Re: IPSec, nat on enc device
Hi all.

On Mon, Oct 19, 2009 at 05:32:14PM +0200, Eric Masson wrote:
[]
> I know ;) I'll bug them regarding ${suject} as well (some ipsec-tools
> devs lurk there too)

Do you think so ? :-D

> I'm not sure that pf & ipsec stack already support this feature. Maybe
> bz@ or vanhu@ will shed a light on this point.

This is a way to do that, but it needs some stuff on both kernel and userland to be implemented that way.

Another way to have this feature is to implement what we call "NAT before VPN": you can configure your kernel (or do it for specific NAT rules if you want to do a more flexible implementation) to do NAT process before doing IPsec stuff.

Then, you just write your NAT rules to move local/remote traffic endpoints to distinct networks, and IPsec (both in kernel and userland) will just have to deal with those NATed networks.

OpenBSD's way of doing things seems interesting while reading very quickly your link, I'll have to take some more time to really see exactly what they are doing.

Yvan.

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: kern/146190: [ipsec][patch] NAT traversal does not work in transport mode
Synopsis: [ipsec][patch] NAT traversal does not work in transport mode

Responsible-Changed-From-To: freebsd-net->vanhu
Responsible-Changed-By: vanhu
Responsible-Changed-When: Mon May 3 07:57:47 UTC 2010
Responsible-Changed-Why:
Taking it, I'll also handle userland (racoon) part.

http://www.freebsd.org/cgi/query-pr.cgi?pr=146190

Re: kern/124609: [ipsec] [panic] ipsec 'remainder too big' panic with ping -s 3989
Synopsis: [ipsec] [panic] ipsec 'remainder too big' panic with ping -s 3989

Responsible-Changed-From-To: freebsd-net->vanhu
Responsible-Changed-By: vanhu
Responsible-Changed-When: Fri Dec 26 21:42:15 UTC 2008
Responsible-Changed-Why:
We are currently tracking down the same problem.

http://www.freebsd.org/cgi/query-pr.cgi?pr=124609

Re: kern/129904: [vlan] [panic] kernel crash in "ifconfig destroy"
Synopsis: [vlan] [panic] kernel crash in "ifconfig destroy"

State-Changed-From-To: open->feedback
State-Changed-By: vanhu
State-Changed-When: Wed Dec 31 15:38:46 UTC 2008
State-Changed-Why:
Your problem seems to be the same as described in kern/126850. It has been fixed in TRUNK by jfv@ and I MFCed it for FreeBSD 7.1-RC2. Please try again with RC2 and confirm to us that it also fixes your issue.

Responsible-Changed-From-To: freebsd-net->vanhu
Responsible-Changed-By: vanhu
Responsible-Changed-When: Wed Dec 31 15:38:46 UTC 2008
Responsible-Changed-Why:
Your problem seems to be the same as described in kern/126850. It has been fixed in TRUNK by jfv@ and I MFCed it for FreeBSD 7.1-RC2. Please try again with RC2 and confirm to us that it also fixes your issue.

http://www.freebsd.org/cgi/query-pr.cgi?pr=129904

Re: kern/88336: [ipsec] [patch] setkey(8) -D fails to report all SAs
Synopsis: [ipsec] [patch] setkey(8) -D fails to report all SAs

Responsible-Changed-From-To: freebsd-net->vanhu
Responsible-Changed-By: vanhu
Responsible-Changed-When: Tue Feb 10 08:39:39 UTC 2009
Responsible-Changed-Why:
Already working on the problem for ipsec-tools, on which a similar patch has been added as a first workaround.

http://www.freebsd.org/cgi/query-pr.cgi?pr=88336