From: Zeus V Panchenko
To: Ian Smith
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 4 Aug 2011 15:50:55 +0300
Subject: Re: weird results while ipsec + ipfv_nat (nat before vpn)
Message-ID: <20110804125055.GA33376@relay.ibs.dn.ua>
References: <20110803200113.GC6930@relay.ibs.dn.ua> <20110804145842.E42715@sola.nimnet.asn.au>
In-Reply-To: <20110804145842.E42715@sola.nimnet.asn.au>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 8.1-RELEASE
Reply-To: zeus@ibs.dn.ua
List-Id: IPFW Technical Discussions

Ian Smith (smithi@nimnet.asn.au) [11.08.04 08:44] wrote:
> On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
> [..]
>
> Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe
> that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.
>
> > so, ipsec and ipfw_nat out works, but where are reply packets
> > disappearing to after coming to gif0 interface? why no backward
> > divert occurs?
>
> Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and
> maybe 'ipfw show' to check that all your other rules match ipfw.conf
>

you are right, ipfw thinks about nat this way:

# ipfw nat show config
ipfw nat 100 config if bge1 log reverse

I have tried both combinations and still no result:

1. with `if' I see `incorrect' (lan ip) traffic on gif0
2. with `ip' I see only ipsec peer replies and no back divert
3. but with both options I see the same as in p.2

any further idea?

--
Zeus V. Panchenko
JID:zeus@gnu.org.ua
GMT+2 (EET)
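The 'if' versus 'ip' point Ian raises above, as an added example that is not from this thread or from FreeBSD: a small POSIX sh linter that reads the text 'ipfw nat show config' prints (here a constructed sample on stdin, so it runs without ipfw) and flags any nat instance that sets both 'if <nic>' and 'ip <addr>', or neither.

```shell
#!/bin/sh
# Added example, not the thread's or FreeBSD's own code.
# check_nat_config: reads 'ipfw nat show config' style lines on stdin,
# prints one verdict per "ipfw nat N config ..." line, and returns 1 if
# any instance sets both 'if' and 'ip' (or neither), 0 otherwise.
check_nat_config() {
    rc=0
    while read -r line; do
        case "$line" in
            "ipfw nat "*" config "*) ;;
            *) continue ;;            # skip anything that is not a config line
        esac
        set -- $line                  # intentional word splitting into tokens
        inst=$3                       # tokens: ipfw nat <N> config <options...>
        nic=''; addr=''
        shift 4
        while [ $# -gt 0 ]; do
            case "$1" in
                if) nic=${2:-};  [ $# -ge 2 ] && shift 2 || shift ;;
                ip) addr=${2:-}; [ $# -ge 2 ] && shift 2 || shift ;;
                *)  shift ;;          # log, reverse, same_ports, ... need no value here
            esac
        done
        if [ -n "$nic" ] && [ -n "$addr" ]; then
            echo "nat $inst: both if=$nic and ip=$addr set; keep one"
            rc=1
        elif [ -n "$nic" ]; then
            echo "nat $inst: alias address tracks interface $nic"
        elif [ -n "$addr" ]; then
            echo "nat $inst: fixed alias address $addr"
        else
            echo "nat $inst: no alias address configured"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample standing in for real 'ipfw nat show config' output;
# instance 200 is the both-options case Ian advises against.
SAMPLE='ipfw nat 100 config if bge1 log reverse
ipfw nat 200 config if bge1 ip 192.0.2.1 log'

printf '%s\n' "$SAMPLE" | check_nat_config || echo "review the flagged instance(s)"
```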