Date: Wed, 30 Apr 2003 12:35:01 -0700
From: Greg White <gregw-freebsd-security@greg.cex.ca>
To: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030430123501.A20461@greg.cex.ca>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton <guy@obstruction.com> writes:
>
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's impossible. IPSEC can't be passed through a NAT.

That totally depends on what the endpoint is, and what the IPSEC client supports. Nortel and Cisco (and most other commercial IPSEC device vendors AFAIK) support this draft:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt

NAT traversal through IKE is now a reality. The vendor's documentation will detail what other ports must be passed, on either side, to fully support this. ISTR that it requires an additional UDP port.

I have successfully (and repeatedly) used Nortel VPN client on a NATed host through a FreeBSD gateway.

--
Greg White
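The additional UDP port the draft introduces is 4500: once both peers detect a NAT, IKE moves from UDP/500 to UDP/4500 and ESP is carried inside UDP/4500 as well, so a firewall or IDS watching that port sees three things mixed together (IKE prefixed with a four-byte all-zero "Non-ESP marker", UDP-encapsulated ESP starting with its SPI, and one-byte 0xFF NAT keepalives). The demultiplexer below is an added illustration of those encapsulation rules written for this thread, not code from the NAT-T draft or any vendor; the sample packets in it are constructed.

```python
import struct
from dataclasses import dataclass

NAT_T_PORT = 4500                     # UDP port NAT-T uses for IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks an IKE message on port 4500
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next, version, xchg, flags, msgid, length


@dataclass
class NatTPacket:
    kind: str               # "keepalive", "ike" or "esp"
    spi: int = 0            # ESP Security Parameter Index (esp only)
    exchange_type: int = 0  # ISAKMP exchange type (ike only)
    length: int = 0         # ISAKMP total length field (ike only)


def demux_udp4500(payload: bytes) -> NatTPacket:
    """Classify the UDP payload of a port-4500 datagram by its NAT-T encapsulation."""
    if payload == b"\xff":
        return NatTPacket("keepalive")          # NAT keepalive: a single 0xFF byte
    if len(payload) < 8:
        raise ValueError("too short to be ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        hdr = payload[4:4 + ISAKMP_HDR.size]    # IKE: marker, then a 28-byte ISAKMP header
        if len(hdr) < ISAKMP_HDR.size:
            raise ValueError("truncated ISAKMP header")
        _, _, _, _, xchg, _, _, length = ISAKMP_HDR.unpack(hdr)
        return NatTPacket("ike", exchange_type=xchg, length=length)
    spi, _seq = struct.unpack("!II", payload[:8])  # ESP: SPI (never all zero) then sequence number
    return NatTPacket("esp", spi=spi)


if __name__ == "__main__":
    # Constructed samples: keepalive, an IKE Main Mode (exchange type 2) header, and an ESP packet.
    ike = NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 8 + bytes([1, 0x10, 2, 0]) + struct.pack("!II", 0, 28)
    esp = struct.pack("!II", 0xC0FFEE, 1) + b"\x00" * 16
    for pkt in (b"\xff", ike, esp):
        print(demux_udp4500(pkt))
```

A gateway that only passes UDP/500 and ESP will therefore drop the tunnel as soon as NAT is detected; UDP/4500 must be allowed (and, for the NAT, translated statefully) in both directions.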