Date:      Thu, 4 Aug 2011 15:22:38 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Zeus V Panchenko <zeus@ibs.dn.ua>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: weird results while ipsec + ipfv_nat (nat before vpn)
Message-ID:  <20110804145842.E42715@sola.nimnet.asn.au>
In-Reply-To: <20110803200113.GC6930@relay.ibs.dn.ua>
References:  <20110803200113.GC6930@relay.ibs.dn.ua>

On Wed, 3 Aug 2011, Zeus V Panchenko wrote:

[..]

I can't comment on your ipsec setup at all, but:

 > > cat /etc/ipfw.conf
 > ...
 > 
 > add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
 > add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
 > add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
 > add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
 > 
 > add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
 > nat 100 config log if bge1 ip b.b.b.1 reverse

Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe 
that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.

 > so, ipsec and ipfw_nat out works, but where are reply packets 
 > disappearing to after coming to gif0 interface? why no backward 
 > divert occurs?

Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and 
maybe 'ipfw show' to check that all your other rules match ipfw.conf.

cheers, Ian
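An added example, not part of the thread: a small shell lint that applies the two checks Ian suggests to ipfw.conf text offline, flagging 'nat N config' lines that carry both 'if' and 'ip', and nat instances that rules reference but no config line defines. The sample config and its addresses are constructed placeholders, not the original poster's file.

```shell
#!/bin/sh
# Added example, not from the thread: a lint pass over ipfw.conf text that
# flags the two things discussed in the reply, without needing ipfw(8).
#   1. "nat N config" lines that give both "if <iface>" and "ip <addr>"
#   2. "add ... nat N" rules whose instance N has no "nat N config" line
# Requires only POSIX sh and awk.

# Constructed sample mirroring the quoted rules; addresses are placeholders.
SAMPLE_CONF='add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse
add 00503 nat 300 all from any to any
nat 200 config if bge1 reverse'

# lint_nat_config: reads ipfw.conf text on stdin, prints one finding per line.
# Exit status 0 when nothing was flagged, 1 otherwise.
lint_nat_config() {
    awk '
        # Rule referencing a nat instance: "add <num> nat <id> ..."
        $1 == "add" {
            for (i = 3; i < NF; i++)
                if ($i == "nat" && $(i + 1) ~ /^[0-9]+$/) used[$(i + 1)] = 1
        }
        # Instance definition: "nat <id> config ..."
        $1 == "nat" && $3 == "config" {
            configured[$2] = 1
            has_if = 0; has_ip = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "if") has_if = 1
                if ($i == "ip") has_ip = 1
            }
            if (has_if && has_ip) {
                printf "nat %s: both \"if\" and \"ip\" given: %s\n", $2, $0
                bad = 1
            }
        }
        END {
            for (id in used)
                if (!(id in configured)) {
                    printf "nat %s: referenced by a rule but never configured\n", id
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }
    '
}

# count_findings: number of findings for the config text given as $1.
count_findings() {
    printf '%s\n' "$1" | lint_nat_config | wc -l | tr -d ' '
}
```

Run it against a real file with 'lint_nat_config < /etc/ipfw.conf' and compare the flagged instances with the output of 'ipfw nat show config'.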
