Date: Wed, 9 Aug 2000 09:58:08 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200008091358.JAA18502@khavrinen.lcs.mit.edu>
To: Benjamin Gavin
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: NATD and non-UDP/TCP packets
In-Reply-To: <20000809023338.12896.qmail@web311.mail.yahoo.com>
References: <20000809023338.12896.qmail@web311.mail.yahoo.com>

< said:

> Hmmmm... I may be going braindead (P.S. What's an SA?), but will this

Security Association. IPSEC cryptographic parameters are indexed on both endpoints using the tuple , so if you change either address you have irretrievably corrupted the packet. (The fact that IPSEC can't be NAT'ed is considered by many people to be a Good Thing.)

> be possible on the same firewall box?? How will the routing work, even
> assuming I can get the proper clients for FreeBSD? (Now: I've thought
> about it more, and do you mean setting up a server-server tunnel, then
> routing traffic through it and not having the clients have tunnel software
> installed?? I'm not concerned about the traffic on the local nets, just
> across the internet. I've done that type of thing before, but I don't
> know if it will apply to this problem :( ).

I can't parse this.

> It may be appropriate to include (which I missed in my original message)
> that I am running FreeBSD 3.5-STABLE (mentioned earlier), and that I
> am

You'll need the KAME kit for FreeBSD 3.5 in order to terminate an IPSEC tunnel there.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick