From: "John W. O'Brien" (Saltant Solutions)
Date: Fri, 07 Mar 2014 19:09:35 -0500
To: Eric Masson, Philipp Schmid
Cc: Mailing List FreeBSD Network (freebsd-net@freebsd.org)
Subject: Re: [FreeBSD 10.0] nat before vpn, incoming packets not translated
Message-ID: <531A5FBF.1000507@saltant.com>
In-Reply-To: <86siqtluns.fsf@srvbsdfenssv.interne.associated-bears.org>
References: <868uu4rshh.fsf@srvbsdfenssv.interne.associated-bears.org> <53193371.4090603@saltant.com> <09B6BE02-2F04-41A1-AC0D-9A7943F88086@openresearch.com> <86siqtluns.fsf@srvbsdfenssv.interne.associated-bears.org>
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 08 Mar 2014 00:09:56 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 3/7/14 1:40 PM, Eric Masson wrote:
> Philipp Schmid writes:
>
> Hi Philipp,
>
>> FreeBSD 10 seems to have problems with IPSec and filtering/nat.
>> Maybe your problem is related to:
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=185876
>
> I've rebuilt a kernel with the last patch available in the PR.
> It doesn't work (return nat rule in place).
>
> I think I'll try the following setup on gateway1:
> - IIPTran https://www.ietf.org/rfc/rfc3884.txt (ipip tunnel in transport
> mode)
> - outside nat with pf on gif interface
>
> What bothers me is that ipfw reverse nat should work...

I haven't done the mind meld with "reverse" yet. Could you comment on why you need to operate in a reversed NAT environment? What is it that's being reversed, and how does that apply to your use case?

Regards,
John
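The layout Eric says he will try on gateway1 (an IIPtran-style gif tunnel protected by ESP in transport mode, with the NAT done by pf on the gif interface so the inner packet is translated before it is encapsulated and encrypted) is shown below as an added illustration. It is not configuration from the thread or from either poster. All addresses, interface names (em0, gif0), the NAT range and the file paths are constructed for the example; SA negotiation is left to whatever IKE daemon is in use and is not shown, and no default block policy is shown.

```sh
# Added example, not from the original message. Constructed addresses:
#   gateway1: public 192.0.2.1,     LAN 192.168.10.0/24, tunnel end 10.255.0.1
#   gateway2: public 198.51.100.1,  LAN 192.168.20.0/24, tunnel end 10.255.0.2
# gateway2 is to see gateway1's LAN as 172.16.10.0/24 (the translated range).
# gateway2 needs the mirror-image configuration and a route for
# 172.16.10.0/24 via 10.255.0.1.

# 1. IP-in-IP tunnel between the public addresses, carried by gif(4).
ifconfig gif0 create
ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
ifconfig gif0 inet 10.255.0.1 10.255.0.2
route add -net 192.168.20.0/24 10.255.0.2

# 2. SPD: require ESP in transport mode for the ipencap (protocol 4)
#    packets between the two gateways only. The SAs themselves come from
#    the IKE daemon (assumed, not shown).
cat > /etc/ipsec.conf <<'EOF'
flush;
spdflush;
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in  ipsec esp/transport//require;
EOF
setkey -f /etc/ipsec.conf

# 3. pf: 1:1 network translation on gif0, i.e. on the inner packet, before
#    gif wraps it and IPsec encrypts it. binat is bidirectional, so replies
#    addressed to 172.16.10.x are mapped back to 192.168.10.x on the way in.
#    Translation rules precede filter rules in the pf syntax of FreeBSD 10.
cat > /etc/pf.conf <<'EOF'
ext_if  = "em0"
lan_net = "192.168.10.0/24"
nat_net = "172.16.10.0/24"

binat on gif0 from $lan_net to 192.168.20.0/24 -> $nat_net

pass quick on gif0
pass in on $ext_if proto esp from 198.51.100.1 to 192.0.2.1
pass in on $ext_if proto udp from 198.51.100.1 to 192.0.2.1 port 500
EOF
pfctl -f /etc/pf.conf
```

The point of putting the translation on gif0 rather than on the external interface is that pf then operates on the plain inner packet in both directions, independently of where the IPsec code hands decrypted packets back to the firewall; the SPD only selects the ipencap traffic between the two gateways, so nothing else on the external interface is affected.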