Date: Fri, 18 Oct 2002 00:39:49 -0700 (PDT)
From: "Andrew P. Lentvorski" <bsder@mail.allcaps.org>
To: Charles Henrich <henrich@sigbus.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <20021018002729.T66900-100000@mail.allcaps.org>
In-Reply-To: <20021017162243.B89519@sigbus.com>
You cannot NAT an IPSEC packet. NAT rewrites the IP headers and the packet will get rejected when it reaches the other IPSEC node.

You can create forwarding rules which NAT packets destined for other hosts and leave the IPSEC packets alone. You'll have to create an ipfw ruleset.

You also probably need to understand the difference between tunnel mode and transport mode in IPSEC. Transport mode is host-to-host. Tunnel mode is network-to-network. (I may have those two backwards.) You are trying to do a hybrid; I don't think that is allowed in IPSEC.

One of the hardest things for me to get used to in IPSEC was the fact that two machines could actually not talk to one another normally, but could create an IPSEC tunnel. Also, two machines that could actually talk to one another was not sufficient to guarantee that they could set up a tunnel.

Good luck,
-a

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
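The ruleset the reply describes, as an added example that is not part of the original thread: IPsec protocol traffic (ESP, AH and IKE on UDP 500) is matched by low-numbered allow rules so it never reaches the natd divert rule, while everything else on the outside interface is still NATed. The interface name and rule numbers are assumptions; the gateway running both ipfw and natd is assumed to be the IPsec endpoint.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipfw ruleset that keeps
# natd away from IPsec packets. "fxp0" is an assumed outside interface name.
ext_if="${EXT_IF:-fxp0}"

# Print the rules in evaluation order. ipfw matches by ascending rule number,
# so the IPsec rules (200-220) are hit before the divert rule (300) and those
# packets are never handed to natd for header rewriting.
ipsec_nat_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow esp from any to any via ${ext_if}
add 210 allow ah from any to any via ${ext_if}
add 220 allow udp from any 500 to any 500 via ${ext_if}
add 300 divert natd ip from any to any via ${ext_if}
add 65000 allow ip from any to any
EOF
}

# Rule number of the first rule whose text matches the given pattern;
# used to check that IPsec rules sort before the divert rule.
rule_number() {
    ipsec_nat_rules | awk -v pat="$1" '$0 ~ pat { print $2; exit }'
}

# Only touch the live firewall when explicitly asked; default is a dry run.
if [ "${1:-}" = "apply" ]; then
    ipfw -f flush
    ipsec_nat_rules | while read -r line; do
        ipfw -q $line
    done
else
    ipsec_nat_rules
fi
```

Run the script without arguments to review the generated rules, and with `apply` on the FreeBSD gateway to load them.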