# vpn/ipsec for jails (how to redirect/forward TCP)



## nbari (Jul 7, 2009)

Hi, I have a server with multiple public IPs (one per jail). On one jail I need an IPsec VPN; to do so I created the IPsec tunnel on the main host, using the jail IP as the peer, and later, using pf, just redirect/NAT the traffic to the jail, doing something like this:

```
nat pass on gif0 from 77.128.37.144 to 10.0.0.1 -> gif0
rdr pass on gif0 inet proto tcp from any to any port 8090 -> 77.128.37.144 port 8090
```


```
<host B 10.0.0.1><----internet---><host FBSD host  77.128.37.140><==jails 77.128.37.140-144
```

This is the output of ifconfig:


```
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 77.128.37.144 --> 67.228.78.163
        inet 192.168.1.1 --> 10.0.0.1 netmask 0xffffffff
```

If IPsec is not running, the redirection and NAT work fine: from the jail 77.128.37.144 I can ping the private host B 10.0.0.1 and connect to port 8090, and also machines from host B can telnet/ping port 8090 on 77.128.37.144.

But if I enable IPsec, once the traffic becomes encrypted I cannot route/NAT the traffic.

What I need is to be able to connect from jail IP 77.128.37.144 to 10.0.0.1 on port 8090.

Right now I am solving this with jumpgate (a TCP connection forwarder), running it from the master host, but is there a way of doing the same with pf?


My kernel has the following options:

```
options   IPSEC
options   IPSEC_FILTERTUNNEL
options   IPSEC_DEBUG  
device    crypto
device    enc
```

Any ideas?

Regards.


----------



## SirDice (Jul 10, 2009)

You can't easily NAT IPsec. Besides the IKE connection, you will also need to forward any ESP data (protocol 50).

http://en.wikipedia.org/wiki/NAT_traversal#NAT_traversal_and_IPsec


----------
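As an added illustration of SirDice's point (this is not part of any post in the thread), here is a pf.conf fragment that lets the tunnel's IKE and ESP traffic reach the host untouched and does the port 8090 redirect on the decrypted side. The external interface name is an assumption; the addresses are the ones quoted in the thread (jail 77.128.37.144 as the tunnel endpoint, remote gateway 67.228.78.163, host B 10.0.0.1) and the port numbers are the standard IKE (UDP 500), IKE NAT-T (UDP 4500) and ESP (IP protocol 50) values.

```pf
# Added example, not from the thread. Macro values are assumptions
# taken from the addresses quoted in the first post.
ext_if   = "em0"           # assumed external interface of the FreeBSD host
jail_ip  = "77.128.37.144" # jail address that is also the tunnel endpoint
peer_ip  = "67.228.78.163" # remote IPsec gateway
hostb_ip = "10.0.0.1"      # private host behind the remote gateway

# 1. Encrypted path: IKE, IKE NAT-T and ESP must pass as-is on the
#    external interface. A TCP rdr never matches the inner connection
#    here, because it is carried inside the ESP payload.
pass in  quick on $ext_if proto udp from $peer_ip to $jail_ip port { 500, 4500 }
pass out quick on $ext_if proto udp from $jail_ip to $peer_ip port { 500, 4500 }
pass in  quick on $ext_if proto esp from $peer_ip to $jail_ip
pass out quick on $ext_if proto esp from $jail_ip to $peer_ip

# 2. Cleartext path: with device enc in the kernel the packets are
#    visible on enc0 after decryption / before encryption, and the
#    tunnel interface gif0 carries the inner addresses, so the
#    redirect and NAT for port 8090 belong on these interfaces,
#    not on $ext_if.
rdr pass on gif0 inet proto tcp from any to any port 8090 -> $jail_ip port 8090
nat pass on gif0 from $jail_ip to $hostb_ip -> gif0
pass on enc0 all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `tcpdump -ni enc0` to confirm that decrypted packets for port 8090 actually appear there; if nothing shows up on enc0 while ESP is flowing on the external interface, the problem is in the IPsec policy rather than in pf.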



## nbari (Sep 8, 2011)

I have added


```
options   IPSEC_NAT_T
```

to the kernel. Any ideas how to make it work?


----------



## DutchDaemon (Sep 8, 2011)

Recompile the kernel. You added it to the configuration file for the kernel. It still needs to be built. See the Handbook.


----------



## nbari (Sep 9, 2011)

I omitted to mention that the kernel was already compiled and the server has been rebooted, since to have IPSEC you need to rebuild the kernel; it is a 'must' to rebuild the kernel and reboot when adding extra options.

But anyway, besides that, I can get it to work.

Any more ideas?


----------

