tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

reverse processing order: NAT, IPsec ?

I'm in a situation where I want to setup a router to translate (NAT) a local network in a private network (assume both are /24), then send the traffic over an IPsec tunnel to a vpn-gw router (Netscreen VPN, not under my control):

        local/24 =NAT=> private/24 ===tunnel===> vpn-gw

I wonder how to get NAT & IPsec right here. With a "normal" DSL setup, I configure ipf.conf so that the NAT is done on the outgoing interface, i.e. pppo0, but I'm not sure what interface to use here: pppoe0 is intended to send out IPsec traffic via the external network, as a consequence the external interface looks even more wrong; specifying the internal interface looks wrong as I'd expect translation to happen for inbound traffic then only.

What the general order of processing in this case? the NetBSD IPsec FAQ says that IPsec is applied first[1], but what I want is to do NAT first, then put the result through the IPsec mechanism.

Does anyone have an idea how to achieve this?

Note that the NAT is before the IPsec connection, so I'm pretty sure NAT-T is not relevant here.

Any clues? Thanks in advance!

 - Hubert


Home | Main Index | Thread Index | Old Index