List:       ipfilter
Subject:    Re: IPNAT with IPSEC
From:       Guido van Rooij <guido () gvr ! org>
Date:       2003-06-26 12:54:17

On Wed, Jun 25, 2003 at 07:28:40PM +1000, Carl Morley wrote:
> 
> Private IP    |    (A)   |     |          |     |    (B)   |   | Private IP
> subnets at----| FIREWALL |-----| INTERNET |-----| FIREWALL |---| subnet at
> company (A)   |          |     |          |     |          |   | company (B)
> 
> Firewall (B) is expecting all IPSEC traffic to be coming from the public
> IP address on Firewall (A), as tunnelled private IP subnet
> 10.99.99.0/30.
> 
> I am trying to NAT all the internal subnets at (A) to 10.99.99.1.  But
> it does not seem to work whichever way I try.
> 
> Questions:
> 
> 1.  On which interface should I alias the 10.99.99.1 IP on Firewall (A).
> Choices seem to be internal (fxp2), external (fxp1), loopback (lo0) or
> some gif0 combination.  Any other suggestions?

alias? You mean NAT. NAT rewrites source addresses on outgoing interfaces.
This means that you should do IPSEC on a different system after the ipfilter
host.

-Guido