Date: Fri, 18 Oct 2002 11:46:46 -0700
From: Jonathan Feally <vulture@consult-scs.com>
To: Charles Henrich <henrich@sigbus.com>, freebsd-net@freebsd.org
Subject: Re: IPSEC/NAT issues
Message-ID: <3DB05716.8080806@consult-scs.com>
References: <20021017162243.B89519@sigbus.com>
As I think about it, it isn't IPSEC that needs to process twice, once before and once after ipfw. It's the other way around. IPFW should first allow the ESP packets into the machine, then IPSEC extracts the secured packet, and then IPFW will process the normal packet again, thus allowing the divert to natd to actually receive the non-IPsec version of the packet.

I did some poking around with the kernel code last night, but can't seem to figure out where to cause a packet that was received as IPSEC to go back through ipfw. I'll keep trying. The files I've been looking through are sys/netinet/ip_input.c and sys/netinet/ip_output.c.

Charles Henrich wrote:
> I apologize for not CC'ing originally!
>
> I have a network/firewall where I want to nat an entire network. However, I
> also want nat traffic to one remote host in particular out on the internet to
> be IPsec'd as well.
>
> [A] (10.x) [B] (Nat) [C] (Real IP)
>
> I've setup IPsec on both machines, and from either machine (B,C) I can ssh to
> the other, with ipsec packets all happening happy as a clam. However if I try a
> connection from behind the nat box to the remote host (A,C) the key exchange
> works fine (between B&C), but then no data flows back and forth. Anyone have
> any suggestions on this? Thanks!
>
> -Crh
>
> Charles Henrich henrich@msu.edu
> http://www.sigbus.com/~henrich
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
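A constructed Python model of the packet path described in the reply above (added here; it is not code from the thread or from FreeBSD). It assumes placeholder addresses for A, B and C and a single natd translation entry, and shows why the decapsulated packet has to traverse ipfw a second time before the divert rule, and therefore natd, can see it:

```python
"""Constructed model of the ipfw / IPsec / natd ordering discussed above.
Illustrative Python only, not FreeBSD kernel code. Addresses are placeholders:
A (internal host behind NAT), B (NAT + IPsec gateway), C (remote host)."""
from dataclasses import dataclass, field
from typing import List, Optional

A, B, C = "10.0.0.5", "192.0.2.1", "198.51.100.7"  # constructed addresses


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                           # "esp" or "tcp"
    inner: Optional["Packet"] = None     # ESP payload, visible after decapsulation
    path: List[str] = field(default_factory=list)


# Translation natd created when A's outbound TCP to C was masqueraded as B.
NAT_TABLE = {("tcp", C, B): A}


def ipfw_pass(pkt: Packet) -> str:
    """One ipfw traversal: 'allow esp', then 'divert natd ip from any to any'."""
    pkt.path.append("ipfw")
    if pkt.proto == "esp":
        return "allow"                   # ESP is passed straight on to IPsec
    internal = NAT_TABLE.get((pkt.proto, pkt.src, pkt.dst))
    if internal is not None:             # natd rewrites dst B -> A
        pkt.dst = internal
        pkt.path.append("natd")
    return "allow"


def reply_from_C(reinject_after_ipsec: bool):
    """C's ESP-wrapped reply arrives at B. Returns (final dst, processing path)."""
    inner = Packet(src=C, dst=B, proto="tcp")
    esp = Packet(src=C, dst=B, proto="esp", inner=inner)
    ipfw_pass(esp)                       # first ipfw pass sees only the ESP packet
    inner.path = esp.path + ["ipsec-decap"]
    if reinject_after_ipsec:
        ipfw_pass(inner)                 # second pass: divert/natd sees the clear packet
    return inner.dst, inner.path
```

Without the second pass the clear-text reply keeps B as its destination and is delivered to the gateway itself, so A never receives it; with the second pass natd translates it back to A.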