This is good to hear. I had to hack pb8 to add IPSec and fire up NATD for a
VPN for a customer. Their Seattle office is still waiting on DSL so I can
mail out flash cards to them if this all works right on pb9.
Two of us here messed around with IPNAT and IPSec and just gave up a couple
of months ago completely.
On 5/17/03 1:41 PM, "Manuel Kasper" <mk at neon1 dot net> wrote:
> Hi Michael,
>> How did you handle integrating IPSec with NAT?
>> We've had to use NATD on the 'inside' interface for this to work, are you
>> using NATD or IPNAT?
> m0n0wall uses ipnat; there don't seem to be any issues with NAT and IPsec,
> but this is probably because the NAT rule generator specifies the source
> address (LAN and DMZ subnet) instead of just 0/0 in the ipnat map rules...
>> I looked at modifying the BSD kernel to switch the ordering on when IPNAT
>> and IPSEC process packets to get it working correctly.
> Well, I can tell you that I'm absolutely sick of fixed processing orders -
> when you have ipfw, ipfilter, ipnat, IPsec and dummynet and use them all
> at once, you have to keep inventing workarounds... Add to the fact that
> the processing order is not well documented. I had to add pass rules for
> ESP packets on WAN to ipfilter when IPsec is enabled - OK, that's what one
> would expect. What nobody tells you is that the packets reappear on the
> WAN interface after having been decrypted, but this time as ipencap
> packets (IPv4-in-IPv4), so you have to pass those, too. This only seems to
> happen with FAST_IPSEC and not with KAME IPSEC, though. Then they appear
> on WAN once more with the real/internal source/destination addresses. And
> finally, you have to pass (or keep state) them out of the LAN interface.
> So IPsec packets go through ipfilter 4 times, and that doesn't help the
> (IMHO bad) performance much...
> - Manuel
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
michael at staff dot openaccess dot org