NAT-before-ipsec using if_ipsec
Jimmy Olgeni
olgeni at olgeni.com
Thu Aug 24 09:38:46 UTC 2017
Hi,
I came up with a working setup of if_ipsec, and was wondering if now
it would be possible to perform NAT before ipsec using the resulting
'ipsec0' interface.
The native PF solution seemed to be this:
nat on ipsec0 from 172.30.1.1/28 to any -> 172.30.1.1
But while it works on external interfaces, it does nothing for ipsec.
If ipsec is already up, pinging the other side does not work; if
the ping causes racoon to negotiate, then it will fail as if it's
trying to negotiate an invalid encryption domain (?)
Are additional SPD entries needed specifically for NAT?
--
jimmy
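The script below is an added example, not part of Jimmy's post or of FreeBSD. It takes a `setkey -DP` style SPD dump and a pf `nat on ... -> ...` rule and reports which outbound `ipsec` policies cover a packet's source before and after translation. The idea behind it is an assumption about the failure described above: if pf rewrites the source before the packet reaches IPsec, the SPD selectors must cover the translated address, not the original one. The SPD dump, addresses and `spid` values are constructed for the example; the one real input is the nat rule from the post.

```python
"""Compare outbound SPD coverage of a packet before and after a pf nat rule.

Added example (not from the post or from FreeBSD). The SPD dump below is
constructed to look like `setkey -DP` output; only NAT_RULE is from the post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed `setkey -DP` output: one outbound and one inbound tunnel policy.
SPD_DUMP = """\
172.30.1.0/28[any] 10.20.0.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.10-198.51.100.20/require
	spid=16 seq=1 pid=100
	refcnt=1
10.20.0.0/24[any] 172.30.1.0/28[any] any
	in ipsec
	esp/tunnel/198.51.100.20-203.0.113.10/require
	spid=15 seq=0 pid=100
	refcnt=1
"""

# The pf rule quoted in the post.
NAT_RULE = "nat on ipsec0 from 172.30.1.1/28 to any -> 172.30.1.1"


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str = ""
    action: str = ""
    tunnel: str = ""
    spid: int = -1


def _net(text):
    """'any' -> 0.0.0.0/0; a bare host (setkey omits /32) -> host/32."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def parse_spd(dump):
    """Collect selector, direction/action, tunnel spec and spid per entry."""
    policies = []
    for line in dump.splitlines():
        if not line.startswith(("\t", " ")):
            # Selector line: "src[port] dst[port] proto"
            m = re.match(r"(\S+)\[\S+\] (\S+)\[\S+\] (\S+)", line)
            if m:
                policies.append(Policy(_net(m.group(1)), _net(m.group(2)), m.group(3)))
            continue
        if not policies:
            continue
        p = policies[-1]
        body = line.strip()
        m = re.match(r"(in|out|fwd) (ipsec|discard|none)$", body)
        if m:
            p.direction, p.action = m.group(1), m.group(2)
        elif body.startswith(("esp/", "ah/", "ipcomp/")):
            p.tunnel = body
        elif body.startswith("spid="):
            p.spid = int(body.split()[0].split("=")[1])
    return policies


def parse_nat_rule(rule):
    """Parse the subset of pf nat syntax used in the post."""
    m = re.match(r"nat on (\S+) from (\S+) to (\S+) -> (\S+)", rule)
    if not m:
        raise ValueError("unsupported nat rule: " + rule)
    return {"iface": m.group(1), "from": _net(m.group(2)),
            "to": _net(m.group(3)), "nat_addr": ipaddress.ip_address(m.group(4))}


def translate(rule, src, dst):
    """Source address after the rule, or the original if it does not match."""
    if src in rule["from"] and dst in rule["to"]:
        return rule["nat_addr"]
    return src


def matching_spids(policies, src, dst, direction="out"):
    """spids of `ipsec` policies in the given direction whose selectors match."""
    return [p.spid for p in policies
            if p.direction == direction and p.action == "ipsec"
            and src in p.src and dst in p.dst]


def check(spd_dump, nat_rule, src, dst):
    """Outbound policies covering the packet before and after NAT."""
    policies = parse_spd(spd_dump)
    rule = parse_nat_rule(nat_rule)
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    post = translate(rule, src, dst)
    return {"pre_nat_src": str(src), "post_nat_src": str(post),
            "pre_nat_spids": matching_spids(policies, src, dst),
            "post_nat_spids": matching_spids(policies, post, dst)}


if __name__ == "__main__":
    print(check(SPD_DUMP, NAT_RULE, "172.30.1.5", "10.20.0.7"))
```

With the constructed /28 policy both the original and the translated source are covered; swap the selector for a host entry such as `172.30.1.1[any]` and only the post-NAT address matches, which is the case where a policy written for the translated address would silently miss untranslated traffic (or vice versa). Run it against the real output of `setkey -DP` on the box in question to see which policy, if any, each form of the packet hits.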