> > I have a network/firewall where I want to NAT an entire network. However,
> > I also want NAT traffic to one remote host in particular out on the
> > internet to be IPsec'd as well.
> >
> > [A] (10.x) [B] (Nat) [C] (Real IP)
>
> There was a thread on -hackers named "VPN Routing through gif(4) tunnel" a
> few weeks ago that dealt with a very similar issue.
I've looked through those, and it doesn't quite seem to apply? What I'm doing is transport mode ESP between my NAT gateway and the remote host. This works properly. In my firewall rules I have:

  allow esp packets to and from remote host
  divert to nat

Now from host A, if I try a connection to IP C, then on the gateway I see racoon fire up and establish a working IPsec path between B & C. Further, it looks like it properly encapsulates the packets and forwards them on to host C, which appears to properly respond to them. On host B, they are unencrypted and for some reason they do not make a path into natd for un-natting. The nat daemon does not log any rejections of the packet; however, in my kernel log I see a

  Oct 17 17:23:51 dmz /kernel: Connection attempt to TCP B:3283 from C:22

Is the ESP mucking with the in/out interface perhaps? If I'm logged into host B, I can connect to host C successfully using the transport mode connection, no problem. It's just this last little bit of natd not processing the packets. I'm thinking I'm doing something silly, but I can't see what.

-Crh

Charles Henrich [EMAIL PROTECTED] http://www.sigbus.com/~henrich
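The packet flow the post describes (outbound: A's packet is NATted to B, then ESP-protected towards C; inbound: C's ESP reply is decrypted on B and must then be un-NATted back to A) is easier to reason about with the two passes written out. The following is an added model, not code from the post or from FreeBSD's natd/ipfw; the addresses, the initial NAT port (3283, chosen only so the inbound case matches the logged message) and the `Natd` class are constructed stand-ins. It does not diagnose the poster's gateway; it only makes visible that when the decrypted reply is not handed back to the NAT step, it stays addressed to B's own port, which is exactly what a kernel line like `Connection attempt to TCP B:3283 from C:22` reports.

```python
"""Model of NAT + transport-mode ESP ordering on gateway B.

Added illustration for the thread above, not the poster's configuration.
All hosts, ports and the NAT table below are constructed sample values.
"""

from dataclasses import dataclass, replace

# Constructed addresses standing in for [A] (10.x), [B] (NAT gateway, public
# side) and [C] (real IP). The real addresses are not in the post.
HOST_A = "10.0.0.5"
HOST_B = "192.0.2.1"      # assumed public address of the NAT gateway
HOST_C = "198.51.100.9"   # assumed address of the remote IPsec peer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    esp: bool = False  # True while the payload is ESP-encapsulated


class Natd:
    """Minimal stand-in for natd: rewrites the private source to B's address
    and records the mapping so the reply can be translated back to A."""

    def __init__(self, public_ip, first_port=3283):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # public port -> (private ip, private port)

    def outbound(self, pkt):
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        # None when the packet is not for B or its port has no NAT mapping.
        mapping = self.table.get(pkt.dport)
        if pkt.dst != self.public_ip or mapping is None:
            return None
        priv_ip, priv_port = mapping
        return replace(pkt, dst=priv_ip, dport=priv_port)


def esp_encapsulate(pkt):
    return replace(pkt, esp=True)


def esp_decapsulate(pkt):
    return replace(pkt, esp=False)


def gateway_outbound(natd, pkt):
    """Outbound on B: divert to natd first, then ESP for traffic to C."""
    translated = natd.outbound(pkt)
    if translated.dst == HOST_C:
        return esp_encapsulate(translated)
    return translated


def gateway_inbound(natd, pkt, renat_after_esp):
    """Inbound on B: ESP decapsulation, then optionally a second pass through
    the NAT step. Returns ("forward", pkt) when the reply is un-NATted to A,
    or ("local", pkt) when the clear-text reply stays addressed to B itself,
    i.e. the situation a 'Connection attempt to TCP B:<port>' log describes."""
    clear = esp_decapsulate(pkt) if pkt.esp else pkt
    if not renat_after_esp:
        return ("local", clear)
    back = natd.inbound(clear)
    if back is None:
        return ("local", clear)
    return ("forward", back)


def simulate(renat_after_esp):
    """Run one A -> C connection attempt and C's reply through gateway B."""
    natd = Natd(HOST_B)
    out = gateway_outbound(natd, Packet(HOST_A, 51000, HOST_C, 22))
    reply = Packet(HOST_C, 22, out.src, out.sport, esp=True)
    return out, gateway_inbound(natd, reply, renat_after_esp)


if __name__ == "__main__":
    for flag in (False, True):
        out, (verdict, pkt) = simulate(flag)
        print(f"re-NAT after ESP={flag}: outbound {out} -> inbound {verdict} {pkt}")
```

Running it prints both variants: without the second NAT pass the decrypted reply is `C:22 -> B:3283`, delivered to B's own TCP stack where nothing listens; with it, the same reply is translated back to `A:51000` and forwarded.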