Filtering on IPSEC
Alex Dupre
ale at FreeBSD.org
Thu Jan 12 07:29:18 UTC 2012
Bjoern A. Zeeb wrote:
> Need more input. A) why are you using gif? B) are you using transport mode?
I'm using gif, because the official FreeBSD documentation says so
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html).
My configuration is very similar to what is described on that page. If
that's not the correct way, I'll fix the documentation after
understanding the right procedure.
I'm using tunnel mode for a network-to-network VPN.
> NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.
Can you elaborate a little more about the reason ipfw can and pf cannot?
Is it because with ipfw/nat the packet is reinjected with the translated
src IP and so matched by SPD? Currently, with my setup and pf, I faced
exactly these two problems (SPD match before translation and i/o on
different interfaces).
I think it's not so uncommon that the two networks may collide, so
assigning a "good" ip to one endpoint gateway and making NAT on it
should be well documented in our handbook. If you give me a hint on
how this could be achieved with ipfw I'll update the docs accordingly.
Thanks for your support.
--
Alex Dupre