> local/24 =NAT=> private/24 ===tunnel===> vpn-gw
>
> I wonder how to get NAT & IPsec right here. With a "normal" DSL setup, I configure ipf.conf so that the NAT is done on the outgoing interface, i.e. pppoe0, but I'm not sure what interface to use here: pppoe0 is intended to send out IPsec traffic via the external network, as a consequence the external interface looks even more wrong; specifying the internal interface looks wrong as I'd expect translation to happen for inbound traffic then only.
>
> What is the general order of processing in this case? The NetBSD IPsec FAQ says that IPsec is applied first[1], but what I want is to do NAT first, then put the result through the IPsec mechanism. I think IPsec happens first, and this is because of the way the code is in the kernel.
>
> Does anyone have an idea how to achieve this?

Start by reading netinet/ip_output.c. IPSEC is before PFIL_HOOKS. I think right now munging in there is the only way. So try moving pfil_hooks up before the ifdef IPSEC blocks. I don't know if there is a corresponding input change necessary, or if input processing will cope. I also don't know what else tricky will pop up, but this feels like perturbing a hairy situation and asking for at least a bit of trouble.

You could also have a second machine and NAT but not IPsec on that, and separate NAT and IPsec functionality. Kludgy perhaps (xen?), but it might be fewer hours to what you want.
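To make the ordering problem concrete, here is an added toy model of the output path (not code from the thread or from NetBSD): an SPD entry written for the translated private/24 addresses only matches if NAT runs before the IPsec lookup; with the kernel's IPsec-before-PFIL order the packet misses the policy and leaves in the clear. All addresses, the 1:1 map rule and the stage functions are constructed assumptions.

```python
import ipaddress

# Constructed example addressing for local/24 =NAT=> private/24 ===tunnel===> vpn-gw
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")        # local/24, pre-NAT
PRIVATE_NET = ipaddress.ip_network("172.16.0.0/24")    # private/24, post-NAT
REMOTE_NET = ipaddress.ip_network("192.168.100.0/24")  # network behind vpn-gw
VPN_GW = "203.0.113.1"                                 # tunnel peer (assumed)
EXT_ADDR = "198.51.100.2"                              # our pppoe0 address (assumed)

# Outbound SPD, written (as the poster intends) in terms of translated addresses.
SPD = [(PRIVATE_NET, REMOTE_NET, VPN_GW)]


def nat(pkt):
    """ipf-style 1:1 map: rewrite a local/24 source into the same host in private/24."""
    src = ipaddress.ip_address(pkt["src"])
    if src in LOCAL_NET:
        host = int(src) - int(LOCAL_NET.network_address)
        return {**pkt, "src": str(PRIVATE_NET.network_address + host)}
    return pkt


def ipsec(pkt):
    """SPD lookup on the packet as seen at this stage; ESP-tunnel it if a policy matches."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for inner_src, inner_dst, gw in SPD:
        if src in inner_src and dst in inner_dst:
            return {"src": EXT_ADDR, "dst": gw, "proto": "esp", "inner": pkt}
    return pkt  # no policy matched: packet continues unprotected


def ip_output(pkt, ipsec_first=True):
    """Model of ip_output(): current kernel order is IPsec, then pfil (NAT) hooks."""
    stages = [ipsec, nat] if ipsec_first else [nat, ipsec]
    for stage in stages:
        pkt = stage(pkt)
    return pkt


def leaves_protected(pkt, ipsec_first=True):
    return ip_output(pkt, ipsec_first)["proto"] == "esp"


if __name__ == "__main__":
    p = {"src": "10.0.0.5", "dst": "192.168.100.7", "proto": "ip"}
    print("IPsec before NAT -> protected:", leaves_protected(p, True))   # False
    print("NAT before IPsec -> protected:", leaves_protected(p, False))  # True
```

The same model shows why the reply suggests moving the pfil hooks above the IPSEC block: only the NAT-first ordering presents private/24 sources to the SPD lookup.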