[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 11:28:37AM +0200, Hubert Feyrer wrote:
> I'm in a situation where I want to setup a router to translate (NAT) a
> local network in a private network (assume both are /24), then send the
> traffic over an IPsec tunnel to a vpn-gw router (Netscreen VPN, not under
> my control):
> local/24 =NAT=> private/24 ===tunnel===> vpn-gw
> I wonder how to get NAT & IPsec right here. With a "normal" DSL setup, I
> configure ipf.conf so that the NAT is done on the outgoing interface,
> i.e. pppo0, but I'm not sure what interface to use here: pppoe0 is
> intended to send out IPsec traffic via the external network, as a
> consequence the external interface looks even more wrong; specifying the
> internal interface looks wrong as I'd expect translation to happen for
> inbound traffic then only.
> What the general order of processing in this case? the NetBSD IPsec FAQ
> says that IPsec is applied first, but what I want is to do NAT first,
> then put the result through the IPsec mechanism.
> Does anyone have an idea how to achieve this?
> Note that the NAT is before the IPsec connection, so I'm pretty sure
> NAT-T is not relevant here.
Could you use IPsec in transport mode and use a gif tunnel over that?
IIRC I read somewhere that this is functionally the same as IPsec tunnel
mode, and it would allow you to use NAT on the gif interface.
Main Index |
Thread Index |