From owner-freebsd-net Tue Aug 8 19:34:31 2000
Message-ID: <20000809023338.12896.qmail@web311.mail.yahoo.com>
Date: Tue, 8 Aug 2000 19:33:38 -0700 (PDT)
From: Benjamin Gavin
Subject: Re: NATD and non-UDP/TCP packets
To: Ruslan Ermilov
Cc: freebsd-net@freebsd.org

Hi,

I'm responding to both of these responses (mostly because then I can keep my thoughts a little more coherent), so bear with me :).

First:

--- Ruslan Ermilov wrote:
> > these functions, or is there any possibility that these protocols will be
> > included in future NATD versions?
> >
> You can redirect a particular IP protocol with -redirect_proto rule, or
> any protocol with -redirect_address rule.

I'm using 3.5-STABLE, and this "redirect_proto" doesn't exist in natd. Is this an old/deprecated feature, or a new feature of 4.0+? Does the redirect_proto command (assuming I can use it :) ) only allow for redirection to a single host, or will it perform standard NAT on any protocol (sans port)? The redirect_address is not an acceptable solution.

The reason I ask is because of the second response I got, which is what I was expecting (and hoping wasn't the case).

> Please refer to libalias(3) manual page, section CONCEPTUAL BACKGROUND,
> for more details.

Thanks, I'll take a look.

-------- Reply to second message

>> What are the fundamental differences between ESP/AH and TCP/UDP? Are
>> they inherently more complicated to translate,
>
> They are designed to be cryptographically secure, and hence,
> impossible to NAT. If you want to do NAT, you'll have to terminate
> the SAs at the boundary and create an appropriate new set for the
> ``public'' side.
>
> -GAWollman

Hmmmm... I may be going braindead (P.S. What's an SA?), but will this be possible on the same firewall box? How will the routing work, even assuming I can get the proper clients for FreeBSD? (Now: I've thought about it more, and do you mean setting up a server-server tunnel, then routing traffic through it and not having the clients have tunnel software installed? I'm not concerned about the traffic on the local nets, just across the internet. I've done that type of thing before, but I don't know if it will apply to this problem :( ).

It may be appropriate to include (which I missed in my original message) that I am running FreeBSD 3.5-STABLE (mentioned earlier), and that I am trying to get the Cisco SafeNet VPN client (yes, I would prefer something else, but I don't have a choice) working from behind it. Cisco doesn't seem to know whether this combination will work (at least none of their on-line docs say it won't), so I am optimistically assuming it can be done.

Any creative ideas (and I'm not against hacking the natd daemon)? Of course, I would prefer if someone had gotten it working and that they just share their secrets :).

Thanks,
Ben
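As an added illustration of the point quoted above about why AH cannot be NATed (example code, not from the original thread; the key, addresses and payload are constructed): AH's integrity check covers the IP source address, so a natd-style address rewrite invalidates it, while the TTL decrement of an ordinary router does not.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

def ipv4_header(src, dst, proto=51, ttl=64, total_len=60):
    # Minimal 20-byte IPv4 header (proto 51 = AH); checksum left zero since
    # AH zeroes it before computing the ICV anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto,
                       0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_mutable_zeroed(header):
    # RFC 2402 3.3.3.1: zero the mutable fields (TOS, flags/fragment offset,
    # TTL, checksum); source and destination addresses stay covered.
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, header, payload):
    # HMAC-SHA1-96 (RFC 2404): first 96 bits of HMAC-SHA1 over the zeroed
    # header plus everything AH protects after it.
    msg = ah_mutable_zeroed(header) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

def forward_hop(header, new_src=None):
    # One router hop: decrement TTL; with new_src, also rewrite the source
    # address the way natd does to outbound packets.
    h = bytearray(header)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = IPv4Address(new_src).packed
    return bytes(h)

def receiver_accepts(key, header, payload, icv):
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

def demo():
    key = b"constructed-sa-key"                 # constructed, not a real SA
    payload = b"constructed protected payload"  # stands in for AH + ULP data
    sent = ipv4_header("192.168.1.10", "203.0.113.5")
    icv = ah_icv(key, sent, payload)
    routed = forward_hop(sent)                          # plain router
    natted = forward_hop(sent, new_src="198.51.100.1")  # natd rewrite
    return {"plain_router_ok": receiver_accepts(key, routed, payload, icv),
            "after_natd_ok": receiver_accepts(key, natted, payload, icv)}
```

Without the SA's key the translating box cannot recompute the ICV, which is why the advice in the thread is to terminate the SAs at the boundary rather than translate them.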