tech-net archive
reverse processing order: NAT, IPsec ?
I'm in a situation where I want to set up a router to translate (NAT) a
local network into a private network (assume both are /24), then send the
traffic over an IPsec tunnel to a vpn-gw router (Netscreen VPN, not under
my control):
local/24 =NAT=> private/24 ===tunnel===> vpn-gw
I wonder how to get NAT & IPsec right here. With a "normal" DSL setup, I
configure ipf.conf so that the NAT is done on the outgoing interface, i.e.
pppoe0, but I'm not sure what interface to use here: pppoe0 is intended to
send out IPsec traffic via the external network; as a consequence, the
external interface looks even more wrong. Specifying the internal
interface looks wrong as well, as I'd expect translation to happen only for
inbound traffic then.
What is the general order of processing in this case? The NetBSD IPsec FAQ
says that IPsec is applied first[1], but what I want is to do NAT first,
then put the result through the IPsec mechanism.
Does anyone have an idea how to achieve this?
Note that the NAT is before the IPsec connection, so I'm pretty sure NAT-T
is not relevant here.
Any clues? Thanks in advance!
- Hubert
[1] http://www.netbsd.org/docs/network/ipsec/#procorder