tech-net archive
Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 11:28:37AM +0200, Hubert Feyrer wrote:
>
> I'm in a situation where I want to set up a router to translate (NAT) a
> local network into a private network (assume both are /24), then send the
> traffic over an IPsec tunnel to a vpn-gw router (Netscreen VPN, not under
> my control):
>
> local/24 =NAT=> private/24 ===tunnel===> vpn-gw
>
> I wonder how to get NAT & IPsec right here. With a "normal" DSL setup, I
> configure ipf.conf so that the NAT is done on the outgoing interface,
> i.e. pppoe0, but I'm not sure what interface to use here: pppoe0 is
> intended to send out IPsec traffic via the external network, so as a
> consequence the external interface looks even more wrong; specifying the
> internal interface looks wrong as I'd expect translation to happen for
> inbound traffic only then.
<soapbox>
These difficulties sound like a symptom of the design flaw in NetBSD's
IPsec that we should not repeat: hard-coding hooks in the IP input
and output routines. A design that re-used existing abstractions
to provide building blocks to the operator---for example, an IPsec
pseudo-interface where the IPsec processing occurs---would be more
versatile and transparent, and it would spare us some complexity in the
IP code.
You could attach a BPF tap, packet filters, and translators to an IPsec
pseudo-interface. It seems that a second attachment point for packet
filters is what you need here.
</soapbox>
Dave
--
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933