tcpdump and ipsec

Kelly Yancey kbyanc at posi.net
Mon Apr 17 23:42:54 UTC 2006


On Mon, 17 Apr 2006, Bjoern A. Zeeb wrote:

> On Thu, 13 Apr 2006, Kelly Yancey wrote:
>
> > I'm curious: how are you performing NAT on your tunnelled traffic?
>
> the answer is simple: do not NAT on the ipsec interface though it's
> not fully correct because I do even NAT traffic that goes like:
>
> A ---- lan1(ipsec only) --- gw(NAT) --- lan2(ipsec only) ---- B
>
> [ipsec only == esp and ike allowed]
>
> so the better explanation perhaps is:
> do not nat on the ipsec interface of the outgoing direction.
>

  "When all you have is a hammer, everything looks like a nail" :)

  In our case, we couldn't use that hack because we have multiple
interfaces, each with its own NAT config.  We have to run natd on the
interface that the traffic is traversing.  With the enc interface, we
can handle packets inside the tunnel separately from the tunnel traffic
itself without resorting to gymnastics.
  If I had time I'd integrate PR 94829 myself, but it looks like I'm
going to have my hands full for a couple of months. :|  We'll see if
anyone else picks it up in the meantime...

  Kelly

-- 
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly at nttmcl.com
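The setup Kelly describes above (natd on the interface the traffic actually traverses, with the decapsulated IPsec packets filtered separately on the enc interface) can be expressed as an ipfw ruleset. The following script is an added illustration, not code from the thread or from FreeBSD itself; it assumes a FreeBSD box with IPsec, the enc(4) interface and natd already running on the outer interface. The interface name em0, the rule numbers and the 10.0.0.0/8 network are constructed placeholders, and the `IPFW` variable exists only so the rules can be printed (`IPFW=echo`) instead of loaded.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: NAT only the cleartext
# traffic on the outer interface, and let traffic inside the IPsec tunnel
# (visible on enc0) bypass natd entirely.
# Assumptions: FreeBSD with options IPSEC, device enc, ipfw and natd.
# OUTER, INNER_NET and the rule numbers below are constructed placeholders.

IPFW=${IPFW:-ipfw}                   # set IPFW=echo to print instead of load
OUTER=${OUTER:-em0}                  # interface carrying ESP/IKE packets
INNER_NET=${INNER_NET:-10.0.0.0/8}   # private networks on both tunnel ends

enc_filter_sysctls() {
    # Have the kernel run decapsulated (inbound) and not-yet-encapsulated
    # (outbound) packets through the firewall on enc0, so that rules with
    # "via enc0" see the cleartext inside the tunnel.
    sysctl net.enc.in.ipsec_filter_mask=1 net.enc.out.ipsec_filter_mask=1
}

load_rules() {
    $IPFW -q flush
    $IPFW -q add 100 allow ip from any to any via lo0

    # Packets inside the tunnel show up on enc0: pass them here so they
    # never reach the divert rule for the outer interface.
    $IPFW -q add 200 allow ip from $INNER_NET to $INNER_NET via enc0

    # The tunnel itself (ESP plus IKE on UDP 500, NAT-T on UDP 4500) is
    # not subject to NAT either.
    $IPFW -q add 300 allow esp from any to any via $OUTER
    $IPFW -q add 310 allow udp from any to any 500,4500 via $OUTER
    $IPFW -q add 320 allow udp from any 500,4500 to any via $OUTER

    # Everything else crossing the outer interface goes through natd.
    $IPFW -q add 400 divert natd ip from any to any via $OUTER

    $IPFW -q add 65000 allow ip from any to any
}

# Usage (as root): enc_filter_sysctls && load_rules
# Dry run:          IPFW=echo load_rules
```

Because ipfw evaluates the ruleset once per interface a packet crosses, a packet decrypted on enc0 is accepted by rule 200 on that pass and is later forwarded to an inner interface rather than the outer one, so it never matches the divert rule; only the ESP/IKE envelope is seen on the outer interface, and rules 300 to 320 pass it untouched.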