NAT+IPSEC troubles
Erik Norgaard
norgaard at locolomo.org
Mon Sep 11 09:39:30 PDT 2006
Administrators wrote:
> Hi,
>
> I'm building a VPN connected to a CISCO device.
>
> I NEED to translate my LAN address to a given address.
>
> The VPN works well when I try doing
> ifconfig em0 alias _given_ at _
> ping -S _given_ at _ dest_@
>
> but I didn't manage to translate the LAN address AND have the VPN used.
>
> I can pass through the VPN using the actual address but the CISCO endpoint drops it,
> or I translate, but the packets don't go into the VPN.
>
> Any idea ?
IPSec does not work across NAT. The problem is authenticated headers,
which simply won't work because AH assumes the IP header to be untouched.
If you have a natting box this will rewrite the source/destination IP,
which means that the recipient cannot verify the authenticity of the packet.
You should be able to get things working without AH.
Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
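To make Erik's point concrete, here is an added example (not code from the thread or from FreeBSD) that simulates why an AH-protected packet fails integrity checking after NAT while an ESP-only packet does not. It assumes a constructed shared key, uses HMAC-SHA256 as a stand-in for the AH integrity algorithm, and builds a simplified 20-byte IPv4 header with the checksum left at zero; the mutable-field zeroing follows what RFC 4302 specifies for AH.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed shared key for the demonstration only (not a real SA key).
KEY = b"example-shared-key-for-demo"


def build_ipv4_header(src: str, dst: str, ttl: int = 64,
                      proto: int = 51, total_len: int = 60) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """AH zeroes fields routers may legitimately change before computing the
    ICV: TOS, flags/fragment offset, TTL and header checksum. Source and
    destination addresses are immutable, so they stay covered by the ICV."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(ip_header: bytes, payload: bytes) -> bytes:
    """AH-style integrity check value: immutable IP header fields + payload."""
    data = zero_mutable_fields(ip_header) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()


def esp_icv(esp_payload: bytes) -> bytes:
    """ESP-style integrity check value: covers only the ESP data, never the
    outer IP header, so address rewriting by NAT does not disturb it."""
    return hmac.new(KEY, esp_payload, hashlib.sha256).digest()


def nat_rewrite_source(ip_header: bytes, new_src: str) -> bytes:
    """What a NAT box does to the packet: replace the source address."""
    h = bytearray(ip_header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def decrement_ttl(ip_header: bytes) -> bytes:
    """What every router on the path does: decrement TTL (a mutable field)."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)


def simulate(nat: bool) -> dict:
    """Send one packet from a LAN host to the peer, optionally through NAT,
    and report whether the receiver's AH and ESP checks would pass."""
    lan_src, peer, translated = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    payload = b"constructed protected payload"          # constructed sample data

    hdr = build_ipv4_header(lan_src, peer)
    ah_tag = ah_icv(hdr, payload)                         # computed by sender
    esp_tag = esp_icv(payload)

    if nat:
        hdr = nat_rewrite_source(hdr, translated)         # NAT changes src
    hdr = decrement_ttl(hdr)                              # normal forwarding

    return {
        "ah_ok": hmac.compare_digest(ah_icv(hdr, payload), ah_tag),
        "esp_ok": hmac.compare_digest(esp_icv(payload), esp_tag),
    }


if __name__ == "__main__":
    print("no NAT :", simulate(nat=False))   # both checks pass
    print("via NAT:", simulate(nat=True))    # AH fails, ESP passes
```

The TTL decrement is included to show that AH tolerates the changes routers are allowed to make; it is specifically the address rewrite that breaks it. In practice ESP in tunnel mode, combined with UDP encapsulation (NAT-T, RFC 3948) where the NAT also rewrites ports, is the usual way to run IPsec across a translating box.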