Date: Mon, 16 Jan 2006 13:16:09 +0100
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: Przemyslaw Szczygielski <qus2@o2.pl>
Cc: freebsd-net@freebsd.org
Subject: Re: NAT over IPSECed WLAN
Message-ID: <20060116121609.GA2769@zeninc.net>
In-Reply-To: <20060116101332.8258821401E@rekin14.go2.pl>
References: <20060116101332.8258821401E@rekin14.go2.pl>
On Mon, Jan 16, 2006 at 11:13:32AM +0100, Przemyslaw Szczygielski wrote:
> Well, for me the config is so complex, that I doubt anyone will
> waste time on going into my config files, but, well... There's
> always hope...

This is not the first time I have seen such configuration requests, and that's why I suggested you ask on a public ML, because the answers will also be available to others.

[....]

> So to make it short: IPSEC working = no NAT. IPSEC off = NAT working.
>
> I have attached my config files: ipsec.conf, natd.conf, racoon.conf
> and rc.firewall.rules (please don't ask me why I have ssh on 5901...)

Unfortunately, your configuration attachments were filtered. But could you send ("inline" in the mail) at least your SPD configuration?

For what you want, you should have a configuration like:

    spdadd <xp> 0/0 out ESP/tunnel/xp-FreeBSD gate/require

("pseudo setkey" syntax, seen from the XP host; an incoming entry is also required, which is the reverse).

The important points are "ESP", "tunnel" and "0/0" as the remote traffic endpoint.

On the BSD side, you can have the reversed SPD entries, or use racoon's generate-policy feature.

Is that what you have?

Another way of doing things is to use IPSec transport+L2TP, which can look simpler from Windows' side, but which I think is more complex in fact (another encapsulation level).

> If you can tell me, what went wrong I'd be very grateful. And I will
> surely write a detailed HOWTO for future generations... ;-)

Would be welcome, perhaps in FreeBSD's docs, and at least on the ipsec-tools website!

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
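As an added illustration (not part of the thread above and not Yvan's or the poster's configuration), here is what the "reversed" SPD entries on the FreeBSD gateway side of that pseudo line look like in real setkey syntax, as they would be loaded from ipsec.conf with `setkey -f`. The addresses are constructed placeholders: XP client 10.0.0.10, FreeBSD gateway 10.0.0.1.

```conf
# Constructed example addresses: XP client 10.0.0.10, FreeBSD gateway 10.0.0.1.
flush;
spdflush;

# Inbound: anything the XP client sends, to any destination (the "0/0"
# remote endpoint), must arrive inside an ESP tunnel from the client
# to the gateway. This is the mirror of the "out" entry on the XP host.
spdadd 10.0.0.10/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;

# Outbound: replies from any source back to the XP client must leave
# inside the reverse ESP tunnel, gateway to client.
spdadd 0.0.0.0/0 10.0.0.10/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;
```

With "require" on both entries, cleartext packets matching these selectors are dropped rather than forwarded, which is the behaviour you want on a WLAN; the NAT rule then has to apply to the decapsulated client traffic on the outbound interface, not to the ESP packets themselves.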