When FreeSWAN is configured to do Opportunistic Encryption, it arranges for
all outgoing packets to travel through ipsec0. If the destination is not OE
capable, the packet goes out in the clear on ppp0/eth0.

When OE is configured on a box that also does NAT (IP masquerading) we run
into a problem. One can talk to any box that has OE enabled.

This is because the NAT code seems to believe it proper for packets to
arrive on the same interface that they went out on. This just doesn't happen
when there is IPsec OE (as it exists now) and often won't happen at all when
there are multiple internet connections.

Jamal Hadi diagnosed this as the problem in the bar at IETF, but wasn't
sure what piece of code we could hack. He seemed to think that this code has
been changed in 2.5. If someone could point at the change, I would appreciate
it, as we have many people who want to do precisely this: NAT followed by OE.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
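The failure mode described in the post, modelled as an added example. This is
not FreeS/WAN code and not the Linux masquerading code; it is a toy source-NAT
table written two ways: one that binds each translation to the interface the
packet left on (the behaviour the post attributes to the NAT code) and one that
keys the reverse lookup on the protocol/port tuple alone. The interface names
ipsec0 and eth0 come from the post; the addresses, ports and the hypothetical
run_scenario() helper are constructed for the illustration.

```python
"""Toy model of a masquerading NAT whose reply path does not match its egress.

Added example, not code from FreeS/WAN or the Linux NAT implementation.
Addresses and ports are constructed; interface names follow the post.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


GATEWAY_PUBLIC = "203.0.113.1"  # constructed public address of the NAT box


class Masquerader:
    """Source NAT that rewrites (src, sport) to (GATEWAY_PUBLIC, public_port).

    With bind_iface=True a reply is matched only if it arrives on the interface
    the original packet was sent out on; with bind_iface=False the reverse
    lookup uses the protocol/port tuple alone.
    """

    def __init__(self, bind_iface: bool) -> None:
        self.bind_iface = bind_iface
        self._next_port = 40000
        # (proto, public_port) -> (original src, original sport, egress iface)
        self._table: Dict[Tuple[str, int], Tuple[str, int, str]] = {}

    def outbound(self, pkt: Packet, egress_iface: str) -> Packet:
        """Translate a packet leaving via egress_iface and record the mapping."""
        public_port = self._next_port
        self._next_port += 1
        self._table[(pkt.proto, public_port)] = (pkt.src, pkt.sport, egress_iface)
        return Packet(GATEWAY_PUBLIC, public_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet, ingress_iface: str) -> Optional[Packet]:
        """Reverse-translate a reply; None means the NAT found no usable entry."""
        entry = self._table.get((pkt.proto, pkt.dport))
        if entry is None or pkt.dst != GATEWAY_PUBLIC:
            return None
        orig_src, orig_sport, egress_iface = entry
        if self.bind_iface and ingress_iface != egress_iface:
            return None  # reply came back on a different interface: dropped
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport, pkt.proto)


def run_scenario(bind_iface: bool, reply_iface: str = "eth0") -> Optional[Packet]:
    """Internal host talks to a peer that is not OE capable: the packet leaves
    through ipsec0, travels in the clear, and the reply shows up on eth0.
    Hypothetical helper; hosts and ports are constructed."""
    nat = Masquerader(bind_iface)
    client = Packet("10.0.0.5", 51000, "198.51.100.7", 80)
    on_wire = nat.outbound(client, egress_iface="ipsec0")
    # The peer answers the translated address; swap the tuple around.
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return nat.inbound(reply, ingress_iface=reply_iface)


if __name__ == "__main__":
    print("interface-bound NAT, reply on eth0:  ", run_scenario(True))
    print("tuple-keyed NAT, reply on eth0:      ", run_scenario(False))
    print("interface-bound NAT, reply on ipsec0:", run_scenario(True, "ipsec0"))
```

The interface-bound table returns None for the eth0 reply and only works when the
answer comes back through ipsec0, which is exactly the symmetry the post says OE
(and multi-homed uplinks) break; the tuple-keyed table delivers the reply either
way. The model says nothing about where in the 2.4 or 2.5 kernel that binding
lives; that is the question the post leaves open.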