Hi!
There is a strange NAT behaviour in our cfg.
OS: amd64 7.0-RC1
kernel recompiled with IPSEC and IPSEC_FILTERTUNNEL
We are using isakmp-tools, and we have a dozen ipsec tunnels
working fine.
The internal users can do practically anything through NAT.
Except one.
There is one user, who has an ipsec client sw on Windoze.
The user wants a connection to a remote
customer, through our fw/nat.
If I tcpdump on the external interface I see that all of the
user's traffic is nat-ed, except udp 500. It is sent
out with the private address, without nat.
In this case there is no trace of the traffic in pflog (every rule has
the 'log' directive in pf.conf).
If I use stricter rules, not allowing private addresses to go out,
the traffic appears in pflog, but
instead of nat and allow out (like everything else) I see
that pf blocks the outgoing isakmp traffic
on the external if with the private address of the PC.
The pf.conf has the recommended order of rules: first nat,
then filter.
I tried nat proxy as well (and this is the current cfg), but
it did not help (I didn't really hope it would).
So how can it be that everything is nat-ed except
udp-isakmp?
Everything is working very well, except this one.
Thanks in advance
Gabor
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe@freebsd.org"
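Added example, not the poster's pf.conf and not a known fix for the case above: a minimal pf.conf fragment in the order the post describes (translation rules first, filter rules after) that makes the IKE (udp/500) path visible in pflog. The interface name, the internal network and the client address are assumptions; replace them with your own. Two points it shows that the post does not: pf normally rewrites the source port of a NAT-ed UDP flow, and `static-port` keeps it at 500, which many IKE peers require; and because translation happens before filtering on the outbound path, a `block out` rule matching the private network only ever fires for packets that were not translated, so a hit on that rule in pflog confirms the translation rule was skipped rather than the filter being wrong.

```pf
# Added example (not the original poster's configuration).
# All macro values below are assumptions chosen for illustration.
ext_if   = "em0"               # assumed external interface
int_net  = "192.168.1.0/24"    # assumed internal network
ipsec_pc = "192.168.1.50"      # assumed address of the Windows IPsec client

# --- Translation rules (must precede filter rules in pf.conf) ---
# IKE: keep the source port at 500 instead of letting pf pick a random one.
nat on $ext_if proto udp from $ipsec_pc to any port 500 -> ($ext_if) static-port
# Everything else from the internal network.
nat on $ext_if from $int_net to any -> ($ext_if)

# --- Filter rules (see the already-translated packet on $ext_if) ---
# Log IKE explicitly so the flow is easy to find in pflog.
pass out log quick on $ext_if proto udp from ($ext_if) to any port 500 keep state
# Anything still carrying a private source address was not translated;
# logging it here tells you the nat rule did not match.
block out log quick on $ext_if from $int_net to any
pass out log on $ext_if from ($ext_if) to any keep state
```

After loading the rules, `pfctl -s nat` lists the active translation rules and `tcpdump -n -e -ttt -i pflog0 udp port 500` shows which rule each logged IKE packet hit. If the tunnel is to carry ESP through this NAT, the client and the remote peer also need NAT traversal (udp/4500), which needs the same treatment as udp/500 here; plain ESP cannot be address-translated.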