I should probably qualify that 'could' as a 'should' :)  Based on what
I know of the enc(4) code you _should_ be able to NAT coming out of
the tunnel, it's performing the NAT after IPSec hands it off to the OS
- I think the return path will get NAT'd before IPSec handling, but
I'm not 100% positive of this.  RDR and NAT egress to your network
into the tunnel cannot work however :(  We'd love to have reports from
people that try weird stuff with this and let us know what works.  I
suspect however there's not going to be a lot we can do to make a
192.168.1.0/24 exist on both sides of a tunnel - or at least not until
someone changes how IPSec works in the FreeBSD kernel.

--Bill
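An added illustration (not code from the thread or from pfSense) of the asymmetry Bill describes, written as a pf.conf fragment; the interface names and subnets are assumptions for the example.

```pf
# Added example, not from the thread or from pfSense.
# Interface names and networks below are assumptions.
lan_if     = "fxp0"            # inside interface
wan_if     = "fxp1"            # outside interface carrying the ESP packets
remote_net = "10.20.0.0/24"    # network on the far side of the tunnel
lan_net    = "192.168.1.0/24"  # local network

# Direction Bill describes as workable: packets arriving through the tunnel
# are decrypted and handed to the stack by enc(4), then egress the LAN
# interface, where pf sees the inner packet and can NAT it.
nat on $lan_if from $remote_net to $lan_net -> ($lan_if)

# Direction Bill describes as not workable: packets initiated on LAN toward
# the remote network are matched by IPsec policy and encrypted before pf
# gets an egress pass at them, so on $wan_if pf only sees ESP, never the
# inner packet this rule is written for. It would never rewrite anything.
# nat on $wan_if from $lan_net to $remote_net -> 10.20.0.254
```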

On 2/27/07, John Cianfarani <[EMAIL PROTECTED]> wrote:
I can always hope :P

Good to know I can NAT out of an IPSec tunnel; that at least is useful for me.
Good work anyhow.

Thanks
John

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Monday, February 26, 2007 10:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

On 2/20/07, John Cianfarani <[EMAIL PROTECTED]> wrote:
> Catching up on the list here and I saw this, that's awesome work!
> Curious, does this mean we are any closer to doing NAT for traffic in/out of
> an IPSec tunnel.

For some form of closer.  Sadly, not really.  IPSec policy takes
effect before filtering/nating, so while coming out of a tunnel you
could nat (inside interface), traffic initiated _inside_ your network
across the tunnel will hit the tunnel before PF sees it to nat (nat
only occurs egress on an interface).  Maybe someday we'll see this,
but it's going to take a lot more kernel reorg I think.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]