,

> You also need to perform NAT processing on the traffic that returns to
> gateway1 from gateway2.
>
> $cmd add 200 nat 100 all from 192.168.21.0/24 to 172.16.0.1

I've been privately told about the return rule (I'm used to pf, not ipfw), but no luck.

Seems that http://www.freebsd.org/cgi/query-pr.cgi?pr=185876, as stated by Philipp, could be a good candidate to explain failures even with the return rule set up.

> I'm curious to learn whether this is sufficient. I haven't tested any
> combination of NAT and IPsec.

bz@ seems to have used this kind of setup for a looong time ;)

Regards

Éric

--
This is a multi-part message in MIME format. ... Content-Transfer-Encoding: quoted-printable ... I'M FED UP WITH THE A... WHO DON'T RESPECT THE CHARTERS
-+- R in: Guide du neuneu Usenet - respecting your netiquette properly -+-
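The two-direction requirement John points out, as an added example that is not part of the thread: a small ipfw rule script in the same `$cmd` style that installs the nat instance, the outbound rule and the return rule, plus a check that scans `ipfw list` output and reports which of the two NAT rules is missing. The local LAN 10.0.0.0/24 is an assumption (the original post is not quoted here), and the listing the check runs against is constructed.

```shell
#!/bin/sh
# Added example: ipfw NAT before the IPsec tunnel, in both directions.
# Assumed topology: local LAN 10.0.0.0/24 is hidden behind 172.16.0.1
# before packets enter the tunnel towards the remote LAN 192.168.21.0/24.
cmd="ipfw -q"
local_lan="10.0.0.0/24"      # assumption, not stated in the thread
nat_addr="172.16.0.1"        # address the LAN is translated to
remote_lan="192.168.21.0/24" # remote side of the tunnel

# Emit the rule set as shell lines. Run this script with "apply" to feed
# them to ipfw for real; by default nothing is changed on the host.
nat_rules() {
    echo "$cmd nat 100 config ip $nat_addr"
    # outbound: LAN -> remote, source rewritten to $nat_addr before IPsec
    echo "$cmd add 100 nat 100 all from $local_lan to $remote_lan out"
    # return: remote -> $nat_addr, mapped back to the LAN host; this is the
    # rule John says is needed as well
    echo "$cmd add 200 nat 100 all from $remote_lan to $nat_addr in"
}

# Check an "ipfw list" listing for both NAT rules and name what is missing.
# Returns 0 when both rules are present, 1 otherwise.
check_nat_rules() {
    listing="$1"
    missing=0
    echo "$listing" | grep -q "nat 100 .*from $local_lan to $remote_lan" ||
        { echo "missing outbound nat rule"; missing=1; }
    echo "$listing" | grep -q "nat 100 .*from $remote_lan to $nat_addr" ||
        { echo "missing return nat rule"; missing=1; }
    return $missing
}

# Constructed sample listing: only the outbound rule was installed, which
# is the half-configured state the thread is about.
sample_listing="00100 nat 100 ip from 10.0.0.0/24 to 192.168.21.0/24 out
65535 deny ip from any to any"

if [ "${1:-}" = "apply" ]; then
    nat_rules | sh
fi
```

Run `sh script.sh apply` on the gateway to install the rules, then paste `ipfw list` into `check_nat_rules` to confirm both directions are present.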