On Thu, 17 Oct 2002, Jonathan Feally wrote:

> I think a solution to the problem would be to have ipsec processing take
> place both before and after ipfw (or ipf).
> Somebody else though will have to figure out how to make a custom kernel
> to do double ipsec processing because I'm not a C programmer.
>
> Hope somebody can make it happen, for both of us.
> - Jonathan
>
> Charles Henrich wrote:
>
> > I've run across your postings in the FreeBSD mailing lists, and it looks like
> > you're trying to do what I am trying to do. I was wondering if you had solved
> > it? That is, I have a nat'd network, and I want packets from any host on the
> > inside of the network to be ESP encapsulated after nat translation to one
> > particular host outside the network. It looks like it works, kinda. Packets
> > hit the gateway, are nat'd, are ESP encapsulated, and sent on their merry way.
> > Racoon even does a proper key exchange. On the return path however, the
> > packet is unencapsulated, but nat seems to refuse to reverse the natting?
> > Were you able to solve this problem?
> >
> > Thanks for any advice!
I don't let IPSEC packets be processed by natd through the divert socket; in fact I use ipfw skipto rules:

00100 skipto 65535 ip from 66.80.117.2 to 64.14.48.150
00200 skipto 65535 ip from 64.14.48.150 to 66.80.117.2
00300 skipto 65535 ip from 10.80.116.0/23 to 10.0.0.0/24
00400 skipto 65535 ip from 10.0.0.0/24 to 10.80.116.0/23
00500 divert 8668 ip from any to any via fxp0
65535 allow ip from any to any

It works well.

-Trish

--
Trish Lynch [EMAIL PROTECTED]
Ecartis Core Team [EMAIL PROTECTED]
EFNet IRC Oper @ efnet.dkom.at AilleCat@EFNet
UNIXNet IRC Admin @ femme.ipv6.sapphite.org AilleCat@UNIXNet
Key fingerprint = C44E 8E63 6E3C 18BD 608F E004 9DC7 C2E9 0E24 DFBD
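The reason Trish's ruleset works is ipfw's first-match walk: a packet between the IPsec peers, or between the two private subnets carried inside the tunnel, hits a skipto rule before it can reach the divert rule, so natd never sees it and never tries to translate (or un-translate) it; everything else still falls through to rule 500 and gets NATted. The following Python model, added here as an illustration and not code from the thread, from ipfw or from natd, reproduces that walk over the exact rules quoted above. The packet addresses 10.0.0.5, 10.80.116.7 and 203.0.113.9 are constructed sample values, and reordered_divert_first() is a hypothetical helper that renumbers the divert rule ahead of the skiptos to show what goes wrong when the ordering is inverted.

```python
import ipaddress

# Constructed model of ipfw first-match evaluation (not FreeBSD code).
# Each rule: (number, action, argument, src pattern, dst pattern, interface or None)
# This is Trish's ruleset from the post, transcribed as data.
RULES = [
    (100,   "skipto", 65535, "66.80.117.2",    "64.14.48.150",   None),
    (200,   "skipto", 65535, "64.14.48.150",   "66.80.117.2",    None),
    (300,   "skipto", 65535, "10.80.116.0/23", "10.0.0.0/24",    None),
    (400,   "skipto", 65535, "10.0.0.0/24",    "10.80.116.0/23", None),
    (500,   "divert", 8668,  "any",            "any",            "fxp0"),
    (65535, "allow",  None,  "any",            "any",            None),
]


def _addr_matches(pattern, addr):
    """'any' matches everything; otherwise host/CIDR containment."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, src, dst, iface="fxp0"):
    """Walk the ruleset like ipfw: first matching rule decides.

    Returns (terminal_action, [numbers of the rules that matched on the way]).
    'skipto N' resumes the walk at the first rule numbered >= N, which is how
    the IPsec traffic jumps over the divert rule without being handed to natd.
    """
    rules = sorted(rules, key=lambda r: r[0])
    i, path = 0, []
    while i < len(rules):
        num, action, arg, s, d, via = rules[i]
        if (via is None or via == iface) and _addr_matches(s, src) and _addr_matches(d, dst):
            path.append(num)
            if action == "skipto":
                i = next(j for j, r in enumerate(rules) if r[0] >= arg)
                continue
            return action, path
        i += 1
    return "deny", path  # ipfw's implicit default when nothing matched


def natd_sees(rules, src, dst, iface="fxp0"):
    """True if this packet would be delivered to natd's divert socket."""
    return evaluate(rules, src, dst, iface)[0] == "divert"


def reordered_divert_first(rules):
    """Hypothetical misconfiguration: the divert rule renumbered to 50, ahead of the skiptos."""
    return [(50 if n == 500 else n, a, g, s, d, v) for n, a, g, s, d, v in rules]


if __name__ == "__main__":
    # ESP return packet from the remote peer: bypasses natd via rule 200.
    print(evaluate(RULES, "64.14.48.150", "66.80.117.2"))
    # Inner tunnel traffic between the private subnets: bypasses natd via rule 400.
    print(evaluate(RULES, "10.0.0.5", "10.80.116.7"))
    # Ordinary outbound traffic to an unrelated host: diverted to natd as intended.
    print(evaluate(RULES, "10.0.0.5", "203.0.113.9"))
    # With divert first, the peer's ESP packet would be handed to natd.
    print(natd_sees(reordered_divert_first(RULES), "64.14.48.150", "66.80.117.2"))
```

The check worth keeping in mind is the last one: the skipto rules only protect the IPsec traffic because their numbers are lower than the divert rule's, and the divert rule is also limited to fxp0, so traffic on other interfaces never reaches natd at all.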