Date:      Mon, 15 Mar 2004 23:12:42 -0800
From:      "Crist J. Clark" <cristjc@comcast.net>
To:        Neil Fenemor <Neil@TS.co.NZ>
Cc:        freebsd-current@freebsd.org
Subject:   Re: IPSec/NAT/Gateway Query
Message-ID:  <20040316071242.GA18433@blossom.cjclark.org>
In-Reply-To: <1079038531.29695.2.camel@acer>
References:  <1079038531.29695.2.camel@acer>

On Fri, Mar 12, 2004 at 09:55:31AM +1300, Neil Fenemor wrote:
[snip]
> What I'm having an issue with is if the "client" has a range of RFC 1918
> addresses behind it, and I have to introduce NAT into the equation.
> 
> I've best tracked it down to the order that the kernel looks at the
> packets to decide what to do with it.
> 
> This is where I stand at the moment.
> 
> x.y.z.11 -> x.y.z.254             : works perfectly
> x.y.z.11 -> x.y.z.254 -> 0.0.0.0  : works perfectly
> rfc 1918 -> x.y.z.11 -> x.y.z.254 : Fails
> rfc 1918 -> x.y.z.11 -> x.y.z.254 -> 0.0.0.0 : Fails

Why not do IPsec between x.y.z.11 and x.y.z.254 in tunnel mode and do
the NAT on the host with the x.y.z.254 interface?

If you want to do the NAT on x.y.z.11, you can "trick" it into doing NAT
before IPsec by doing some of the ol' gif(4)-IPsec gymnastics.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
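The two arrangements the reply sketches, written out as an added example. This is not code from the thread and not either poster's actual setup; it prints the setkey(8), ifconfig(8), route(8), natd(8) and ipfw(8) commands for review rather than running them. x.y.z.11 and x.y.z.254 are the gateways from the thread; 192.168.1.0/24 is a constructed RFC 1918 LAN behind x.y.z.11, fxp0 an assumed Internet-facing interface on x.y.z.254, 10.255.0.0/30 a constructed point-to-point net for the gif(4) link, and the SAs (racoon or manual "add" lines) are assumed to exist already. The explanation of why the gif(4) trick places NAT before IPsec (the inner packet goes through ipfw on its way out of gif0, and only the encapsulated result meets the SPD on the second pass through ip_output) is my reading of the reply, not something the thread spells out.

```shell
#!/bin/sh
# Added example (not from the thread): print, never run, the FreeBSD
# configuration for both approaches in the reply above.  Review the
# output, then apply it as root on the host named in each section.
# Placeholders: x.y.z.11/x.y.z.254 are the thread's gateways; the LAN,
# fxp0 and the 10.255.0.0/30 gif net are constructed/assumed.

LOCAL_GW=x.y.z.11
REMOTE_GW=x.y.z.254
LAN=192.168.1.0/24
EXT_IF=fxp0            # assumed Internet-facing interface on x.y.z.254
GIF_LOCAL=10.255.0.1   # constructed gif(4) point-to-point addresses
GIF_REMOTE=10.255.0.2

# Approach 1, x.y.z.11 side: tunnel-mode SPD (input for "setkey -c")
# that carries the RFC 1918 prefix unchanged to x.y.z.254.
approach1_spd_lan_gw() {
    cat <<EOF
spdadd $LAN 0.0.0.0/0 any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd 0.0.0.0/0 $LAN any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Approach 1, x.y.z.254 side: mirror SPD, a route back to the LAN, and
# natd on the Internet-facing interface.  The 192.168.1.x packets are
# translated only after IPsec has decapsulated them, so the NAT-vs-IPsec
# ordering on x.y.z.11 never matters.
approach1_spd_remote_gw() {
    cat <<EOF
spdadd 0.0.0.0/0 $LAN any -P out ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
spdadd $LAN 0.0.0.0/0 any -P in ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
EOF
}
approach1_nat_remote_gw() {
    cat <<EOF
route add -net $LAN $LOCAL_GW
natd -n $EXT_IF
ipfw add 100 divert natd ip from any to any via $EXT_IF
EOF
}

# Approach 2, x.y.z.11 side: keep a host-level tunnel policy for
# x.y.z.11 itself (the case the original poster says already works) and
# add gif0 purely as a hook for ipfw/natd.  LAN packets are routed into
# gif0, natd rewrites their source to x.y.z.11 as they leave gif0, and
# only the encapsulated (ipencap) result is handed to ip_output again,
# where the SPD for x.y.z.11 applies.  Replies addressed to x.y.z.11
# come back under the same policy and are un-NATed on input.
approach2_spd_lan_gw() {
    cat <<EOF
spdadd $LOCAL_GW/32 0.0.0.0/0 any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd 0.0.0.0/0 $LOCAL_GW/32 any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}
approach2_gif_nat_lan_gw() {
    # Assumes x.y.z.254 stays reachable over a directly connected link
    # after the default route moves into gif0; otherwise add a host
    # route to it via the old gateway before the "route delete".
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_GW $REMOTE_GW
ifconfig gif0 inet $GIF_LOCAL $GIF_REMOTE netmask 255.255.255.252
route delete default
route add default $GIF_REMOTE
natd -a $LOCAL_GW
ipfw add 100 divert natd ip from $LAN to any out via gif0
ipfw add 110 divert natd ip from any to $LOCAL_GW in
EOF
}
# Approach 2, x.y.z.254 side: the gif peer plus the mirror of the
# host-level policy so that replies to x.y.z.11 go back over IPsec.
approach2_remote_gw() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $REMOTE_GW $LOCAL_GW
ifconfig gif0 inet $GIF_REMOTE $GIF_LOCAL netmask 255.255.255.252
setkey -c <<SPD
spdadd 0.0.0.0/0 $LOCAL_GW/32 any -P out ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
spdadd $LOCAL_GW/32 0.0.0.0/0 any -P in ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
SPD
EOF
}

print_all() {
    echo "# --- approach 1: setkey -c on $LOCAL_GW ---"; approach1_spd_lan_gw
    echo "# --- approach 1: setkey -c on $REMOTE_GW ---"; approach1_spd_remote_gw
    echo "# --- approach 1: shell on $REMOTE_GW ---";    approach1_nat_remote_gw
    echo "# --- approach 2: setkey -c on $LOCAL_GW ---"; approach2_spd_lan_gw
    echo "# --- approach 2: shell on $LOCAL_GW ---";     approach2_gif_nat_lan_gw
    echo "# --- approach 2: shell on $REMOTE_GW ---";    approach2_remote_gw
}
print_all
```

The practical difference between the two: in approach 1 the translated address is x.y.z.254's, so nothing on x.y.z.11 needs to know about NAT at all, whereas approach 2 keeps the translation on x.y.z.11 but depends on x.y.z.254 sending every reply for x.y.z.11 back through IPsec, which is why its host-level tunnel policy has to stay in place on both ends.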
