Re: nat,ipsec,pf,routing question

2009-10-30 Thread Stuart Henderson
the lo1 hack is no longer needed here; read OUTGOING NETWORK
ADDRESS TRANSLATION in ipsec.conf(5).

On 2009-10-29, Christoph Leser le...@sup-logistik.de wrote:
> I'm sure I have seen the answer to my question here on the list some
> time ago, but I'm too stupid to find it again:
>
> In what order are the following operations performed on an IP packet?
>
> a. IPSEC ( decides whether a packet matches an IPSEC flow )
> b. normal kernel routing
> c. NAT
> d. packet filtering ( block/pass commands in pf.conf )
>
> The reason I ask is that I failed to setup NAT for an IPSEC tunnel as
> described in
>
> http://marc.info/?l=openbsd-pf&m=115875312200995&w=2
>
> As far as I understand, this can only work if NAT ( on lo1 ) is
> performed before IPSEC checks for matching flows.
>
> Has this order been changed in OBSD4 ( the above post from 2006 refers
> to OBSD 3.8 )? There is a newer posting on the same issue at
> http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html,
> suggesting essentially the same procedure.
>
> Regards
>
> Christoph
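As an added illustration of the ipsec.conf(5) mechanism Stuart points to (example configuration written for this archive page, not text from his reply or from the man page; all addresses are made up): the real local subnet is given in parentheses after the source that is negotiated with the peer, so the peer sees 10.10.10.0/24 while the SA is installed for the true source 192.168.1.0/24, and pf(4) performs the translation on enc0 instead of on a lo1 loop. The pf rule uses the `nat on` form of the 4.6-era pf.conf(5); later releases express the same thing with `match ... nat-to`.

```conf
# /etc/ipsec.conf (example): the tunnel is negotiated with the peer as
# 10.10.10.0/24 -> 10.20.20.0/24, but the parenthesised address is the
# real local subnet, so the SA is installed for 192.168.1.0/24 and the
# translated packets still match the flow.
ike esp from 10.10.10.0/24 (192.168.1.0/24) to 10.20.20.0/24 peer 192.168.3.2

# /etc/pf.conf (example, pre-4.7 syntax): translate the real source to an
# address inside the negotiated network on enc0, the IPsec interface.
# No lo1 hack is needed because the translation happens on enc0.
nat on enc0 from 192.168.1.0/24 to 10.20.20.0/24 -> 10.10.10.1
```

After loading with `ipsecctl -f /etc/ipsec.conf`, `ipsecctl -sa` should list the flow with 192.168.1.0/24 as its local source.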



nat,ipsec,pf,routing question

2009-10-29 Thread Christoph Leser
I'm sure I have seen the answer to my question here on the list some
time ago, but I'm too stupid to find it again:

In what order are the following operations performed on an IP packet?

a. IPSEC ( decides whether a packet matches an IPSEC flow )
b. normal kernel routing
c. NAT
d. packet filtering ( block/pass commands in pf.conf )

The reason I ask is that I failed to setup NAT for an IPSEC tunnel as
described in

http://marc.info/?l=openbsd-pf&m=115875312200995&w=2

As far as I understand, this can only work if NAT ( on lo1 ) is
performed before IPSEC checks for matching flows.

Has this order been changed in OBSD4 ( the above post from 2006 refers
to OBSD 3.8 )? There is a newer posting on the same issue at
http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html,
suggesting essentially the same procedure.

Regards

Christoph