Date:      01 May 2003 07:29:04 -0400
From:      "V.M.Smith" <vmsmith@grokking.org>
To:        freebsd-security@freebsd.org
Subject:   Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID:  <1051788543.641.31.camel@thoreau.sohotech.ca>
In-Reply-To: <20030430190040.A78C937B407@hub.freebsd.org>
References:  <20030430190040.A78C937B407@hub.freebsd.org>

Hi,

Looks like you just want client-side "pass-through" functionality. If
this is correct, try using ipf/ipnat and write a map proxy rule in
/etc/ipnat.rules. 

I use this, assuming ipf/ipnat on a dual-homed gateway:


[NOTE: this should appear BEFORE other map entries.]

map <wan_interface> <internal_lan_address_range> -> 0/32 proxy port 500 ipsec/udp


Then make sure your /etc/ipf.rules have appropriate entries to support
it. I use these:


pass in quick on <lan_interface> proto 50 from any to any keep state

pass in quick on <lan_interface> proto udp from any port = 500 to any keep state


Try using tcpdump on the gateway to determine any additional needs
specific to your implementation and topology. Set aside some time and be
prepared to tinker...

Hope that helps,

VS

On Wed, 2003-04-30 at 15:00, freebsd-security-request@freebsd.org wrote:
> Send freebsd-security mailing list submissions to
> 	freebsd-security@freebsd.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> 	freebsd-security-request@freebsd.org
> 
> You can reach the person managing the list at
> 	freebsd-security-owner@freebsd.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
> 
> 
> Today's Topics:
> 
>    1. how to configure a FreeBSD firewall to pass IPSec? (Guy Middleton)
>    2. Re: how to configure a FreeBSD firewall to pass IPSec?
>       (David G. Andersen)
>    3. Re: how to configure a FreeBSD firewall to pass IPSec?
>       (Lowell Gilbert)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Apr 2003 09:45:37 -0400
> From: Guy Middleton <guy@obstruction.com>
> Subject: how to configure a FreeBSD firewall to pass IPSec?
> To: freebsd-security@freebsd.org
> Message-ID: <20030430094537.A20710@chaos.obstruction.com>
> Content-Type: text/plain; charset=us-ascii
> 
> I have a FreeBSD box acting as a firewall and NAT gateway
> 
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
> 
> Is there a way to do this?  I can't find any hints in the man pages.
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Apr 2003 07:55:27 -0600
> From: "David G. Andersen" <danderse@cs.utah.edu>
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
> To: Guy Middleton <guy@obstruction.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <20030430075527.A54362@cs.utah.edu>
> Content-Type: text/plain; charset=us-ascii
> 
> Guy Middleton just mooed:
> > I have a FreeBSD box acting as a firewall and NAT gateway
> > 
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> > 
> > Is there a way to do this?  I can't find any hints in the man pages.
> 
>   It's probably using either ipip, esp, or ipencap.  tcpdump the
> traffic, and then permit whichever protocol it's using.
> 
>   permit esp from foo to bar
> 
>   -Dave



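Both replies in the thread give the same procedure: run tcpdump on the gateway, see which IPsec protocols the client actually uses, then write pass rules for just those. The script below is an added example, not code from the thread or from ipf/ipnat: it classifies constructed tcpdump lines (IKE on UDP 500, ESP, AH and IP-in-IP, which goes slightly beyond the protocols the thread names) and emits ipf rules in the style of VS's, narrowed to the hosts actually observed rather than "any". The interface name rl0, the 192.168.1.0/24 LAN and the sample capture are assumptions.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n` on the gateway's LAN interface: an internal
# client (192.168.1.10) negotiating IKE and then sending ESP and IP-in-IP to a
# remote peer (203.0.113.5). Not a real capture.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:00:01.000002 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident
12:00:02.000003 IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x0000abcd,seq=0x1), length 116
12:00:02.000004 IP 203.0.113.5 > 192.168.1.10: ESP(spi=0x0000beef,seq=0x1), length 116
12:00:03.000005 IP 192.168.1.10 > 203.0.113.5: IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 1, seq 1, length 64
"""

# Line shapes tcpdump prints for the IPsec-related protocols, paired with the
# ipf selector that passes them. More specific patterns come first.
PATTERNS = [
    (re.compile(r" IP (\S+)\.500 > (\S+)\.500: isakmp"), "proto udp from {src} port = 500 to {dst}"),
    (re.compile(r" IP (\S+) > (\S+): ESP\("), "proto 50 from {src} to {dst}"),  # ESP
    (re.compile(r" IP (\S+) > (\S+): AH\("), "proto 51 from {src} to {dst}"),   # AH
    (re.compile(r" IP (\S+) > (\S+): IP "), "proto 4 from {src} to {dst}"),     # ipip / ipencap
]


def observed_flows(tcpdump_text):
    """Distinct (src, dst, selector) triples seen in the capture, in first-seen order."""
    flows = []
    for line in tcpdump_text.splitlines():
        for pattern, selector in PATTERNS:
            m = pattern.search(line)
            if m:
                flow = (m.group(1), m.group(2), selector)
                if flow not in flows:
                    flows.append(flow)
                break
    return flows


def ipf_rules(tcpdump_text, lan_interface, lan_network):
    """ipf rules for the LAN interface, one per flow that originates inside
    lan_network. Packets entering on the LAN side are the client's own, so only
    those need a pass rule; the peer's replies are matched by 'keep state'.
    Naming the observed hosts instead of 'any' keeps the rules least-privilege."""
    net = ipaddress.ip_network(lan_network)
    rules = []
    for src, dst, selector in observed_flows(tcpdump_text):
        if ipaddress.ip_address(src) in net:
            clause = selector.format(src=src, dst=dst)
            rules.append(f"pass in quick on {lan_interface} {clause} keep state")
    return rules


if __name__ == "__main__":
    for rule in ipf_rules(SAMPLE_TCPDUMP, "rl0", "192.168.1.0/24"):
        print(rule)
```

Feed it real `tcpdump -n -i <lan_interface>` output instead of SAMPLE_TCPDUMP and compare the result against the rules already in /etc/ipf.rules to spot anything the generic "from any to any" entries do not cover.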
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1051788543.641.31.camel>