Re: [Ipsec-tools-devel] [Q] pf nated packets missing ipsec tunnel ... how to fix?
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
Re: [Ipsec-tools-devel] [Q] pf nated packets missing ipsec tunnel ... how to fix?
|
From: Eric M. <em...@fr...> - 2011-07-29 11:45:42
|
Zeus V Panchenko <ze...@ib...> writes:
Hi,
> i have studied it and tried all possible (for me) ... still no result
You have to nat on your internal interface (lanif)
The ipfw nat rule should be of the following form :
ipfw add nat 500 all from $lan to $peerlan
ipfw nat 500 config if $lanif ip $nated_address reverse
Packets from your lan to the peer's lan should now get rewritten with
the right source address.
You shouldn't need a gif interface, the SPD
spdadd $nated_address $peerlan any -P out ipsec \
esp/tunnel/$gw_public-$peergw_public/require;
spdadd $peerlan $nated_address any -P in ipsec \
esp/tunnel/$peergw_public-$gw_public/require;
should handle the ipsec part of the setup fine.
Regarding stacking of ipfw & pf, just load ipfw_nat.ko before pf.ko (it
seems loading them in the opposite order will lead to problems).
Sorry, all from memory so error prone, I do not operate this kind of
setup and do not have any test box available atm.
If this fails, feel free to contact freeBSD-net@ (ML) as pf & ipfw
knowledgeable persons lurk over there.
Regards
Éric Masson
--
Je suis nouvellement connecté à internet, via cybercable. Je veux
savoir si lorsque l'on reste connecté via cybercable, si on paye
plus d'électricité ou quelque chose du genre.
-+- QV - <http://www.le-gnu.net> - Mettez moi au courant SVP -+-
|