Date:      Tue, 24 Apr 2007 16:49:36 +0200
From:      VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: NAT-T support in FreeBSD + PF
Message-ID:  <20070424144936.GA11566@zen.inc>
In-Reply-To: <462DFB71.5050003@attglobal.net>
References:  <462DFB71.5050003@attglobal.net>

On Tue, Apr 24, 2007 at 08:43:29PM +0800, John Mok wrote:
> Hi,

Hi.

> I would like to build a NAT firewall box using FreeBSD + PF at work.
> However, I hope someone could advise if PF could support NAT-T, such 
> that the IPSec client connections (e.g. a visitor notebook with IPSec 
> client) inside the company Intranet could successfully connect passing 
> through the NAT box to the Internet IPSec gateway (e.g. the home network 
> of a visitor) .

Your PF will "just" see two UDP pseudo-sessions (one on dport 500 for
the beginning of the negotiation, one on dport 4500 for all the
remaining negotiations and for all traffic), so there is no need for
specific NAT-T support, you just need to allow outgoing UDP traffic to
port 500/4500, and incoming replies.

That was the main goal of NAT-T: routers/NAT devices on the way just
have to work as usual....



Yvan.

-- 
NETASQ
http://www.netasq.com
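A pf.conf for the NAT box described in the reply above, as an added example that is not part of the original thread; the interface names and the LAN prefix are assumed:

```pf
# Added example, not from the original mail. Interface names and the
# LAN prefix are assumptions; adjust them to the real box.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Translate outbound LAN traffic to the external address. With NAT-T the
# IPsec traffic itself is UDP/4500, so a plain nat rule is sufficient;
# native ESP (proto 50) has no ports, which is why several LAN clients
# behind one address could not be told apart without NAT-T.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny so that only the rules below open anything.
block all

# Let LAN hosts start IKE (UDP/500) and NAT-T (UDP/4500) sessions.
pass in  on $int_if proto udp from $lan to any port { 500, 4500 } keep state
pass out on $ext_if proto udp to any port { 500, 4500 } keep state

# No explicit rule is needed for the replies: "keep state" lets the
# remote gateway's answers back in on the matching UDP state entry.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -ss` then shows the two UDP state entries once a client has connected.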


