On 14. Jun 2012, at 16:42, Eugene Grosbein wrote:
> How do I make FreeBSD 8-based router/NAT/security gateway
> first perform NAT for outgoing packets then apply IPSEC transport mode
> for plain TCP traffic?
> Presently, locally originated packets are encrypted just fine
> but routed and NAT-ed packet go out unencrypted.
> I use ipfw nat.
You NAT on your inside interface; ipfw can do that; pf cannot, so you are
lucky. I did it about 5-6 years ago.
However, there is one caveat: you need an SP for both the before-NAT (which
you normally do not want) and the after-NAT packets, and you usually cannot
do that unless you control both sides of the tunnel.
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
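What the setup Bjoern describes looks like as ipfw and setkey rules, as an added example that is not from this thread: NAT is attached to the inside interface, and the SPD carries one policy pair for the post-NAT addresses and one for the pre-NAT pair. The interface name, addresses and port are constructed assumptions; the functions only emit the rules, and apply_rules() loads them only when run as root.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are constructed.
INSIDE_IF=em1            # LAN side: NAT is applied here, not on the WAN side
NAT_IP=198.51.100.1      # gateway's public address (post-NAT source)
SERVER=192.0.2.10        # internal TCP service (pre-NAT source)
PEER=203.0.113.5         # external host that may reach the service
PORT=5432                # TCP port of the service

# ipfw: translate as packets cross the inside interface, so forwarding and the
# outbound SPD lookup already see post-NAT addresses. Inbound packets from the
# peer are redirected to the internal server by the same nat instance.
ipfw_rules() {
    cat <<EOF
nat 1 config ip $NAT_IP redirect_port tcp $SERVER:$PORT $PORT
add 100 nat 1 ip from any to any via $INSIDE_IF
EOF
}

# setkey: transport-mode ESP required for the post-NAT pair (what appears on
# the WAN) and, as Bjoern's caveat says, for the pre-NAT pair as well.
spd_rules() {
    cat <<EOF
spdadd $NAT_IP[$PORT] $PEER[any] tcp -P out ipsec esp/transport//require;
spdadd $PEER[any] $NAT_IP[$PORT] tcp -P in ipsec esp/transport//require;
spdadd $SERVER[$PORT] $PEER[any] tcp -P out ipsec esp/transport//require;
spdadd $PEER[any] $SERVER[$PORT] tcp -P in ipsec esp/transport//require;
EOF
}

# Load the rules; ipfw(8) reads commands from a pathname, setkey -c from stdin.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    ipfw_rules | ipfw -q /dev/stdin
    spd_rules | setkey -c
}
```

The SAs themselves (keys or an IKE daemon) still have to exist for both address pairs on both peers, which is the part you cannot arrange unless you control the other side.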
> On Thu, Jun 14, 2012 at 9:42 AM, Eugene Grosbein <[hidden email]> wrote:
>> How do I make FreeBSD 8-based router/NAT/security gateway
>> first perform NAT for outgoing packets then apply IPSEC transport mode
>> for plain TCP traffic?
> Forgive me, but I have to ask - why?
> IPsec implies pairwise association, and relies on a tunnel - which
> means that each side knows both tunnel endpoints and both internal
> networks. What do you hope to accomplish with NAT?
I have a TCP service inside the local network that is accessible
for a couple of external hosts via NAT port forwarding.
And I need to protect this TCP stream seamlessly with IPSEC transport mode.