From owner-freebsd-net@FreeBSD.ORG Sun Nov 8 17:48:33 2009
From: Eric Masson
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org, vanhu
Subject: Re: IPSec, nat on enc device
Date: Sun, 08 Nov 2009 18:48:23 +0100
Message-ID: <863a4o52mw.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <86tyxp6vfh.fsf@srvbsdnanssv.interne.kisoft-services.com> (Eric Masson's message of "Sat, 24 Oct 2009 10:35:46 +0200")
References: <861vkzlula.fsf@srvbsdnanssv.interne.kisoft-services.com> <9a542da30910190707q7eb173d9xf9085d220a213db1@mail.gmail.com> <86eiozjt6p.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091019200549.GA9766@zeninc.net> <864opuk0e6.fsf@srvbsdnanssv.interne.kisoft-services.com> <20091020174351.T5956@maildrop.int.zabbadoz.net> <86tyxp6vfh.fsf@srvbsdnanssv.interne.kisoft-services.com>
X-Operating-System: FreeBSD 6.4-RELEASE-p7 i386
List-Id: Networking and TCP/IP with FreeBSD

Eric Masson writes:

Hi Bjoern,

> Ok, I've never used ipfw, so this is a shot in the dark.
>
> If I had to NAT 192.168.85.0/24 to 10.0.0.1 to access 192.168.201.0/24,
> I would have to set up the following:
>
> ipfw add divert natd all from 192.168.85.0/24 to 192.168.201.0/24 in
> natd -alias_address 10.0.0.1
> setkey -c << EOD
> spdadd 10.0.0.1/32 192.168.201.0/24 any -P out ipsec
> esp/tunnel/mygw-theirgw/require ;
> spdadd 192.168.201.0/24 10.0.0.1/32 any -P in ipsec
> esp/tunnel/theirgw-mygw/require ;
> EOD
>
> Does it seem reasonable, or am I missing something?

Seems I'm missing something, as the tests don't work at all.

Could you elaborate on incoming NAT & IPsec, please?

Regards

-- 
I received an e-mail about a sick little boy. I forwarded it to everyone I know. I'm told it's a hoax. Is that true? Am I really as stupid as my wife claims?
-+-C in GNU - The hardest part of marriage is getting out of it alive -+-
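An added example, not taken from Eric's or Bjoern's messages and not FreeBSD project code: a dry-run sh script laying out the ipfw/natd/setkey configuration for the scenario in the quoted message. natd(8) is a userland translator and only rewrites what ipfw diverts to it, so it has to see both directions: the quoted rule diverts LAN-to-remote packets, but the decrypted replies addressed to 10.0.0.1 also need a divert rule or natd never maps them back to the LAN host. The script also adds a `discard` policy so LAN traffic that did not get translated cannot leave the gateway in the clear. Assumptions not stated in the thread: the kernel has IPFIREWALL, IPDIVERT and IPSEC; `mygw`/`theirgw` are the placeholder gateway names carried over from the quoted setkey input; rule numbers 100/110 are arbitrary.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: NAT 192.168.85.0/24 to the
# single address 10.0.0.1 before it enters an ESP tunnel towards
# 192.168.201.0/24, using ipfw(8) + natd(8) + setkey(8) on FreeBSD.
# Assumptions (not stated in the original messages): kernel built with
# IPFIREWALL, IPDIVERT and IPSEC; "mygw"/"theirgw" are the placeholder gateway
# names from the thread; DRY_RUN=1 (the default) prints the commands instead
# of executing them, so the script can be reviewed on any POSIX sh.

LAN_NET=192.168.85.0/24
NAT_ADDR=10.0.0.1
REMOTE_NET=192.168.201.0/24
MYGW=${MYGW:-mygw}
THEIRGW=${THEIRGW:-theirgw}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# natd only translates what ipfw diverts to it, so it must see both directions:
#  - rule 100: LAN packets for the remote net as they enter the gateway. This
#    runs in ip_input, i.e. before ip_output does the outbound SPD lookup, so
#    the packet already carries src 10.0.0.1 when the policy is matched.
#  - rule 110: the decrypted replies addressed to the alias address. After ESP
#    decapsulation the inner packet is handed to ip_input again, so an "in"
#    rule sees it and natd can map dst 10.0.0.1 back to the real LAN host.
ipfw_rules() {
    run ipfw add 100 divert natd ip from "$LAN_NET" to "$REMOTE_NET" in
    run ipfw add 110 divert natd ip from "$REMOTE_NET" to "$NAT_ADDR" in
}

# -deny_incoming drops packets to the alias address that do not belong to a
# translation entry natd created, so only replies to LAN-initiated traffic pass.
natd_start() {
    run natd -alias_address "$NAT_ADDR" -deny_incoming
}

# SPD: tunnel policies keyed on the translated address, plus a discard entry so
# that LAN traffic which did not get translated (natd not running, divert rule
# missing) is dropped instead of leaving the gateway unencrypted.
spd_config() {
    cat <<EOF
spdadd $NAT_ADDR/32 $REMOTE_NET any -P out ipsec esp/tunnel/$MYGW-$THEIRGW/require;
spdadd $REMOTE_NET $NAT_ADDR/32 any -P in ipsec esp/tunnel/$THEIRGW-$MYGW/require;
spdadd $LAN_NET $REMOTE_NET any -P out discard;
EOF
}

apply_all() {
    ipfw_rules
    natd_start
    if [ "$DRY_RUN" = 1 ]; then
        printf 'setkey -c <<EOF\n%s\nEOF\n' "$(spd_config)"
    else
        spd_config | setkey -c
    fi
}

apply_all
```

Run it as is to review the generated commands; run it with `DRY_RUN=0` as root on the gateway to apply them. The divert rules are deliberately not tied to an interface, so they do not depend on whether enc(4) feeds decrypted packets to ipfw on the FreeBSD version in use; they must be numbered before any rule that would already accept or deny this traffic, or natd never sees it.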