Date: Mon, 11 Sep 2006 15:09:19 +0200
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-net@freebsd.org
Subject: Re: NAT+IPSEC toubles
Message-ID: <20060911130919.GA23541@zen.inc>
In-Reply-To: <450536E9.2010106@ispinfo.fr>
References: <450536E9.2010106@ispinfo.fr>
On Mon, Sep 11, 2006 at 12:14:01PM +0200, Administrators wrote:
> Hi,

Hi.

> I'm building VPN connected to CISCO device.
>
> I NEED to translate my LAN address to a given address.
>
> The VPN works well when I try doing
> ifconfig em0 alias _given_@_
> ping -S _given_@_ dest_@
>
> but I didn't manage to translate LAN address AND having VPN used.
>
> I can pass through VPN using actual address but the CISCO endpoint drops it
> or I translate, but packets didn't go in the VPN.
>
> Any idea ?

The IPSec stack is hooked before NAT process (AFAIK), so it is not
possible to do that on a single box.

It is still possible to do what you want, but you'll have to revert
IPSec and NAT part in ip_input / ip_output sources.

If lots of people are interested in that, I can add "doing a NAT/VPN
order patch" to my TODO list...

Yvan.

--
NETASQ
http://www.netasq.com
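
A small model of the stage ordering described in the reply above, as an added example that is not part of the original message and is not FreeBSD code. The addresses (documentation ranges), the stage functions and the peer check are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False  # True once the IPsec stage has encapsulated it

# Constructed values, not taken from the thread.
LAN = ipaddress.ip_network("192.0.2.0/24")          # real LAN behind the box
GIVEN = "198.51.100.10"                              # address the peer expects
GIVEN_NET = ipaddress.ip_network(GIVEN + "/32")
REMOTE = ipaddress.ip_network("203.0.113.0/24")     # network behind the peer

def nat(pkt):
    """Source-NAT LAN hosts to GIVEN; an ESP packet hides its inner header."""
    if not pkt.esp and ipaddress.ip_address(pkt.src) in LAN:
        return replace(pkt, src=GIVEN)
    return pkt

def make_ipsec(selector_src):
    """IPsec stage with one policy: selector_src -> REMOTE must be tunnelled."""
    def ipsec(pkt):
        if (ipaddress.ip_address(pkt.src) in selector_src
                and ipaddress.ip_address(pkt.dst) in REMOTE):
            return replace(pkt, esp=True)
        return pkt
    return ipsec

def send(pkt, stages):
    for stage in stages:  # stages run in list order, like hooks on output
        pkt = stage(pkt)
    return pkt

def peer_accepts(pkt):
    """Assumed peer policy: only tunnelled traffic sourced from GIVEN."""
    return pkt.esp and pkt.src == GIVEN

def outcomes():
    lan_pkt = Packet("192.0.2.5", "203.0.113.7")
    alias_pkt = Packet(GIVEN, "203.0.113.7")  # like ping -S from the alias
    cases = {
        "ipsec_then_nat_policy_on_lan": (lan_pkt, [make_ipsec(LAN), nat]),
        "ipsec_then_nat_policy_on_given": (lan_pkt, [make_ipsec(GIVEN_NET), nat]),
        "alias_source_no_nat_needed": (alias_pkt, [make_ipsec(GIVEN_NET), nat]),
        "nat_then_ipsec_policy_on_given": (lan_pkt, [nat, make_ipsec(GIVEN_NET)]),
    }
    return {name: peer_accepts(send(p, s)) for name, (p, s) in cases.items()}

if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name}: {'accepted' if ok else 'dropped or sent in clear'}")
```

The first two cases correspond to the two failures reported in the quoted question, the third to the working alias test, and the fourth to the reversed order the reply proposes.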