If I remember the protocol correctly, IPSec has a checksum that's embedded into it to show if the packet has been altered. NAT alters the crap out of the packet to make it traverse the network, hence breaking the IPSec security and therefore making it a worthless packet. Meaning, IPSec into a NAT tunnel will never work, but outbound from said tunnel would.

-Sean

----- Original Message -----
From: "John Cianfarani" <[EMAIL PROTECTED]>
To: <support@pfsense.com>
Sent: Wednesday, February 28, 2007 12:53 AM
Subject: RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

I can always hope :P

Good to know I can NAT out of an IPSec tunnel; that at least is useful for me.
Good work anyhow.

Thanks
John

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 10:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

On 2/20/07, John Cianfarani <[EMAIL PROTECTED]> wrote:
> Catching up on the list here and I saw this; that's awesome work!
> Curious, does this mean we are any closer to doing NAT for traffic in/out of an IPSec tunnel?

For some form of closer.  Sadly, not really.  IPSec policy takes
effect before filtering/NATing, so while coming out of a tunnel you
could NAT (inside interface), traffic initiated _inside_ your network
across the tunnel will hit the tunnel before PF sees it to NAT (NAT
only occurs egress on an interface).  Maybe someday we'll see this,
but it's going to take a lot more kernel reorg I think.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



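The ordering Bill describes (IPsec policy applied to outbound traffic before PF gets to NAT it on egress, while traffic that has already come out of the tunnel can be NATed on the inside interface), shown as an added pf.conf fragment. This is an illustration written for this page, not configuration from the thread or from pfSense itself; the interface names, the subnets and the use of enc0 as the IPsec pseudo-interface are assumptions.

```pf
# Added example, not from the original thread. Names below are assumptions:
#   em0  = WAN (the IPsec peer is reached through here)
#   em1  = LAN, 192.168.1.0/24
#   enc0 = FreeBSD IPsec pseudo-interface on which decrypted packets appear
#   remote end of the tunnel: 10.20.0.0/24
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
rem_net = "10.20.0.0/24"

# Works, per Bill: packets that have already left the tunnel are NATed as
# they egress the LAN interface. PF sees them on em1 after IPsec has
# decapsulated them, so this rule is applied. Remote hosts then appear to
# the LAN as the LAN address of the firewall.
nat on $lan_if from $rem_net to $lan_net -> ($lan_if)

# Does NOT work, per Bill: LAN hosts talking to the remote net match the
# IPsec policy before PF's egress NAT runs, so PF never sees the inner
# packet on its way out (only the resulting ESP packet toward the peer).
# Left here, commented out, to show the rule that does nothing useful.
# nat on $wan_if from $lan_net to $rem_net -> ($wan_if)

# Let the decrypted traffic through. Filtering on enc0 is the assumed
# mechanism behind the "IPSEC Filtering" in the subject line.
pass in  on enc0    proto { tcp udp icmp } from $rem_net to $lan_net
pass out on $lan_if proto { tcp udp icmp } from $rem_net to $lan_net
```

To check which rule a given packet actually hits, load the file with `pfctl -f /etc/pf.conf` and watch `pfctl -s nat` and `pfctl -s state` while traffic is flowing: a NAT entry for 10.20.0.0/24 on em1 confirms the inside-interface case, and the absence of any state for the inner LAN-to-remote flow on em0 is the symptom Bill describes.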