On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
[..]
I can't comment on your ipsec setup at all, but:
> > cat /etc/ipfw.conf
> ...
>
> add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
> add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
> add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
> add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
>
> add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
> nat 100 config log if bge1 ip b.b.b.1 reverse
Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe
that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.
> so, ipsec and ipfw_nat out works, but where are reply packets
> disappearing to after coming to gif0 interface? why no backward
> divert occurs?
Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and
maybe 'ipfw show' to check that all your other rules match ipfw.conf.
cheers, Ian
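As an added example (not from Ian's reply or anything else in this thread), here is a small sh/awk lint that applies the two checks discussed above to an ipfw.conf: a 'nat N config' line carrying both 'if' and 'ip' (the combination Ian believes should be one or the other), and a 'nat N' rule whose instance number has no 'nat N config' line at all. The sample config is constructed to mirror the quoted rules, with one extra rule (nat 200) added only to exercise the second check.

```shell
#!/bin/sh
# Constructed sample modelled on the thread's ipfw.conf; nat 200 is an
# added rule with no matching config line, to exercise the second check.
IPFW_CONF_SAMPLE='add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse
add 00503 nat 200 all from any to any via em0
nat 300 config if em0'

# lint_ipfw_nat: read ipfw.conf text on stdin, print one finding per line.
# Exit status is the number of findings (0 = nothing flagged).
lint_ipfw_nat() {
    awk '
    # Remember which nat instances the "add ... nat N ..." rules reference.
    $1 == "add" {
        for (i = 2; i <= NF; i++) if ($i == "nat") { used[$(i+1)] = $0; break }
    }
    # Inspect each "nat N config ..." line for both an "if" and an "ip" option.
    $1 == "nat" && $3 == "config" {
        defined[$2] = 1
        has_if = 0; has_ip = 0
        for (i = 4; i <= NF; i++) { if ($i == "if") has_if = 1; if ($i == "ip") has_ip = 1 }
        if (has_if && has_ip) {
            print "nat " $2 ": config gives both \"if\" and \"ip\"; use one aliasing address"
            n++
        }
    }
    END {
        for (id in used) if (!(id in defined)) {
            print "nat " id ": a rule references it but there is no \"nat " id " config\" line"
            n++
        }
        exit n
    }'
}

# Stand-alone run over the sample: prints the two findings above.
printf '%s\n' "$IPFW_CONF_SAMPLE" | lint_ipfw_nat || true
```

Feed it your real file with 'lint_ipfw_nat < /etc/ipfw.conf' and compare the flagged instances against 'ipfw nat show config'.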
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw