I was just looking at the latest postings from the net list and was reading yours when I found this e-mail you sent directly to me.
I've had some success with IPSEC/IPFW and NATD.
The problem lies in the kernel, ipsec and ipfw ordering of where the packets flow.
What you are trying to do makes perfect sense. But the kernel is screwing you up.
I took and duplicated your problem using a 4.6.2-R machine with a LAN behind it and a 4.4-R machine.
So here lies the problem:
The outgoing packets from the LAN get nat-ed and then ipsec-ed.
The incoming packets are ipsec-ed but don't pass to natd as a regular packet, because ipsec takes place after ipfw.

I think a solution to the problem would be to have ipsec processing take place both before and after ipfw (or ipf).
Somebody else though will have to figure out how to make a custom kernel to do double ipsec processing because I'm not a C programmer.

Hope somebody can make it happen, for both of us.
- Jonathan

Charles Henrich wrote:

I've run across your postings in the FreeBSD mailing lists, and it looks like
you're trying to do what I am trying to do. I was wondering if you had solved
it? That is, I have a nat'd network, and I want packets from any host on the
inside of the network to be ESP encapsulated after nat translation to one
particular host outside the network. It looks like it works, kinda. Packets
hit the gateway, are nat'd, are ESP encapsulated, and sent on their merry way.
Racoon even does a proper key exchange. On the return path however, the
packet is unencapsulated, but nat seems to refuse to reverse the natting?
Were you able to solve this problem?

Thanks for any advice!

-Crh

Charles Henrich Eon Entertainment [EMAIL PROTECTED]

http://www.sigbus.com/~henrich

