At Wed, 7 Jun 2006 01:35:16 -0700, Devin Heckman wrote:
> has ipfw, IPSec, and natd running, and fails to mount nfs from mynfsbox
> when all three run at once with the "divert" rule enabled (if I'm right,
> it's because natd is rewriting some information in packets which makes
> IPSec decoding fail--but hopefully this isn't the case, as I wouldn't
> know even how to begin fixing natd).
>
> myrouter = 192.168.0.10, 10.0.0.1
> mynatbox1 = 10.0.0.2
> mynatbox2 = 10.0.0.3
> mynfsbox = 192.168.0.11
>
>                 IPSec
> mynfsbox <--------> myrouter
>                        | not IPSec
>                        |<---------> mynatbox1
>                        |<---------> mynatbox2
>
> /usr/local/etc/ipsec.conf:
>
> spdadd 192.168.0.10/32 192.168.0.11/32 any -P out ipsec
>     esp/transport//require ah/transport//require;
> spdadd 192.168.0.11/32 192.168.0.10/32 any -P in ipsec
>     esp/transport//require ah/transport//require;
could you repost your excellent description to [EMAIL PROTECTED]

i am not that kind of an ipsec guru, my setup looks a bit different. for sure there are ipsec gurus on the ml.

your ipfw rules show that you divert every packet over sis0 to natd. i would try to specify only those addresses which should get rewritten by natd (in your case 192.168..). so packets sent from myrouter to mynfsbox do not pass natd.

another thing i would try is to disable ah (just remove ah/transport//require) from your ipsec.conf file. ah is not necessary for an encrypted connection, it provides protection against replay attacks.

hth,
toni
--
If you understand what you're doing, you're | toni at stderror dot at
not learning anything.                      | Toni Schmidbauer
-- Anonymous                                |
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
