Date: Thu, 17 Oct 2002 17:29:05 -0700
From: Charles Henrich <henrich@sigbus.com>
To: Lars Eggert <larse@ISI.EDU>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <20021017172905.A91625@sigbus.com>
In-Reply-To: <3DAF509C.6030002@isi.edu>; from larse@ISI.EDU on Thu, Oct 17, 2002 at 05:06:52PM -0700
References: <20021017162243.B89519@sigbus.com> <3DAF509C.6030002@isi.edu>
> > I have a network/firewall where I want to NAT an entire network. However,
> > I also want NAT traffic to one remote host in particular out on the
> > internet to be IPsec'd as well.
> >
> > [A] (10.x) [B] (NAT) [C] (Real IP)
>
> There was a thread on -hackers named "VPN Routing through gif (4) tunnel" a
> few weeks ago that dealt with a very similar issue.

I've looked through those, and it doesn't quite seem to apply? What I'm doing is transport mode ESP between my NAT gateway and the remote host. This works properly. In my firewall rules I have:

  allow esp packets to and from remote host
  divert to nat

Now from host A, if I try a connection to IP C, then on the gateway I see racoon fire up and establish a working IPsec path between B & C. Further, it looks like it properly encapsulates the packets and forwards them on to host C, which appears to properly respond to them. On host B, they are unencrypted and for some reason they do not make a path into natd for un-natting. The NAT daemon does not log any rejections of the packet; however, in my kernel log I see:

  Oct 17 17:23:51 dmz /kernel: Connection attempt to TCP B:3283 from C:22

Is the ESP mucking with the in/out interface perhaps? If I'm logged into host B, I can connect to host C successfully using the transport mode connection no problem. It's just this last little bit of natd not processing the packets. I'm thinking I'm doing something silly, but I can't see what.

-Crh

Charles Henrich  henrich@msu.edu  http://www.sigbus.com/~henrich
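As an added illustration (not part of the original thread, and not a fix the thread proposes), the setup described in the message above written out as concrete configuration for a FreeBSD 4.x-era gateway. All addresses and the interface name are hypothetical: B is the NAT gateway at 203.0.113.1 on fxp0, C is the remote host at 198.51.100.1, and the inside network behind A is 10.0.0.0/8. The two `count` rules are the check a practitioner would add to answer the question the message leaves open: whether the decrypted inner TCP packet traverses ipfw (and therefore the `divert` rule that feeds natd) at all after ESP processing.

```conf
# /etc/ipsec.conf (loaded by setkey via ipsec_enable in rc.conf)
# Transport-mode ESP between gateway B and remote host C only.
# Hypothetical addresses: B = 203.0.113.1, C = 198.51.100.1.
spdadd 203.0.113.1/32 198.51.100.1/32 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 203.0.113.1/32 any -P in  ipsec esp/transport//require;

# /etc/rc.firewall.local (sourced by rc.firewall; interface fxp0 is hypothetical)
# Let the ESP packets themselves in and out; racoon's IKE traffic is UDP/500.
ipfw add 100 allow udp from 203.0.113.1 500 to 198.51.100.1 500
ipfw add 101 allow udp from 198.51.100.1 500 to 203.0.113.1 500
ipfw add 110 allow esp from 203.0.113.1 to 198.51.100.1
ipfw add 111 allow esp from 198.51.100.1 to 203.0.113.1

# Diagnostic counters: does the plaintext TCP from C ever pass through ipfw?
# Compare these against the ESP counters on rules 110/111 after a test
# connection from A; `ipfw show 200 201` prints packet/byte counts per rule.
ipfw add 200 count tcp from 198.51.100.1 to 203.0.113.1 in  via fxp0
ipfw add 201 count tcp from 10.0.0.0/8  to 198.51.100.1 out via fxp0

# Hand everything crossing the outside interface to natd (divert port "natd"
# is 8668 in /etc/services; natd is started with `natd -interface fxp0 -verbose`
# so rejections are logged to the terminal).
ipfw add 300 divert natd ip from any to any via fxp0

ipfw add 65000 allow ip from any to any
```

Reading the counters: if rule 111 increments for every reply from C but rule 200 stays at zero while natd logs nothing, the inner TCP segment is not being run through ipfw after ESP decapsulation, so the divert rule never has a chance to send it to natd; if rule 200 does increment, the problem lies in natd's own translation table rather than in the packet path. Either answer narrows the search considerably before touching the IPsec policy.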