Date: Fri, 11 Oct 2002 16:18:39 -0400 (EDT)
From: Jason Hunt <leth@primus.ca>
To: freebsd-questions@FreeBSD.ORG
Cc: MrWebby
Subject: Re: IPsec Tunneling (VPN) from WIN2K (client) to FreeBSD (Server)
In-Reply-To: <3DA72972.7030706@bigfoot.com>
Message-ID: <20021011160625.L59753-100000@lethargic.dyndns.org>

On Fri, 11 Oct 2002, MrWebby wrote:

> I need to enable tunnels from my laptop running Windows 2000 Pro to
> my FreeBSD 4.6. I have a Cable Modem link to the Internet and for my
> firewall and NAT router I use a D-Link 707 Residential Router capable
> of allowing VPN using IPsec 'only'.
>
>  VPN Server               Gateway
>  -----------              -----------
>  192.168.0.3 ------------ 192.168.0.1 ---------------- Internet
>  -----------              -----------                     |
>  FreeBSD 4.6              xxx.xxx.xxx.xxx                 |
>                                                           |
>  -IPsec Enabled           IPsec:                          |
>  -Running Racoon           -ESP mode                      |
>  -Setkey                   -In Tunnel Mode (DUH!)         |
>  -OpenSSL Certificates     -DES encryption                |
>  -psk.txt                  -ESP mode with no encapsulation|
>  -VPN Server: PoPToPt      -no Integrity                  |
>  -Pre-Shared keys                                         |
>                                                           |
>  Client                                                   |
>  -------------                                            |
>  192.168.0.226 -------------------------------------------|
>  -------------
>  Windows 2000 Pro
>
>  -IPsec enabled
>  -Certificate Install

The D-Link Router ("gateway" in the diagram) is performing NAT,
correct?  Is your laptop ("Client") behind NAT as well?  Your diagram
does not make this entirely clear.

However, assuming the above two questions are true, then that is your
problem right there.  IPSec will not work behind NAT, since the packets
are altered by the NAT gateway.  Make sense?

In such a scenario, the gateway itself should become your IPSec server.
The same goes for your client, assuming it is behind a NAT gateway as
well.
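The reply above says the NAT gateway "alters the packets". The following is an added illustration written for this page, not code from the thread, from FreeBSD, racoon or Windows, that models exactly what an address rewrite does to the two IPsec protocols' integrity checks. The HMAC key, the addresses (RFC 5737 documentation ranges for the public side) and the payload are constructed test data, and the packets use the transport-mode layout for brevity; in the tunnel mode the thread uses, the inner IP header simply becomes part of the payload and the ICV coverage is unchanged.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo material: a real SA's integrity key is negotiated by IKE (racoon).
DEMO_KEY = b"constructed-demo-integrity-key"
AH_PROTO, ESP_PROTO, TCP_PROTO, UDP_PROTO = 51, 50, 6, 17
IP_HDR_LEN = 20
ICV_LEN = 12          # HMAC-SHA1-96: IPsec truncates the 20-byte SHA-1 HMAC to 12 bytes
SPI, SEQ = 0x00001000, 1


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # RFC 2402 s.3.3.3.1: the ICV covers the IP header with the mutable fields
    # (TOS, flags/fragment offset, TTL, header checksum) zeroed, the AH header with
    # its own ICV field zeroed, and the payload.  Source/destination are immutable.
    immutable = (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00"
                 + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:])
    msg = immutable + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(DEMO_KEY, msg, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    """IP + AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, (12 + ICV_LEN) // 4 - 2, 0, SPI, SEQ)
    total_len = IP_HDR_LEN + len(ah_fixed) + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    return ip_hdr + ah_fixed + _ah_icv(ip_hdr, ah_fixed, payload) + payload


def verify_ah(packet: bytes) -> bool:
    ip_hdr, rest = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, _ah_icv(ip_hdr, ah_fixed, payload))


def build_esp_packet(src: str, dst: str, payload: bytes) -> bytes:
    """IP + ESP with integrity only; encryption is left out because the point is
    what the ICV covers (the thread's Win2K policy can even switch both off)."""
    pad_len = (-(len(payload) + 2)) % 4            # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", SPI, SEQ) + payload + bytes(range(1, pad_len + 1))
            + struct.pack("!BB", pad_len, TCP_PROTO))
    # RFC 2406: the ICV covers SPI, sequence, payload and trailer, never the outer IP header
    icv = hmac.new(DEMO_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP_PROTO, IP_HDR_LEN + len(body) + ICV_LEN) + body + icv


def verify_esp(packet: bytes) -> bool:
    body, icv = packet[IP_HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(DEMO_KEY, body, hashlib.sha1).digest()[:ICV_LEN])


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """What the gateway does on the way out: new source address, TTL-1, checksum fixed."""
    ip_hdr = bytearray(packet[:IP_HDR_LEN])
    ip_hdr[8] -= 1
    ip_hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + packet[IP_HDR_LEN:]


def napt_ports(packet: bytes):
    """A port-translating NAT keys its table on (src port, dst port); AH and ESP have none."""
    if packet[9] in (TCP_PROTO, UDP_PROTO):
        return struct.unpack("!HH", packet[IP_HDR_LEN:IP_HDR_LEN + 4])
    return None


def demo() -> dict:
    """Push AH, ESP and a plain TCP segment through the NAT and report what survives."""
    payload = b"constructed inner datagram"
    ah = build_ah_packet("192.168.0.226", "203.0.113.10", payload)
    esp = build_esp_packet("192.168.0.226", "203.0.113.10", payload)
    tcp = (ipv4_header("192.168.0.226", "203.0.113.10", TCP_PROTO, IP_HDR_LEN + 4)
           + struct.pack("!HH", 1234, 80))
    ah_nat, esp_nat = nat_rewrite(ah, "198.51.100.7"), nat_rewrite(esp, "198.51.100.7")
    return {
        "ah_verifies_before_nat": verify_ah(ah),
        "ah_verifies_after_nat": verify_ah(ah_nat),
        "esp_verifies_before_nat": verify_esp(esp),
        "esp_verifies_after_nat": verify_esp(esp_nat),
        "nat_left_ip_checksum_valid": ip_checksum(esp_nat[:IP_HDR_LEN]) == 0,
        "napt_can_track_tcp": napt_ports(tcp) == (1234, 80),
        "napt_can_track_esp": napt_ports(esp) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the two different failure modes: AH stops verifying after the rewrite because the outer addresses are under its ICV (a plain router decrementing TTL would not have broken it, since TTL is a mutable field), whereas ESP's ICV still verifies because it never covered the outer header. What breaks ESP is the second check: a port-translating NAT finds no transport ports in an ESP packet to map a flow on, so it can at best forward one inside peer by protocol number, and IKE's own checks on the peer's address and identity add to the problem. The standard answer that emerged later is UDP encapsulation of ESP on port 4500 (RFC 3948, NAT traversal), which gives the NAT ports to work with.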