Date: Thu, 11 Jan 2001 12:56:21 +0000
From: Josef Karthauser <joe@tao.org.uk>
To: itojun@iijlab.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction problem with IKE (racoon) and ipfw divert natd?
Message-ID: <20010111125621.F3594@tao.org.uk>
In-Reply-To: <29596.979217266@coconut.itojun.org>; from itojun@iijlab.net on Thu, Jan 11, 2001 at 09:47:46PM +0900
References: <20010111124510.D3594@tao.org.uk> <29596.979217266@coconut.itojun.org>
On Thu, Jan 11, 2001 at 09:47:46PM +0900, itojun@iijlab.net wrote: > > >Strangely... if I move the 'allow udp from ME isakmp to HIM isakmp' to > >before the 'divert 8668 ip from any to any via fxp1' rule the packet > >does go out on the wire! > >I wonder whether this is a bug with natd. > >Both machines are round about RELENG_4 (far end HIM jan 4th, this end ME > >jan 10th). > >Any ideas how I can track this down? > > i have no idea. i think natd captures the outgoing packets and then > drops them onto the floor or something like that. > we (as kame guys) almost never use ipfw/ipnat, as ipsec is inherently > not friendly with them. Hmm, you're also using IPv6 aren't you, so that makes things easier in terms of space allocation. My guess here is that natd is corrupting something as it sees the packet. Joe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message