ip_output: NAT then IPSEC
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Jun 14 20:30:47 UTC 2012
On 14. Jun 2012, at 16:42, Eugene Grosbein wrote:
> Hi!
>
> How do I make FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets then apply IPSEC transport mode
> for plain TCP traffic?
>
> Presently, locally originated packets are encrypted just fine
> but routed and NAT-ed packets go out unencrypted.
>
> I use ipfw nat.
You NAT on your inside interface; ipfw can do that; pf cannot, so you are
lucky. I have done it about 5-6 years ago.
However there is one caveat: you need a SP for both the before-NAT (which
you normally do not want) and the after-NAT packets, and you usually cannot
do that unless you control both sides of the tunnel.
/bz
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!
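The recipe Bjoern sketches (translate with ipfw nat on the inside interface so the packet already carries its public source address when ip_output consults the SPD, then keep transport-mode SPs for the after-NAT address pair) as an added, runnable sh sketch. This is not code from the thread or from FreeBSD itself; interface names (em0/em1), addresses (documentation ranges), the LAN prefix, rule numbers and the placement of the reverse translation on the outside interface's ingress are all assumptions for illustration. It prints the commands by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw nat before the IPsec SPD lookup.
# All interface names and addresses below are illustrative assumptions.
INSIDE=em1              # LAN-facing interface (assumed)
OUTSIDE=em0             # Internet-facing interface (assumed)
PUBLIC_IP=203.0.113.1   # this gateway's public address (documentation range)
PEER_IP=198.51.100.1    # remote host we protect TCP to (documentation range)
LAN_NET=192.168.1.0/24  # inside network being translated (assumed)

DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = apply (needs root)
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ipfw nat instance plus the rules that place translation on the inside
# interface.  Translating on ingress of $INSIDE means the packet is still in
# ip_input; when ip_output later runs the SPD lookup the source is already
# $PUBLIC_IP, so the after-NAT SP below matches and the packet gets ESP.
nat_rules() {
    run ipfw nat 1 config ip "$PUBLIC_IP" same_ports
    run ipfw add 100 nat 1 ip from "$LAN_NET" to any in via "$INSIDE"
    # Reverse translation for replies, applied on ingress of the outside
    # interface after transport-mode ESP has been stripped (assumed placement).
    run ipfw add 110 nat 1 ip from any to "$PUBLIC_IP" in via "$OUTSIDE"
}

# setkey(8) policy keyed on the after-NAT addresses.  The before-NAT SP the
# thread mentions would use $LAN_NET in place of $PUBLIC_IP.  SAs themselves
# (manual keys or an IKE daemon) are outside this sketch.
spd_config() {
    cat <<EOF
spdflush;
spdadd $PUBLIC_IP $PEER_IP tcp -P out ipsec esp/transport//require;
spdadd $PEER_IP $PUBLIC_IP tcp -P in ipsec esp/transport//require;
EOF
}

apply_spd() {
    if [ "$DRY_RUN" = 1 ]; then spd_config; else spd_config | setkey -c; fi
}

main() {
    nat_rules
    apply_spd
}
main
```

Run it once as-is to review the generated ipfw and setkey lines, then with DRY_RUN=0 as root to apply. The ordering is the whole point: a nat rule matched on the outside interface's output path would run after ip_output has already consulted the SPD with the private source, which is exactly the "routed and NAT-ed packets go out unencrypted" symptom described above.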