Date: Thu, 4 Aug 2011 15:50:55 +0300
From: Zeus V Panchenko <zeus@ibs.dn.ua>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: weird results while ipsec + ipfv_nat (nat before vpn)
Message-ID: <20110804125055.GA33376@relay.ibs.dn.ua>
In-Reply-To: <20110804145842.E42715@sola.nimnet.asn.au>
References: <20110803200113.GC6930@relay.ibs.dn.ua> <20110804145842.E42715@sola.nimnet.asn.au>
Ian Smith (smithi@nimnet.asn.au) [11.08.04 08:44] wrote:
> On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
> [..]
>
> Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe
> that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.
>
> > so, ipsec and ipfw_nat out works, but where are reply packets
> > disappearing to after coming to gif0 interface? why no backward
> > divert occurs?
>
> Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and
> maybe 'ipfw show' to check that all your other rules match ipfw.conf

you are right, ipfw thinks about nat this way:

# ipfw nat show config
ipfw nat 100 config if bge1 log reverse

I have tried both combinations and still no result:

1. with `if' I see `incorrect' (lan ip) traffic on gif0
2. with `ip' I see only ipsec peer replies and no back divert
3. but with both options I see the same as in p.2

any further idea?

-- 
Zeus V. Panchenko
JID:zeus@gnu.org.ua
GMT+2 (EET)
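The reply above recommends checking `ipfw nat show config` and says an instance should carry either `if` or `ip`, not both. Here is an added example (not from the thread or from FreeBSD) that lints lines in that output format for exactly that condition; the sample lines other than the `nat 100` one are constructed.

```shell
#!/bin/sh
# Added example: lint `ipfw nat show config` output (read from stdin).
# For every `ipfw nat <id> config ...` line, report one of:
#   "<id> ok"                 exactly one of `if`/`ip` is given
#   "<id> both-if-and-ip"     both options given (the conflict named above)
#   "<id> no-address-source"  neither option given
lint_ipfw_nat_config() {
    while read -r line; do
        case "$line" in
            "ipfw nat "*" config "*) ;;
            *) continue ;;   # skip anything that is not an instance line
        esac
        id=$(printf '%s\n' "$line" | awk '{print $3}')
        has_if=0; has_ip=0
        # Scan whitespace-separated tokens; only the bare keywords count,
        # so `redirect_port`/`redirect_addr` arguments are not mistaken for them.
        for word in $line; do
            case "$word" in
                if) has_if=1 ;;
                ip) has_ip=1 ;;
            esac
        done
        if [ "$has_if" = 1 ] && [ "$has_ip" = 1 ]; then
            printf '%s both-if-and-ip\n' "$id"
        elif [ "$has_if" = 0 ] && [ "$has_ip" = 0 ]; then
            printf '%s no-address-source\n' "$id"
        else
            printf '%s ok\n' "$id"
        fi
    done
}

# Constructed sample: the instance shown in the thread plus two variants
# (192.0.2.1 is a documentation address, not a real host).
SAMPLE='ipfw nat 100 config if bge1 log reverse
ipfw nat 200 config ip 192.0.2.1 if bge1 log
ipfw nat 300 config log'

# Run the linter over the sample; on a live box pipe the real command in:
#   ipfw nat show config | lint_ipfw_nat_config
lint_sample() {
    printf '%s\n' "$SAMPLE" | lint_ipfw_nat_config
}

lint_sample
```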