Subject: Re: NAT+IPF+IPsec?
To: Teemu Rinta-aho <>
From: Mipam <>
List: tech-net
Date: 05/29/2001 14:58:28
On Mon, May 28, 2001 at 10:19:47PM +0300, Teemu Rinta-aho wrote:
> Hi all!
> I am running a server with NetBSD 1.5.1_BETA2. The server
> is acting as a router between my home network and the
> Internet. It is running DHCP, NAT and ipfilter. I am
> also planning to build an ESP+AH tunnel to my office
> network.

Ai ... if i aint wrong, esp+ah in tunnel mode is not gonna work.
See the documentation concerning ipsec on the web.
Doing esp in tunnel mode is fine, but not both.
For all i know this didnt change, could be wrong though.

> I need some clarification if this is possible or not.
> I have two kinds of information from different documents.
> One says, that packets are filtered AFTER address translation
> for inbound packets, and BEFORE for outbound packets.


> Then src/CHANGES-1.5.1 says that ipfilter now looks
> packets in native wire format, before IPsec processing
> for inbound and after for outbound packets. Now when
> is NAT done in this new architecture, if it can be
> done at all, or do I have to buy yet another server?

When there is spoken on ipf, you should read
ipf+ipnat. Now ipf only looks in packets in native wire format.
However, you still need to pass esp and ah traffic through,
for else it's not gonna work.
This enables you to use the nat/router machine also as ipsec border
machine when you wish to create a tunnel between that machine and
another router.

The only thing one which i aint sure is, when you do ipsec in transport mode
from a machine (with private ip) behind the nat machine, cause in that
case nat needs to take place, even on the ipsec packets. But this
is not your situation i guess.
Concerning DHCP. Racoon doesnt support it, i believe isakmpd from openbsd does.
Install it from pkgsrc/security/isakmpd.
I heared some ppl in openbsd got it working.
Never tried it myself with dhcp though.