From owner-freebsd-net@FreeBSD.ORG  Fri Mar  7 18:40:13 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 7175A25F
 for <freebsd-net@freebsd.org>; Fri,  7 Mar 2014 18:40:13 +0000 (UTC)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com
 [IPv6:2a00:1450:400c:c00::22a])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id EEF28F7A
 for <freebsd-net@freebsd.org>; Fri,  7 Mar 2014 18:40:12 +0000 (UTC)
Received: by mail-wg0-f42.google.com with SMTP id y10so5495234wgg.25
 for <freebsd-net@freebsd.org>; Fri, 07 Mar 2014 10:40:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=sender:from:to:cc:subject:in-reply-to:references:user-agent:date
 :message-id:mime-version:content-type:content-transfer-encoding;
 bh=4VcDNnxbkfN5dmovr58eFRGzIrF9OGQvKUYqkIII5a0=;
 b=f9qOAz1z0MPTydIkzpkjKfHFkLRgxl3gH6Q/iOimRNqT82KLfxkkZOaLCTI1DLF35J
 aPpP5Pnd+OK3aIFAoW+vnv9CdDHn4NdNe+pRA33iIDt7jYvEmFppwdeaAfZ2C4xx/ngv
 2IyTMm+jjlt9Qb20HDaSClIV9v1HvqcghOjP7v+QLJ2FkylDk+Jh5w2InCgojGOEuuyq
 T2HeJ8y2qCHsdtXd9A4eBrtf4aXpCwY+x1Zd2K5nSjgeyApkqCSx7AQKrUqH9YCq2Td3
 w0DjOWKlq93H0GUdD+25abzubk3gBLAoGPPK/MAuPphaqY+K88iLdpG28PCW+4BEnKW5
 tgxA==
X-Received: by 10.194.87.104 with SMTP id w8mr6253495wjz.90.1394217611421;
 Fri, 07 Mar 2014 10:40:11 -0800 (PST)
Received: from srvbsdfenssv.interne.associated-bears.org
 (LCaen-151-92-21-48.w217-128.abo.wanadoo.fr. [217.128.200.48])
 by mx.google.com with ESMTPSA id bj3sm13468932wjb.14.2014.03.07.10.40.10
 for <multiple recipients>
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Fri, 07 Mar 2014 10:40:10 -0800 (PST)
Sender: Eric Masson <emss.mail@gmail.com>
Received: from srvbsdfenssv.interne.associated-bears.org (localhost
 [127.0.0.1])
 by srvbsdfenssv.interne.associated-bears.org (Postfix) with ESMTP id
 25860CF240; Fri,  7 Mar 2014 19:40:09 +0100 (CET)
X-Virus-Scanned: amavisd-new at interne.associated-bears.org
Received: from srvbsdfenssv.interne.associated-bears.org ([127.0.0.1])
 by srvbsdfenssv.interne.associated-bears.org
 (srvbsdfenssv.interne.associated-bears.org [127.0.0.1]) (amavisd-new,
 port 10024)
 with ESMTP id sxyfHRmGpq0S; Fri,  7 Mar 2014 19:40:07 +0100 (CET)
Received: by srvbsdfenssv.interne.associated-bears.org (Postfix,
 from userid 1001)
 id C5635CF23C; Fri,  7 Mar 2014 19:40:07 +0100 (CET)
From: Eric Masson <emss@free.fr>
To: Philipp Schmid <philipp.schmid@openresearch.com>
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
In-Reply-To: <09B6BE02-2F04-41A1-AC0D-9A7943F88086@openresearch.com> (Philipp
 Schmid's message of "Fri, 7 Mar 2014 07:55:22 +0100")
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org>
 <53193371.4090603@saltant.com>
 <09B6BE02-2F04-41A1-AC0D-9A7943F88086@openresearch.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
X-Operating-System: FreeBSD 9.2-RELEASE-p3 amd64
Date: Fri, 07 Mar 2014 19:40:07 +0100
Message-ID: <86siqtluns.fsf@srvbsdfenssv.interne.associated-bears.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Cc: "John W. O'Brien" <john@saltant.com>,
 Mailing List FreeBSD Network <freebsd-net@FreeBSD.org>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Mar 2014 18:40:13 -0000

Philipp Schmid <philipp.schmid@openresearch.com> writes:

Hi Philipp,

> FreeBSD 10 seems to have problems with IPSec and filtering/nat.
> Maybe your problem is related to:
>
> 	http://www.freebsd.org/cgi/query-pr.cgi?pr=185876

I've rebuilt a kernel with the last patch available in the PR.
It doesn't work (return nat rule in place).

I think I'll try the following setup on gateway1 :
- IIPTran https://www.ietf.org/rfc/rfc3884.txt (ipip tunnel in transport
  mode)
- outside nat with pf on gif interface

What bothers me is that ipfw reverse nat should work...

Regards

Éric Masson

-- 
 J'ai une dissert' en français : "Trouvez-vous regrettable
 que le camping sauvage soit interdit en France ?"
 Pouvez-vous m'aider, car je n'ai jamais campé !...
 -+- Laure in:<http://www.le-gnu.net>- Youkaidi, youkaida -+-