IPFW should first allow the ESP packets into the machine, then IPSEC extracts the secured packet, and then IPFW will process the normal packet again, thus allowing the divert to natd to actually receive the non-ipsec version of the packet.
I did some poking around with the kernel code last night, but can't seem to figure out where to cause a packet that was received as IPSEC to go back through ipfw. I'll keep trying.
The files I've been looking through are sys/netinet/ip_input.c and sys/netinet/ip_output.c
Charles Henrich wrote:
I apologize for not CC'ing originally!
I have a network/firewall where I want to nat an entire network. However, I
also want nat traffic to one remote host in particular out on the internet to
be IPsec'd as well.
[A] (10.x) [B] (Nat) [C] (Real IP)
I've set up IPsec on both machines, and from either machine (B,C) I can ssh to
the other, with ipsec packets all happening happy as a clam. However, if I try a
connection from behind the nat box to the remote host (A,C) the key exchange
works fine (between B&C), but then no data flows back and forth. Anyone have
any suggestions on this? Thanks!
-Crh
Charles Henrich [EMAIL PROTECTED]
http://www.sigbus.com/~henrich
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message