[afnog] IPfw + natd
Phil Regnauld
regnauld at x0.dk
Fri Dec 2 18:31:35 EAT 2005
On Fri, Dec 02, 2005 at 03:18:46PM +0000, Brian Candler wrote:
>
> Another good solution might be to go with pf :-)
PF has one limitation that bothers me: I can't do reverse NAT
on an ingress interface BEFORE it gets processed by the rest
of the stack.
For example, with IPFW + natd, I can do reverse NAT on the inside
interface, on packets on the way out, THEN encapsulate them in IPsec,
thus presenting only 1 IP to SA.
I've done this for a couple of customers who needed site to site
VPN with conflicting IP ranges (RFC1918 on both sides) -- the solution
was to allocate an extra IP address on the outside, use ports/net/choparp
to grab packets for that IP, route that IP to the inside interface,
then do reverse NATd to that IP on the inside interface, and finally
tell IPsec to encapsulate _that_ IP to the remote site.
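The five steps described above, written out as an added example (this is not Phil's configuration; it is a reconstruction from the description). All addresses and interface names are assumptions: outside interface em0 carrying the extra public address 192.0.2.10, inside interface em1 with the local LAN 192.168.1.0/24, the remote site reached as 10.200.0.0/24 through the tunnel, local gateway 203.0.113.1 and remote gateway 198.51.100.1. The script prints the commands unless APPLY=1 is set, so it can be reviewed before being run on a FreeBSD host with ipfw, natd, setkey and ports/net/choparp installed.

```shell
#!/bin/sh
# Reverse NAT on the inside interface before IPsec (ipfw + natd + choparp).
# Added example with hypothetical addresses; set APPLY=1 to execute.

OUT_IF=${OUT_IF:-em0}                  # outside interface (public side)
IN_IF=${IN_IF:-em1}                    # inside interface (private side)
EXTRA_IP=${EXTRA_IP:-192.0.2.10}       # extra public IP presented to the SA
INSIDE_NET=${INSIDE_NET:-192.168.1.0/24}   # local RFC1918 range (collides remotely)
REMOTE_NET=${REMOTE_NET:-10.200.0.0/24}    # remote site as seen through the tunnel
LOCAL_GW=${LOCAL_GW:-203.0.113.1}      # local IPsec gateway address
REMOTE_GW=${REMOTE_GW:-198.51.100.1}   # remote IPsec gateway address
NATD_PORT=${NATD_PORT:-8669}           # own divert port, separate from a normal natd on 8668

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Answer ARP for the extra address on the outside interface so the
#    upstream router hands us packets for it (choparp from ports/net/choparp).
step_arp() {
    run choparp "$OUT_IF" auto "$EXTRA_IP"
}

# 2. Route the extra address towards the inside interface so packets for it
#    traverse em1, where the divert rules below can catch them.
step_route() {
    run route add -host "$EXTRA_IP" -iface "$IN_IF"
}

# 3. natd in reverse mode on the inside interface: LAN hosts heading for the
#    remote site are rewritten to EXTRA_IP before the IPsec policy is consulted.
step_natd() {
    run natd -reverse -interface "$IN_IF" -alias_address "$EXTRA_IP" -port "$NATD_PORT"
}

# 4. Divert only the site-to-site traffic: LAN -> remote on the way in from em1,
#    remote -> EXTRA_IP on the way out to em1 (de-aliased back to the LAN host).
step_ipfw() {
    run ipfw add 100 divert "$NATD_PORT" ip from "$INSIDE_NET" to "$REMOTE_NET" via "$IN_IF"
    run ipfw add 110 divert "$NATD_PORT" ip from "$REMOTE_NET" to "$EXTRA_IP" via "$IN_IF"
}

# 5. IPsec policy: the tunnel carries EXTRA_IP <-> REMOTE_NET, a single local address.
ipsec_policy() {
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$EXTRA_IP" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_NET" "$EXTRA_IP" "$REMOTE_GW" "$LOCAL_GW"
}

step_ipsec() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipsec_policy | setkey -c
    else
        printf 'setkey -c <<EOF\n%s\nEOF\n' "$(ipsec_policy)"
    fi
}

# Emit (or apply) all steps in order.
render_plan() {
    step_arp
    step_route
    step_natd
    step_ipfw
    step_ipsec
}

render_plan
```

Only the divert scaffolding and the SPD entries are shown; the rest of the ipfw ruleset (the allow rules around the divert rules) and the IKE daemon that negotiates the SAs between the two gateways are assumed to be in place already. Rule 110 relies on the interface route from step 2: decrypted packets for 192.0.2.10 are pushed out through em1 and so pass the divert rule, where natd maps them back to the LAN host.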