Date: Mon, 21 Oct 2002 10:33:23 +0200
From: Guido van Rooij <guido@gvr.org>
To: Lars Eggert <larse@ISI.EDU>
Cc: Charles Henrich <henrich@sigbus.com>, freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <20021021083323.GA27359@gvr.gvr.org>
In-Reply-To: <3DAF5C21.6000108@isi.edu>
References: <20021017162243.B89519@sigbus.com> <3DAF509C.6030002@isi.edu> <20021017172905.A91625@sigbus.com> <3DAF5C21.6000108@isi.edu>
On Thu, Oct 17, 2002 at 05:56:01PM -0700, Lars Eggert wrote:
> > Your packets don't seem to reach natd after IPsec inbound processing.
>
> Looks like ipfw processing happens before IPsec (so natd sees the
> IPsec'ed packets, but doesn't know anything about them), and gets them
> after IPsec inbound processing. What you want is a way to do IPsec
> first, and then ipfw processing, but I don't know if that can be done.
>
> Try configuring an IPIP tunnel between B and C, and transport-mode IPsec
> that. That way, your NAT packets get tunneled, and the tunneled packets
> secured. On inbound, security processing comes first, then
> decapsulation, then ipfw.

Only with the following patch:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c.diff?r1=1.213&r2=1.214

-Guido
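The layout Lars suggests (an IPIP tunnel between B and C, transport-mode ESP protecting only the tunnel carrier, natd applied to the inner packets via an ipfw divert rule), written out for host B as an added example; it is not from the thread. The addresses, the natd port, the rule numbers and the gif(4)/setkey/ipfw syntax of a current FreeBSD are assumptions, and `run` echoes each command and only executes it when DRYRUN is unset. Whether inbound processing really runs ESP, then decapsulation, then ipfw depends on the ip_input.c change Guido links.

```shell
#!/bin/sh
# Added example for NAT host "B"; all addresses are constructed placeholders.
B_OUTER=192.0.2.1        # B's public address (assumed)
C_OUTER=198.51.100.1     # C's public address (assumed)
B_INNER=10.255.0.1       # gif0 tunnel endpoints, B side and C side (assumed)
C_INNER=10.255.0.2
NATD_PORT=8668           # divert port natd listens on (assumed)

# Print each command; execute it only when DRYRUN is unset.
run() { echo "$*"; [ -n "${DRYRUN:-}" ] || "$@"; }

# 1. IPIP tunnel B <-> C. NAT'ed traffic is routed into gif0 and leaves B
#    encapsulated in an outer B_OUTER -> C_OUTER packet (protocol 4).
setup_gif() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$B_OUTER" "$C_OUTER"
    run ifconfig gif0 inet "$B_INNER" "$C_INNER" netmask 255.255.255.255
}

# 2. setkey policy: transport-mode ESP required for the IPIP carrier only
#    (upperspec ip4). The inner packets are untouched by IPsec, so after
#    ESP and decapsulation ipfw sees them in the clear. SAs come from IKE
#    or manual "add" lines, which are left out here. Pipe into: setkey -c
ipsec_policy() {
    cat <<EOF
spdflush;
spdadd $B_OUTER $C_OUTER ip4 -P out ipsec esp/transport//require;
spdadd $C_OUTER $B_OUTER ip4 -P in ipsec esp/transport//require;
EOF
}

# 3. natd on the inner packets: everything crossing gif0 in either
#    direction is diverted to natd, which aliases to gif0's address.
setup_nat() {
    run natd -p "$NATD_PORT" -n gif0
    run ipfw add 100 divert "$NATD_PORT" ip from any to any via gif0
    run ipfw add 200 allow ip from any to any
}

# Usage on B: setup_gif; ipsec_policy | setkey -c; setup_nat
```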