Date: Wed, 30 Apr 2003 15:52:41 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: Lowell Gilbert <freebsd-security-local@be-well.no-ip.com>
Cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030430154157.U24608@cithaeron.argolis.org>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
On Wed, 30 Apr 2003, Lowell Gilbert wrote:

> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's impossible. IPSEC can't be passed through a NAT.

Actually, that's not strictly true. I've done such a thing myself, but with a trick: I blindly forwarded any packet from the tunnel-server to the client.

The specifics: $WORK uses a Bay (now Nortel) IPSEC VPN server. It's configured to do tunnelling, and assign the client a dynamic address. To do the forwarding, I set up a line like:

    redirect_proto tcp clientip natgwextip vpnserverip
    redirect_proto udp clientip natgwextip vpnserverip

in /etc/natd.conf (and set rc.conf to have natd look at that file). It worked for me, although I suspect that if someone forged vpnserverip, they could sneak packets to my client machine.

The client uses Nortel's client, but watching what I could using a sniffer, it looked like a fairly normal IPSEC connect.

Oddly enough, I was just going to ask how I'd do that forward using ipfw, ipfw2, or ipfilter, since I use ppp now and not natd. Or, can I use natd with ppp if I don't 'ppp -nat ...'?

-- Matt Piechota
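The natd.conf that the reply sketches, written out as an added example (not Matt's own file). The addresses are constructed placeholders from the RFC 5737 documentation ranges, and the extra ESP line reflects the editor's assumption that the tunnel carries ESP (IP protocol 50), which the reply's tcp/udp lines alone would not forward.

```conf
# /etc/natd.conf -- added example, not the configuration from the thread.
# Constructed placeholder addresses:
#   192.0.2.10     inside client running the IPsec VPN client
#   198.51.100.1   NAT gateway's external address
#   203.0.113.5    remote VPN server
# natd reads this file when rc.conf carries:
#   natd_enable="YES"
#   natd_interface="<external interface>"
#   natd_flags="-f /etc/natd.conf"

# As in the reply: every TCP and UDP packet arriving from the VPN server
# is handed straight to the client (IKE on UDP/500 rides on the udp line).
redirect_proto tcp 192.0.2.10 198.51.100.1 203.0.113.5
redirect_proto udp 192.0.2.10 198.51.100.1 203.0.113.5

# Editor's assumption: the tunnelled traffic itself is ESP, which has no
# ports, so it must be forwarded by protocol number as well.
redirect_proto esp 192.0.2.10 198.51.100.1 203.0.113.5

# Caveat raised in the thread: natd forwards anything whose source address
# claims to be 203.0.113.5, so the external-interface firewall rules should
# drop inbound traffic from that address that is not ESP or UDP/500.
```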