Re: Problems with NAT on gif interface for VPN

From: Aaron Nichols (adnichols_at_gmail.com)
Date: 10/29/04

    Date: Thu, 28 Oct 2004 20:17:30 -0700
    To: "Nickolay A. Kritsky" <nkritsky@star-sw.com>

    On Thu, 28 Oct 2004 21:47:24 +0400, Nickolay A. Kritsky
    <nkritsky@star-sw.com> wrote:
    > Hello Aaron,
    >
    > Please make sure that you have option IPSEC_FILTERGIF in your kernel.
    > See LINT and -net archives for more details.

    Thanks for the hint - and that makes more sense, however I think I'm
    still in the same position.

    Rather than a "problem" with ipfw however, I think I've got a
    fundamental problem with how to do this. If I understand correctly, in
    order for natd to "reverse" a divert rule (translate the destination
    IP back to the original IP on return traffic) the packet has to come
    through the same interface it was originally seen by natd on - is this
    correct?

    For whatever reason I still seem to be unable to use gif0 for this
    purpose, which seems to be the closest thing to an "ipsec interface"
    available (I'm beginning to think it's nowhere near as useful as enc0
    on OpenBSD). Thus, I'm stuck translating packets when they either
    enter the LAN interface or leave the WAN, the former seems the best
    option.

    The problem I have however, is that if I apply the divert rule on vr0
    (LAN) then the return traffic is never transmitted out vr0 and thus
    never gets translated back (I assume it's dropped somewhere earlier in
    the process). I tried using a 'fwd' rule to push return traffic out
    vr0 on the return trip but that seems to have been fruitless.

    On Cisco routers I know you can do some interesting nat tricks by
    using policy routing and forcing VPN traffic to an intermediate
    loopback interface so that all VPN traffic goes in/out the same
    interface before being delivered to its ultimate destination. Can I do
    something similar on FreeBSD?

    For example:

    Lan to Remote site:
    PC -> vr0 -> some_int0 -> ipsec -> xl0 ...

    Remote site response traffic:
    xl0 -> ipsec -> some_int0 -> vr0 -> PC

    Thus, all traffic would go in/out of 'some_int0' and I could apply
    divert rules there correctly.

    I apologize if this doesn't make any sense to those who understand the
    system - evidently I don't have a strong enough understanding of the
    processing order to piece this together myself. At this point I think
    the relevant question is - does anyone know if this is possible and
    have any pointers to a working configuration?

    Thanks again for your time and patience.

    Aaron
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
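The message above describes a divert rule applied on the LAN interface (vr0) with natd translating the packets, and notes that natd can only "reverse" a translation when the reply crosses the same path the request did. The script below is an added illustration of that setup, not a configuration from Aaron or from the FreeBSD project, and not a confirmed fix for the problem he reports: the interface name vr0, the divert port 8668 and the rule numbers are assumptions, and the `fwcmd` variable (set to `echo` to print the rules instead of loading them) follows the convention of FreeBSD's own rc.firewall script.

```shell
#!/bin/sh
# Added illustration of the "divert on the LAN interface" setup discussed in the
# thread. Assumed layout: LAN on vr0, IPsec tunnel via gif0, WAN on xl0.
# The kernel also needs "options IPSEC_FILTERGIF" (as mentioned in the quoted
# reply) for ipfw to see packets that arrive through the IPsec/gif path.
set -eu

fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to print rules instead of loading them
lan_if="${lan_if:-vr0}"        # assumed LAN interface name
natd_port="${natd_port:-8668}" # assumed divert port; natd must listen on the same port:
                               #   natd -p 8668 -n vr0   (-n names the interface natd binds to)

# Build the ruleset. Rule 100 hands every packet crossing vr0, inbound or
# outbound, to natd. natd keeps a state entry for each translated packet and
# can only undo the translation on a reply that passes this same divert rule;
# a reply that leaves through another interface never reaches natd again,
# which is the failure mode described in the message.
natd_divert_rules() {
    $fwcmd -f flush
    $fwcmd add 100 divert "$natd_port" ip from any to any via "$lan_if"
    $fwcmd add 65000 allow ip from any to any
}

# Only load the rules when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "apply" ]; then
    natd_divert_rules
fi
```

Run it as `sh divert-vr0.sh apply` on the firewall, or `fwcmd=echo sh divert-vr0.sh apply` to review the rules first. Because both directions of vr0 are matched by `via`, a LAN-originated request is translated on its way in and the reply is un-translated only if it is actually sent out vr0; if the reply is dropped or routed elsewhere before that point, natd's state entry is never consulted.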
