Date: Thu, 28 Oct 2004 20:17:30 -0700
From: Aaron Nichols <adnichols@gmail.com>
To: "Nickolay A. Kritsky" <nkritsky@star-sw.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Problems with NAT on gif interface for VPN
Message-ID: <ac05538404102820171b7b5771@mail.gmail.com>
In-Reply-To: <62721446609.20041028214724@star-sw.com>
References: <ac0553840410281038224213b@mail.gmail.com> <62721446609.20041028214724@star-sw.com>
On Thu, 28 Oct 2004 21:47:24 +0400, Nickolay A. Kritsky <nkritsky@star-sw.com> wrote:
> Hello Aaron,
>
> Please make sure that you have option IPSEC_FILTERGIF in your kernel.
> See LINT and -net archives for more details.

Thanks for the hint - and that makes more sense, however I think I'm still in the same position. Rather than a "problem" with ipfw however, I think I've got a fundamental problem with how to do this.

If I understand correctly, in order for natd to "reverse" a divert rule (translate the destination IP back to the original IP on return traffic) the packet has to come through the same interface it was originally seen by natd on - is this correct? For whatever reason I still seem to be unable to use gif0 for this purpose, which seems to be the closest thing to an "ipsec interface" available (I'm beginning to think it's nowhere near as useful as enc0 on OpenBSD). Thus, I'm stuck translating packets when they either enter the LAN interface or leave the WAN; the former seems the best option.

The problem I have, however, is that if I apply the divert rule on vr0 (LAN) then the return traffic is never transmitted out vr0 and thus never gets translated back (I assume it's dropped somewhere earlier in the process). I tried using a 'fwd' rule to push return traffic out vr0 on the return trip, but that seems to have been fruitless.

On Cisco routers I know you can do some interesting NAT tricks by using policy routing and forcing VPN traffic to an intermediate loopback interface so that all VPN traffic goes in/out the same interface before being delivered to its ultimate destination. Can I do something similar on FreeBSD? For example:

LAN to remote site:
PC -> vr0 -> some_int0 -> ipsec -> xl0 ...

Remote site response traffic:
xl0 -> ipsec -> some_int0 -> vr0 -> PC

Thus, all traffic would go in/out of 'some_int0' and I could apply divert rules there correctly.

I apologize if this doesn't make any sense to those who understand the system - evidently I don't have a strong enough understanding of the processing order to piece this together myself. At this point I think the relevant question is - does anyone know if this is possible and have any pointers to a working configuration?

Thanks again for your time and patience.

Aaron
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ac05538404102820171b7b5771>