IPSec, nat on enc device
emss at free.fr
Sat Oct 24 08:35:54 UTC 2009
"Bjoern A. Zeeb" <bz at FreeBSD.org> writes:
> What I said before and will repeat is that if you want to use NAT and
> VPN you want to do inside NAT (admittedly handling the local machine
> is a different story). I have done that years ago with ipfw. Then your
> SA works on the NAT IP. I used it to avoid formerly RFC1918 address
> collisions by NATing to an unrouted public IP for just the VPNs.
> The NAT IP will not be bound to any interface at all.
Ok, I've never used ipfw, so this is a shot in the dark.
If I had to NAT 192.168.85.0/24 to 10.0.0.1 to access 192.168.201.0/24,
I would have to set up the following:
# natd rewrites 192.168.85.0/24 to 10.0.0.1; replies to 10.0.0.1 are de-aliased on the way back
ipfw add divert natd ip from 192.168.85.0/24 to 192.168.201.0/24 in
ipfw add divert natd ip from 192.168.201.0/24 to 10.0.0.1 in
natd -alias_address 10.0.0.1
# GW_LOCAL / GW_REMOTE stand for the two VPN gateway addresses (not given in the post)
setkey -c << EOD
spdadd 10.0.0.1/32 192.168.201.0/24 any -P out ipsec esp/tunnel/GW_LOCAL-GW_REMOTE/require;
spdadd 192.168.201.0/24 10.0.0.1/32 any -P in ipsec esp/tunnel/GW_REMOTE-GW_LOCAL/require;
EOD
Does it seem reasonable, or am I missing something?
> There is a reason major vendors have been doing inside and outside NAT
> for ages now. That pf cannot do that is bad and a design problem there.
Ok, thanks for your explanations.
I no longer get messages from the nordistes mailing list.
-+- SG in: GNU - A wee shot of fufe for the road? -+-
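As an added illustration of the inside-NAT layout Bjoern describes and of the ipfw/natd/setkey lines proposed above (example code written for this page, not from the original thread, from FreeBSD or from either poster), here is a small Python planner that checks the addressing before emitting the configuration. The subnets and the NAT address 10.0.0.1 are the ones from the post; the gateway addresses 203.0.113.1 and 198.51.100.1 are documentation-range placeholders of my own. The rejection rules are my reading of the thread rather than anything FreeBSD enforces: the NAT address must sit outside both subnets and must not be an address bound on the local gateway (so only the SA ever carries it), and if the two subnets collide the remote side has to present a non-colliding prefix too, because inside NAT on one end cannot make packets for a destination that is also a local address leave the LAN.

```python
import ipaddress


def plan_inside_nat(local_net, remote_net, nat_addr, gw_local, gw_remote):
    """Build the inside-NAT-before-IPsec configuration for one tunnel.

    local_net  : LAN prefix to hide behind the NAT address (e.g. 192.168.85.0/24)
    remote_net : prefix reachable through the tunnel (e.g. 192.168.201.0/24)
    nat_addr   : single address the SA carries; must be bound nowhere and routed nowhere else
    gw_local/gw_remote : outer tunnel endpoints (assumed placeholders in the usage below)

    Returns a dict with the ipfw rules, the natd command line and the setkey script.
    Raises ValueError when the addressing cannot work (checks are this example's own).
    """
    local = ipaddress.ip_network(local_net, strict=True)
    remote = ipaddress.ip_network(remote_net, strict=True)
    nat = ipaddress.ip_address(nat_addr)

    # Colliding prefixes: hosts would deliver "remote" traffic locally, so the
    # remote end must NAT as well and hand us a prefix that does not overlap.
    if local.overlaps(remote):
        raise ValueError(f"{local} overlaps {remote}: remote side must NAT to a non-colliding prefix")
    # The NAT address must not belong to either LAN, otherwise the de-aliased
    # replies and the original hosts compete for the same address space.
    if nat in local or nat in remote:
        raise ValueError(f"NAT address {nat} must lie outside {local} and {remote}")
    # Per the thread, the NAT IP is bound to no interface; the gateway's own
    # address is the one address we can check that against here.
    if nat == ipaddress.ip_address(gw_local):
        raise ValueError(f"NAT address {nat} must not be the gateway's own address")

    ipfw = [
        # LAN -> remote traffic arrives on the inside interface: alias its source.
        f"ipfw add divert natd ip from {local} to {remote} in",
        # Decapsulated replies for the NAT address: de-alias back to the LAN host.
        f"ipfw add divert natd ip from {remote} to {nat}/32 in",
    ]
    natd = f"natd -alias_address {nat}"
    setkey = [
        "setkey -c << EOD",
        f"spdadd {nat}/32 {remote} any -P out ipsec esp/tunnel/{gw_local}-{gw_remote}/require;",
        f"spdadd {remote} {nat}/32 any -P in ipsec esp/tunnel/{gw_remote}-{gw_local}/require;",
        "EOD",
    ]
    return {"ipfw": ipfw, "natd": natd, "setkey": setkey}


def render_plan(plan):
    """Flatten a plan into the shell text one would paste on the gateway."""
    return "\n".join(plan["ipfw"] + [plan["natd"]] + plan["setkey"]) + "\n"


def plan_rejects(*args):
    """True when plan_inside_nat refuses the given addressing."""
    try:
        plan_inside_nat(*args)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Addresses from the post plus placeholder gateways (constructed example input).
    plan = plan_inside_nat("192.168.85.0/24", "192.168.201.0/24", "10.0.0.1",
                           "203.0.113.1", "198.51.100.1")
    print(render_plan(plan), end="")
```

The generated script is the same shape as the one in the post, with the second divert rule for the return path and the tunnel endpoints filled into the SPD entries; it is meant as a planning aid, not as a substitute for reading ipfw(8), natd(8) and setkey(8) on the FreeBSD release actually in use.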