Re: [Ipsec-tools-devel] [Q] pf nated packets missing ipsec tunnel ... how to fix?
From: Eric M. <em...@fr...> - 2011-07-29 11:45:42
Zeus V Panchenko <ze...@ib...> writes:

Hi,

> i have studied it and tried all possible (for me) ... still no result

You have to nat on your internal interface (lanif).

The ipfw nat rule should be of the following form:

ipfw add nat 500 all from $lan to $peerlan
ipfw nat 500 config if $lanif ip $nated_address reverse

Packets from your lan to the peer's lan should now get rewritten with the right source address.

You shouldn't need a gif interface; the SPD

spdadd $nated_address $peerlan any -P out ipsec \
    esp/tunnel/$gw_public-$peergw_public/require;
spdadd $peerlan $nated_address any -P in ipsec \
    esp/tunnel/$peergw_public-$gw_public/require;

should handle the ipsec part of the setup fine.

Regarding stacking of ipfw & pf, just load ipfw_nat.ko before pf.ko (it seems loading them in the opposite order will lead to problems).

Sorry, all from memory so error prone; I do not operate this kind of setup and do not have any test box available atm.

If this fails, feel free to contact freeBSD-net@ (ML) as pf & ipfw knowledgeable persons lurk over there.

Regards

Éric Masson

--
I am newly connected to the internet, via cybercable. I want to know whether, when you stay connected via cybercable, you pay more for electricity or something like that.
-+- QV - <http://www.le-gnu.net> - Keep me informed, please -+-
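As an added example (not from Éric's message), the setup he describes as a small sh script: it renders the ipfw nat rules and the setkey SPD entries from site variables, and checks kldstat-style output for the ipfw_nat-before-pf load order he mentions. All addresses, the interface name and the kldstat sample are constructed placeholders.

```shell
#!/bin/sh
# Site variables (constructed placeholders from the TEST-NET ranges).
LAN="192.0.2.0/24"            # our internal network
PEERLAN="198.51.100.0/24"     # peer's internal network
LANIF="em1"                   # our internal interface (lanif in the post)
NATED="203.0.113.10"          # source address the peer expects from us
GW_PUBLIC="203.0.113.1"       # our IPsec gateway address
PEERGW_PUBLIC="203.0.113.200" # peer's IPsec gateway address

# ipfw lines from the post: LAN->peer traffic goes through nat instance 500,
# bound to the internal interface and rewriting the source to $NATED.
render_ipfw_nat() {
    printf 'ipfw add nat 500 all from %s to %s\n' "$LAN" "$PEERLAN"
    printf 'ipfw nat 500 config if %s ip %s reverse\n' "$LANIF" "$NATED"
}

# setkey SPD entries keyed on the NATed address, so no gif interface is needed.
render_spd() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$NATED" "$PEERLAN" "$GW_PUBLIC" "$PEERGW_PUBLIC"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$PEERLAN" "$NATED" "$PEERGW_PUBLIC" "$GW_PUBLIC"
}

# Read kldstat output from stdin and require ipfw_nat.ko to have a lower
# Id (loaded earlier) than pf.ko. Exit 0 if ok, 1 if pf loaded first,
# 2 if either module is missing.
check_kld_order() {
    awk '$NF == "ipfw_nat.ko" { nat = $1 }
         $NF == "pf.ko"       { pf  = $1 }
         END {
             if (nat == "" || pf == "") exit 2
             exit (nat + 0 < pf + 0) ? 0 : 1
         }'
}

# Constructed kldstat samples: correct order and the problematic reverse order.
SAMPLE_GOOD='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1a2b3c0  kernel
 2    1 0xffffffff81e00000 8000     ipfw.ko
 3    1 0xffffffff81e10000 3000     ipfw_nat.ko
 4    1 0xffffffff81e20000 40000    pf.ko'
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/ipfw_nat.ko/TMP/; s/pf.ko/ipfw_nat.ko/; s/TMP/pf.ko/')

render_ipfw_nat
render_spd
if printf '%s\n' "$SAMPLE_GOOD" | check_kld_order; then echo "module order OK"; fi
```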