Date: Mon, 11 Sep 2006 18:39:22 +0200
From: Erik Norgaard <norgaard@locolomo.org>
To: Administrators <mlh@ispinfo.fr>
Cc: freebsd-questions@freebsd.org
Subject: Re: NAT+IPSEC toubles
Message-ID: <4505913A.5020403@locolomo.org>
In-Reply-To: <450536E9.2010106@ispinfo.fr>
References: <450536E9.2010106@ispinfo.fr>
Administrators wrote:
> Hi,
>
> I'm building VPN connected to CISCO device.
>
> I NEED to translate my LAN address to a given address.
>
> The VPN work well when I try doing
> ifconfig em0 alias _given_@_
> ping -S _given_@_ dest_@
>
> but I didn't manage to translate LAN address AND having VPN used.
>
> I can pass through VPN using actual address but the CISCO endpoint drop it
> or I translate, but packets didn't go in the VPN.
>
> Any idea ?

IPSec does not work across NAT. The problem is authenticated headers which
simply won't work because it assumes the ip header to be untouched. If you
have a natting box this will rewrite the source/destination ip which means
that the recipient cannot verify the authenticity of the packet.

You should be able to get things working without AH.

Cheers, Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
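The reply above explains why AH breaks behind NAT: the AH integrity check value (ICV) is computed over the IP source and destination addresses, so once a NAT box rewrites either address the receiver's recomputed ICV no longer matches. The following added example (editor's illustration, not code from the thread or from FreeBSD) builds a minimal IPv4+AH packet with HMAC-SHA1-96 per RFC 4302, passes it through a simulated source-address rewrite, and shows the verification failing; for contrast it does the same with an ESP-style ICV (RFC 4303, integrity only, encryption omitted), which covers only the ESP header and payload and therefore survives the rewrite. All addresses, the key, the SPIs and the payload are constructed for the demonstration.

```python
"""Why AH fails behind NAT while ESP's integrity check does not.
All addresses, keys, SPIs and payloads below are constructed for this demo.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_AH, IPPROTO_ESP = 51, 50
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 HMAC truncated to 96 bits


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv_input(ip_hdr: bytes, ah_hdr_no_icv: bytes, payload: bytes) -> bytes:
    """RFC 4302 3.3.3.1: mutable IPv4 fields (DSCP/ECN, flags+fragment offset,
    TTL, header checksum) are zeroed; the ICV field is zero-filled. The source
    and destination addresses are NOT zeroed, which is the whole NAT problem."""
    fixed = bytearray(ip_hdr)
    fixed[1] = 0                 # DSCP/ECN
    fixed[6:8] = b"\x00\x00"     # flags + fragment offset
    fixed[8] = 0                 # TTL
    fixed[10:12] = b"\x00\x00"   # header checksum
    return bytes(fixed) + ah_hdr_no_icv + b"\x00" * ICV_LEN + payload


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, next_header, payload) -> bytes:
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq
    ah_len_words = (12 + ICV_LEN) // 4 - 2
    ah_no_icv = struct.pack("!BBHII", next_header, ah_len_words, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 12 + ICV_LEN + len(payload))
    icv = hmac_sha1_96(key, ah_icv_input(ip_hdr, ah_no_icv, payload))
    return ip_hdr + ah_no_icv + icv + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    ip_hdr, ah_no_icv = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = hmac_sha1_96(key, ah_icv_input(ip_hdr, ah_no_icv, payload))
    return hmac.compare_digest(icv, expected)


def build_esp_packet(key, src, dst, spi, seq, payload) -> bytes:
    """ESP integrity only (encryption omitted): ICV covers SPI, seq and payload."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac_sha1_96(key, esp_hdr + payload)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 8 + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def verify_esp_packet(key: bytes, packet: bytes) -> bool:
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(key, body))


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT box does on the way out: swap the source address, decrement
    TTL and fix the IP checksum. AH tolerates the TTL/checksum changes (they are
    zeroed in the ICV input) but not the address change."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def demo() -> dict:
    key = b"constructed-shared-key"
    payload = b"ICMP echo request"          # constructed placeholder payload
    lan_host, peer, nat_public = "192.168.1.10", "203.0.113.1", "198.51.100.5"
    ah = build_ah_packet(key, lan_host, peer, 0x1000, 1, 1, payload)
    esp = build_esp_packet(key, lan_host, peer, 0x2000, 1, payload)
    return {
        "ah_before_nat": verify_ah_packet(key, ah),
        "ah_after_nat": verify_ah_packet(key, nat_rewrite_source(ah, nat_public)),
        "esp_before_nat": verify_esp_packet(key, esp),
        "esp_after_nat": verify_esp_packet(key, nat_rewrite_source(esp, nat_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

Running it shows `ah_after_nat` failing while the other three checks pass, which is exactly the symptom in the thread: the Cisco endpoint discards the translated AH packets. The peer gateway's log is the place to confirm this in a real deployment, since the drop happens at ICV verification on the receiver. Dropping AH in favour of ESP removes the address from the integrity check; note that ESP behind a NAT still needs UDP encapsulation (NAT-T, RFC 3948) on both endpoints so the NAT box has ports to track, since plain ESP has none.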