ip_output: NAT then IPSEC

ip_output: NAT then IPSEC

Eugene Grosbein-7
Hi!

How do I make FreeBSD 8-based router/NAT/security gateway
first perform NAT for outgoing packets then apply IPSEC transport mode
for plain TCP traffic?

Presently, locally originated packets are encrypted just fine
but routed and NAT-ed packets go out unencrypted.

I use ipfw nat.

Eugene Grosbein
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[hidden email]"
Re: ip_output: NAT then IPSEC

Michael Sierchio
On Thu, Jun 14, 2012 at 9:42 AM, Eugene Grosbein <[hidden email]> wrote:

> How do I make FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets then apply IPSEC transport mode
> for plain TCP traffic?

Forgive me, but I have to ask - why?

IPsec implies pairwise association, and relies on a tunnel - which
means that each side knows both tunnel endpoints and both internal
networks.  What do you hope to accomplish with NAT?

- M
Re: ip_output: NAT then IPSEC

Bjoern A. Zeeb
In reply to this post by Eugene Grosbein-7

On 14. Jun 2012, at 16:42 , Eugene Grosbein wrote:

> Hi!
>
> How do I make FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets then apply IPSEC transport mode
> for plain TCP traffic?
>
> Presently, locally originated packets are encrypted just fine
> but routed and NAT-ed packet go out unencrypted.
>
> I use ipfw nat.

You NAT on your inside interface; ipfw can do that; pf cannot, so you are
lucky.  I did that about 5-6 years ago.

However, there is one caveat:  you need an SP for both the before-NAT (which
you normally do not want) and the after-NAT packets, and you usually cannot
do that unless you control both sides of the tunnel.

/bz

--
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!

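As an added example, not from the thread and not FreeBSD's own documentation: a small sh script that generates the ipfw nat rules for the inside interface and the matching setkey SPD entries for the setup Bjoern describes, and then checks that every peer the NAT forwards the service to also has an outbound SP, since a peer missing from the SPD is exactly the "NAT-ed but unencrypted" symptom from the original question. The interface name, addresses (RFC 5737/1918 documentation ranges), service port and peer list are assumptions. Both the after-NAT (public) and the before-NAT (internal) SPs are emitted because Bjoern says both are needed; the thread says nothing more about how the kernel consults the before-NAT one.

```shell
#!/bin/sh
# Added example: NAT on the inside interface with ipfw nat, plus the setkey
# SPD entries transport-mode ESP needs. Every value below is an assumption.

INSIDE_IF="em1"                      # assumed: LAN-facing interface
PUBLIC_IP="203.0.113.1"              # assumed: router's public (after-NAT) address
SERVER_IP="192.168.1.10"             # assumed: internal TCP service (before-NAT)
SERVICE_PORT="22"                    # assumed: port forwarded to the server
PEERS="198.51.100.7 198.51.100.8"    # assumed: the external hosts allowed in

# ipfw rules: one nat instance bound to the inside interface. 'reverse' swaps
# libalias' notion of in/out (see ipfw(8)) so packets *arriving* on the inside
# interface are aliased, i.e. NAT happens on the forwarded packet's way in,
# before ip_output() runs IPsec on its way out. One redirect per allowed peer.
ipfw_nat_rules() {
    redirects=""
    for peer in $PEERS; do
        redirects="$redirects redirect_port tcp ${SERVER_IP}:${SERVICE_PORT} ${SERVICE_PORT} ${peer}"
    done
    printf 'nat 1 config ip %s reverse%s\n' "$PUBLIC_IP" "$redirects"
    printf 'add 1000 nat 1 ip from any to any via %s\n' "$INSIDE_IF"
}

# setkey SPD: require transport-mode ESP for the service stream to each peer.
# The after-NAT (public) pair is what the post-NAT packet carries; the
# before-NAT (internal) pair is emitted because Bjoern says both are needed.
setkey_policies() {
    echo "spdflush;"
    for peer in $PEERS; do
        for src in "$PUBLIC_IP" "$SERVER_IP"; do
            printf 'spdadd %s/32[%s] %s/32 tcp -P out ipsec esp/transport//require;\n' \
                "$src" "$SERVICE_PORT" "$peer"
            printf 'spdadd %s/32 %s/32[%s] tcp -P in ipsec esp/transport//require;\n' \
                "$peer" "$src" "$SERVICE_PORT"
        done
    done
}

# Consistency check over a NAT rule set ($1) and an SPD ($2): every peer in
# PEERS must have a redirect_port entry AND an outbound SP for the public
# address, otherwise that peer's stream is NAT'd but leaves in the clear.
# Returns 0 when consistent, 1 on the first uncovered peer.
check_peers_covered() {
    rules="$1"
    spd="$2"
    for peer in $PEERS; do
        case "$rules" in *"${SERVICE_PORT} ${peer}"*) ;; *) return 1 ;; esac
        case "$spd" in *"${PUBLIC_IP}/32[${SERVICE_PORT}] ${peer}/32 tcp -P out"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Load the generated configuration: ipfw reads a rule file, setkey -c reads stdin.
apply_config() {
    tmp=$(mktemp) || return 1
    ipfw_nat_rules >"$tmp" && ipfw -q "$tmp"
    setkey_policies | setkey -c
    rm -f "$tmp"
}

# Usage: sh nat-then-ipsec.sh        -> print the rules and SPD for review
#        sh nat-then-ipsec.sh apply  -> load them on the router
if [ "${1:-}" = "apply" ]; then
    check_peers_covered "$(ipfw_nat_rules)" "$(setkey_policies)" || exit 1
    apply_config
else
    ipfw_nat_rules
    setkey_policies
fi
```

Review the printed output before using `apply`; the check refuses to load a rule set whose peer list and SPD disagree.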

Re: ip_output: NAT then IPSEC

Eugene Grosbein-7
In reply to this post by Michael Sierchio
15.06.2012 03:21, Michael Sierchio writes:

> On Thu, Jun 14, 2012 at 9:42 AM, Eugene Grosbein <[hidden email]> wrote:
>
>> How do I make FreeBSD 8-based router/NAT/security gateway
>> first perform NAT for outgoing packets then apply IPSEC transport mode
>> for plain TCP traffic?
>
> Forgive me, but I have to ask - why?
>
> IPsec implies pairwise association, and relies on a tunnel - which
> means that each side knows both tunnel endpoints and both internal
> networks.  What do you hope to accomplish with NAT?

I have a TCP service inside the local network that is accessible
to a couple of external hosts via NAT port forwarding.
And I need to protect this TCP stream seamlessly with IPSEC transport mode.

Eugene Grosbein

