Ian,

Ian Cartwright wrote:
> As I understand it, so long as the local tunnel endpoint is the external
> interface of the local gateway, the encapsulated traffic should already
> look like it is coming from the external interface and should not be
> NATed (while the traffic inside the tunnel looks like it is coming from
> my local RFC1918 network).
Yes, the tunnel should go between the external addresses. But your NAT is
still causing a problem. Consider this packet, sent from a host on your
local network to a host behind the remote tunnel end:

    | 192.168.0.10->200.200.200.20 | Data |

When it reaches your local security gateway, there are two choices:

(1) NAT gets the packet first, in which case it will be translated into

    | 100.100.100.1->200.200.200.20 | Data |

(2) IPsec gets the packet first, in which case it will be encapsulated
    (## is the IPsec header):

    | 100.100.100.1->200.200.201.1 ## 192.168.0.10->200.200.200.20 | Data |

If the second case occurs, your current SA should already cause this to
happen.

> It is also my understanding that IPFILTER
> sees the traffic before the rest of the kernel (i.e. KAME) and may do
> the NATing before it enters the IPSec tunnel, thus munging the works
> entirely. This does not bode well.

That is your problem, I think. IPfilter goes first, and your current SA
does not match the NAT'ed packet. Try changing your SA so that the
selector matches the packet under (1) above, so the final packet would
look like

    | 100.100.100.1->200.200.201.1 ## 100.100.100.1->200.200.200.20 | Data |

This is moderately ugly, since we're using the same address in the inner
and outer header, but that's what you get for using NATs... Note that
there's a good chance that the IPsec implementation on either side will
balk at this.

> Was my original assumption correct, that as long as the tunnel is
> specified correctly in the SPD, that the routing will happen
> automagically?

Yes. Once the correct SA is in place, forwarding over the tunnel should
happen.

Lars

-- 
Lars Eggert <[EMAIL PROTECTED]>           USC Information Sciences Institute
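Added example, not part of Lars's or Ian's mail: a small Python model of the two processing orders discussed above (NAT before IPsec vs. IPsec before NAT) and of outbound SPD selector matching. The addresses are the ones used in the thread; the Packet/SPDEntry classes, the gateway() pipeline, and the prefix-based selectors are simplifications constructed here for illustration (a real NAT also rewrites ports and keeps state, and a real SPD carries protocol/port selectors and a policy level). It shows that with IPfilter's NAT running first, the original selector never matches and the packet leaves the gateway unprotected, and that a selector written for the translated source address restores encapsulation with the "same address inside and outside" result Lars describes.

```python
"""Model of NAT-vs-IPsec ordering on a security gateway (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses as used in the mail thread.
LOCAL_HOST = "192.168.0.10"      # host on the local RFC1918 network
LOCAL_NET = "192.168.0.0/24"     # prefix the NAT rewrites (assumption)
LOCAL_EXT = "100.100.100.1"      # external address of the local gateway
REMOTE_HOST = "200.200.200.20"   # host behind the remote tunnel end
REMOTE_NET = "200.200.200.0/24"  # remote protected prefix (assumption)
REMOTE_EXT = "200.200.201.1"     # external address of the remote gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set only after tunnel-mode encapsulation

    def __str__(self) -> str:
        # Same notation as the mail: "##" marks the IPsec header.
        if self.inner is None:
            return f"| {self.src}->{self.dst} | Data |"
        return f"| {self.src}->{self.dst} ## {self.inner.src}->{self.inner.dst} | Data |"


@dataclass(frozen=True)
class SPDEntry:
    """Outbound tunnel-mode policy: traffic selector plus tunnel endpoints."""
    src_sel: str
    dst_sel: str
    tunnel_src: str
    tunnel_dst: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_sel)
                and ip_address(pkt.dst) in ip_network(self.dst_sel))


def nat(pkt: Packet) -> Packet:
    """Source NAT: rewrite a private source address to the gateway's external one."""
    if ip_address(pkt.src) in ip_network(LOCAL_NET):
        return Packet(LOCAL_EXT, pkt.dst, pkt.inner)
    return pkt


def ipsec_out(pkt: Packet, spd: list[SPDEntry]) -> Packet:
    """Encapsulate on the first matching selector; with no match the packet
    leaves unprotected, which is the silent failure mode to watch for."""
    for entry in spd:
        if entry.matches(pkt):
            return Packet(entry.tunnel_src, entry.tunnel_dst, inner=pkt)
    return pkt


def gateway(pkt: Packet, spd: list[SPDEntry], nat_first: bool) -> Packet:
    """Run the NAT and IPsec stages in the given order."""
    stages = [nat, lambda p: ipsec_out(p, spd)]
    if not nat_first:
        stages.reverse()
    for stage in stages:
        pkt = stage(pkt)
    return pkt


# Original SA: selector written for the private source prefix.
ORIGINAL_SPD = [SPDEntry(LOCAL_NET, REMOTE_NET, LOCAL_EXT, REMOTE_EXT)]
# Lars's suggestion: selector written for the NAT'ed (external) source address.
ADJUSTED_SPD = [SPDEntry(LOCAL_EXT + "/32", REMOTE_NET, LOCAL_EXT, REMOTE_EXT)]


def run_cases() -> dict[str, Packet]:
    """Send one local->remote packet through each configuration of interest."""
    pkt = Packet(LOCAL_HOST, REMOTE_HOST)
    return {
        "ipsec_first_original": gateway(pkt, ORIGINAL_SPD, nat_first=False),
        "nat_first_original": gateway(pkt, ORIGINAL_SPD, nat_first=True),
        "nat_first_adjusted": gateway(pkt, ADJUSTED_SPD, nat_first=True),
    }


if __name__ == "__main__":
    for name, out in run_cases().items():
        state = "tunneled" if out.inner else "NOT tunneled (left in the clear)"
        print(f"{name:22s} {out}  -> {state}")
```

The useful check for an operator is the middle case: nothing errors out, the packet simply leaves the gateway without encapsulation, so a tunnel that "does not come up" under NAT is best diagnosed by capturing on the external interface and looking for unencapsulated traffic with the gateway's own address as source.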