nat before ipsec ...

Ermal Luçi eri at freebsd.org
Wed Dec 25 21:35:48 UTC 2013


Hello,

Just use the ipsec-tools port from here:
https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/ipsec-tools-0.8.1

You need to specify the sainfo with the original subnet, in braces the natted
subnet, and the remote subnet.

Then enter SPD policies for the local network and the remote one for out, and
for the natted subnet and the remote subnet for in.
Also create whatever nat/rdr/binat rules with pf on the enc interface.

It's almost the same solution as here:
http://undeadly.org/cgi?action=article&sid=20090127205841
but in this case racoon was modified to accept the syntax for the natted
subnet, and the different policies for in and out are not a problem in
FreeBSD.

The other easy way is to set up a pfSense VM, create your config from the GUI
and get the relevant configs in /var/etc/ipsec.




On Wed, Dec 25, 2013 at 10:12 PM, Bjoern A. Zeeb <
bzeeb-lists at lists.zabbadoz.net> wrote:

> On Wed, 25 Dec 2013, Zeus Panchenko wrote:
>
>> wishmaster <artemrts at ukr.net> wrote:
>>
>>> If I understand you correctly, you want binat inside IPSec and
>>
>
> that would not really work as policies wouldn't match easily.
>
>> I'm not sure ... what I want is to nat packets from net A before they
>> are entering IPSec, as if they originate not on the freebsd host
>>
>> so, they enter IPSec already as net B packets ...
>>
>
> If nothing has changed and no one implemented inside NAT for pf (or
> ported it) it cannot do it;  I used to do it with ipfw ages ago, but
> back then it still required a third policy if I remember correctly.
> There should be some posting from me on net@ or ipfw@ from sometime in
> the last decade.
>
> /bz
>
> --
> Bjoern A. Zeeb
>
>



-- 
Ermal
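An added illustration (not from Ermal's message, the pfSense tree or the undeadly article) of the asymmetric SPD entries and the pf translation rule the steps above describe, using constructed addresses: net A 10.0.0.0/24 is the real local LAN, net B 192.168.100.0/24 is the subnet the peer is told about, 172.16.0.0/24 is the remote subnet, and 198.51.100.1 / 203.0.113.1 are the tunnel endpoints. The patched racoon sainfo stanza itself is not shown, since its exact syntax is only in the pfSense port.

```conf
# setkey(8) SPD entries, e.g. added to the file loaded with `setkey -f`.
# Constructed addresses (assumptions, not from the thread):
#   10.0.0.0/24       net A, the real local LAN
#   192.168.100.0/24  net B, what the remote peer sees as our LAN
#   172.16.0.0/24     remote subnet
#   198.51.100.1      local tunnel endpoint; 203.0.113.1 remote endpoint

# Outbound: the policy matches the packet before translation, so it is
# written for the real local network (net A) -> remote subnet.
spdadd 10.0.0.0/24 172.16.0.0/24 any -P out ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# Inbound: the decapsulated packet is addressed to net B, because that is
# the subnet the peer negotiated, so the policy is remote -> natted subnet.
spdadd 172.16.0.0/24 192.168.100.0/24 any -P in ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

# pf.conf fragment: do the translation on the enc(4) interface, where pf sees
# the cleartext packet on its way into (outbound) and out of (inbound) IPsec.
# binat is bidirectional, so a single rule maps net A <-> net B for traffic
# to and from the remote subnet; the phase 2 selector negotiated by the
# patched racoon must then be net B <-> 172.16.0.0/24.
binat on enc0 from 10.0.0.0/24 to 172.16.0.0/24 -> 192.168.100.0/24
```

The peer side needs nothing special: it simply configures 192.168.100.0/24 as the local network of this gateway.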

