NAT+IPSEC troubles

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Mon Sep 11 06:09:30 PDT 2006


On Mon, Sep 11, 2006 at 12:14:01PM +0200, Administrators wrote:
> Hi,

Hi.


> I'm building a VPN connected to a CISCO device.
> 
> I NEED to translate my LAN address to a given address.
> 
> The VPN works well when I try doing
> ifconfig em0 alias _given_ at _
> ping -S _given_ at _ dest_@
> 
> but I didn't manage to translate the LAN address AND have the VPN used.
> 
> I can pass through the VPN using the actual address, but the CISCO endpoint drops it,
> or I translate, but the packets don't go into the VPN.
> 
> Any idea ?

The IPSec stack is hooked before the NAT process (AFAIK), so it is not
possible to do that on a single box.


It is still possible to do what you want, but you'll have to reverse the
IPSec and NAT parts in the ip_input / ip_output sources.

If lots of people are interested in that, I can add a "NAT/VPN
order patch" to my TODO list...


Yvan.

-- 
NETASQ
http://www.netasq.com
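To make the ordering point concrete, here is a small model in C of the output path with the SPD lookup and the source NAT run in either order. It is an added illustration written for this page, not FreeBSD, NETASQ or Cisco code, and the addresses (192.168.1.0/24 as the LAN, 203.0.113.10 as the "given" address, 10.20.0.0/16 behind the peer), the peer's acceptance rule and the NAT rule are all assumptions. It reproduces the two failures reported in the thread (tunnelled with the LAN source and dropped by the peer; translated but sent in the clear) and the outcome once NAT runs before the SPD lookup:

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the NAT/IPsec ordering problem.  A packet passes through
 * two stages, an IPsec SPD lookup and a source NAT, and the result
 * depends on which stage sees the headers first.  Every address and
 * policy below is an assumption for the illustration. */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct net { uint32_t addr, mask; };
struct pkt { uint32_t src, dst; };
struct spd_entry { struct net src, dst; };   /* tunnel if both selectors match */

enum order   { NO_NAT, IPSEC_THEN_NAT, NAT_THEN_IPSEC };
enum verdict { SENT_CLEAR, PEER_DROPPED, TUNNELLED };

static const struct net LAN    = { IP4(192,168,1,0), IP4(255,255,255,0) }; /* assumed LAN */
static const struct net REMOTE = { IP4(10,20,0,0),   IP4(255,255,0,0) };   /* assumed, behind peer */
static const uint32_t   GIVEN  = IP4(203,0,113,10);  /* assumed "given" address */

static int in_net(uint32_t ip, struct net n) { return (ip & n.mask) == n.addr; }

static int spd_match(struct spd_entry e, const struct pkt *p)
{
    return in_net(p->src, e.src) && in_net(p->dst, e.dst);
}

/* Assumed NAT rule: LAN hosts leave with GIVEN as source. */
static void nat_source(struct pkt *p)
{
    if (in_net(p->src, LAN))
        p->src = GIVEN;
}

/* Assumed peer policy: only accept tunnelled traffic whose inner source
 * is GIVEN and whose destination is its own network. */
static int peer_accepts(const struct pkt *inner)
{
    return inner->src == GIVEN && in_net(inner->dst, REMOTE);
}

/* Run one packet through the modelled output path in the given order. */
enum verdict ip_output_model(struct pkt p, struct spd_entry spd, enum order o)
{
    struct pkt inner = p;
    int tunnelled = 0;

    if (o == NAT_THEN_IPSEC)
        nat_source(&p);

    /* The SPD lookup sees the headers as they are right now; once the
     * packet is encapsulated, the inner header is frozen. */
    if (spd_match(spd, &p)) {
        tunnelled = 1;
        inner = p;
    }

    /* NAT that runs after IPsec can no longer change the inner header. */
    if (o == IPSEC_THEN_NAT)
        nat_source(&p);

    if (!tunnelled)
        return SENT_CLEAR;
    return peer_accepts(&inner) ? TUNNELLED : PEER_DROPPED;
}

/* Constructed sample: a LAN host talking to a host behind the peer. */
struct pkt lan_host_packet(void)
{
    struct pkt p = { IP4(192,168,1,5), IP4(10,20,0,7) };
    return p;
}

/* SPD written on the real LAN source (what the poster could tunnel). */
struct spd_entry policy_on_lan_source(void)
{
    struct spd_entry e = { { IP4(192,168,1,0), IP4(255,255,255,0) },
                           { IP4(10,20,0,0),   IP4(255,255,0,0) } };
    return e;
}

/* SPD written on the translated source (what the peer expects). */
struct spd_entry policy_on_given_source(void)
{
    struct spd_entry e = { { IP4(203,0,113,10), IP4(255,255,255,255) },
                           { IP4(10,20,0,0),    IP4(255,255,0,0) } };
    return e;
}

int main(void)
{
    static const char *name[] = { "sent in clear", "dropped by peer", "tunnelled" };
    struct pkt p = lan_host_packet();

    printf("SPD on LAN source, no NAT:          %s\n",
           name[ip_output_model(p, policy_on_lan_source(), NO_NAT)]);
    printf("SPD on given source, IPsec then NAT: %s\n",
           name[ip_output_model(p, policy_on_given_source(), IPSEC_THEN_NAT)]);
    printf("SPD on given source, NAT then IPsec: %s\n",
           name[ip_output_model(p, policy_on_given_source(), NAT_THEN_IPSEC)]);
    return 0;
}
```

The middle case is the one the mail explains: with IPsec hooked ahead of NAT, the SPD is consulted while the source is still the LAN address, no policy matches, and the packet is translated and then leaves in the clear. Only the third order, which is what reversing the two parts in ip_output would give, lets the SPD see the translated source.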

