I think what you're thinking about is the difference between AH and ESP.  AH
provides origin authentication, so it adds a hash checksum for the IP header;
if that gets changed by NAT, the packet will be dropped by the other IPSEC
endpoint as it fails the checksum match.  ESP, on the other hand, does
encryption on the data and does not touch the IP header, so it's free to be
modified by NAT.

Thanks
John

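The AH-versus-ESP point above, as an added example that is not part of the thread or pfSense: a toy model of what each protocol's integrity check value (ICV) covers, with constructed addresses, key and payload. It also goes one step further than the message and shows that an ordinary router hop (TTL decrement only) does not break AH, because TTL is a mutable field that AH zeroes before hashing, while a NAT address rewrite does.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key
TRUNC = 12                     # HMAC-SHA256-96 style truncated ICV

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header, no options; checksum field left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto,
                       0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def ah_icv(ip_hdr, payload):
    """AH (RFC 4302): the ICV covers the IP header with the mutable fields
    (TOS, flags/fragment offset, TTL, header checksum) zeroed, so a router
    hop is fine but a rewritten address is not."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:TRUNC]

def esp_icv(ip_hdr, payload):
    """ESP (RFC 4303): the ICV covers only the ESP header and payload; the
    outer IP header is not an input at all."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:TRUNC]

def router_hop(ip_hdr):
    h = bytearray(ip_hdr); h[8] -= 1                 # TTL decrement only
    return bytes(h)

def nat_rewrite(ip_hdr, new_src):
    h = bytearray(router_hop(ip_hdr))
    h[12:16] = ipaddress.ip_address(new_src).packed  # source address changed
    return bytes(h)

def delivered(mode, path):
    """True if the receiving IPsec endpoint accepts the ICV after the packet
    has crossed `path` ('router' or 'nat') in the given mode ('AH'/'ESP')."""
    icv_fn, proto = (ah_icv, 51) if mode == "AH" else (esp_icv, 50)
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", proto)   # constructed addresses
    payload = b"constructed inner packet"                 # constructed sample data
    icv = icv_fn(hdr, payload)                            # computed by the sender
    seen = router_hop(hdr) if path == "router" else nat_rewrite(hdr, "198.51.100.1")
    return hmac.compare_digest(icv_fn(seen, payload), icv)  # receiver's check
```

Even though ESP's ICV survives NAT, a port-translating NAT has no port to map in a bare ESP packet, which is why ESP across NAT still needs NAT-T (UDP encapsulation) in practice.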

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 28, 2007 7:27 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent
snapshots

If I remember the protocol correctly, IPSec has a checksum that's embedded 
into it to show if the packet has been altered. NAT alters the crap out of 
the packet to make it traverse the network, hence breaking the IPSec 
security and therefore making it a worthless packet.
Meaning IPSec into a NAT tunnel will never work, but outbound from said 
tunnel would.


-Sean

----- Original Message -----
From: "John Cianfarani" <[EMAIL PROTECTED]>
To: <support@pfsense.com>
Sent: Wednesday, February 28, 2007 12:53 AM
Subject: RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent 
snapshots

>I can always hope :P
>
> Good to know I can NAT out of an IPSec tunnel; that at least is useful for 
> me.
> Good work anyhow.
>
> Thanks
> John
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 26, 2007 10:44 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent
> snapshots
>
> On 2/20/07, John Cianfarani <[EMAIL PROTECTED]> wrote:
>> Catching up on the list here and I saw this, that's awesome work!
>> Curious, does this mean we are any closer to doing NAT for traffic in/out
> of
>> an IPSec tunnel?
>
> For some form of closer.  Sadly, not really.  IPSec policy takes
> effect before filtering/nating, so while coming out of a tunnel you
> could nat (inside interface), traffic initiated _inside_ your network
> across the tunnel will hit the tunnel before PF sees it to nat (nat
> only occurs egress on an interface).  Maybe someday we'll see this,
> but it's going to take a lot more kernel reorg I think.
>
> --Bill
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
