weird results while ipsec + ipfw_nat (nat before vpn)
Zeus V Panchenko
zeus at ibs.dn.ua
Thu Aug 4 12:51:00 UTC 2011
Ian Smith (smithi at nimnet.asn.au) [11.08.04 08:44] wrote:
> On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
> [..]
>
> Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe
> that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.
>
> > so, ipsec and ipfw_nat out works, but where are reply packets
> > disappearing to after coming to gif0 interface? why does no backward
> > divert occur?
>
> Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and
> maybe 'ipfw show' to check that all your other rules match ipfw.conf
>
you are right, ipfw thinks about nat this way:
# ipfw nat show config
ipfw nat 100 config if bge1 log reverse
I have tried both combinations and still no result:
1. with `if' I see `incorrect' (lan ip) traffic on gif0
2. with `ip' I see only ipsec peer replies and no back divert
3. but with both options I see the same as in p.2
any further idea?
--
Zeus V. Panchenko
JID:zeus at gnu.org.ua GMT+2 (EET)
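Since the thread turns on how ipfw has actually parsed the nat line, here is a small audit script, added here and not part of the original thread, that reads the output of `ipfw nat show config` and flags any nat instance carrying both `if` and `ip` (or neither), following Ian's suggestion above; the sample output lines and the 192.0.2.1 address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit "ipfw nat show config" output
# against the advice that each nat instance should carry either
# "if <iface>" or "ip <addr>", not both. Only those two keywords are
# inspected; the sample lines at the bottom are constructed.

# check_nat_line LINE
# Prints "<instance>: <verdict>" for one config line and returns 0 when
# exactly one of if/ip is present, 1 otherwise.
check_nat_line() {
    set -- $1                           # split into words: ipfw nat N config ...
    [ "$1" = "ipfw" ] && [ "$2" = "nat" ] && [ $# -ge 4 ] \
        || { echo "skip: not a nat config line"; return 1; }
    _inst=$3
    shift 4                             # drop "ipfw nat N config"
    _if=""; _ip=""
    while [ $# -gt 0 ]; do
        case "$1" in
            if) _if=$2 ;;               # "if <iface>" binds to an interface
            ip) _ip=$2 ;;               # "ip <addr>" binds to a fixed address
        esac
        shift
    done
    if [ -n "$_if" ] && [ -n "$_ip" ]; then
        echo "$_inst: both if $_if and ip $_ip set; keep one"; return 1
    elif [ -n "$_if" ]; then
        echo "$_inst: ok, bound to interface $_if"; return 0
    elif [ -n "$_ip" ]; then
        echo "$_inst: ok, bound to address $_ip"; return 0
    else
        echo "$_inst: neither if nor ip set"; return 1
    fi
}

# audit_nat_config reads "ipfw nat show config" output on stdin and
# returns the number of instances that failed the check.
audit_nat_config() {
    _bad=0
    while IFS= read -r _l; do
        [ -z "$_l" ] && continue
        check_nat_line "$_l" || _bad=$((_bad + 1))
    done
    return $_bad
}

# Constructed sample; on the box itself: ipfw nat show config | audit_nat_config
sample='ipfw nat 100 config if bge1 log reverse
ipfw nat 200 config if bge1 ip 192.0.2.1 log reverse'
printf '%s\n' "$sample" | audit_nat_config || echo "$? instance(s) need attention"
```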