Date:      Mon, 17 Apr 2006 17:50:39 -0700 (PDT)
From:      Kelly Yancey <kbyanc@posi.net>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: tcpdump and ipsec
Message-ID:  <20060417173122.V293@gateway.posi.net>
In-Reply-To: <20060417192638.U13011@maildrop.int.zabbadoz.net>
References:  <442D8E98.6050903@vineyard.net> <20060331222813.GA29047@zen.inc> <20060331223613.GD80492@spc.org> <20060402130227.G99958@atlantis.atlantis.dp.ua> <20060402113516.D76259@maildrop.int.zabbadoz.net> <20060402151039.R51461@atlantis.atlantis.dp.ua> <20060411153224.L55107@gateway.posi.net> <20060411213528.F13011@maildrop.int.zabbadoz.net> <20060413155210.R73176@gateway.posi.net> <20060417192638.U13011@maildrop.int.zabbadoz.net>

On Mon, 17 Apr 2006, Bjoern A. Zeeb wrote:

> On Thu, 13 Apr 2006, Kelly Yancey wrote:
>
> > I'm curious: how are you performing NAT on your tunnelled traffic?
>
> the answer is simple: do not NAT on the ipsec interface though it's
> not fully correct because I do even NAT traffic that goes like:
>
> A ---- lan1(ipsec only) --- gw(NAT) --- lan2(ipsec only) ---- B
>
> [ipsec only == esp and ike allowed]
>
> so the better explanation perhaps is:
> do not nat on the ipsec interface of the outgoing direction.
>

  "When all you have is a hammer, everything looks like a nail" :)

  In our case, we couldn't use that hack because we have multiple
interfaces, each with its own NAT config.  We have to run natd on the
interface that the traffic is traversing.  With the enc interface, we
can handle packets inside the tunnel separate from the tunnel traffic
itself without resorting to gymnastics.
  If I had time I'd integrate PR 94829 myself, but it looks like I'm
going to have my hands full for a couple of months. :|  We'll see if
anyone else picks it up in the meantime...

  Kelly

-- 
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly@nttmcl.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060417173122.V293>