Date: Sat, 9 Apr 2005 17:59:03 +0100 (BST)
From: Vince Hoffman <jhary@unsane.co.uk>
To: John Mok <jmok@attglobal.net>
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD Firewall + NAT Traversal + IPsec
Message-ID: <20050409174841.L35796@unsane.co.uk>
In-Reply-To: <4257F2A1.2060603@attglobal.net>
References: <200504091337.j39Db6wv028638@unsane.co.uk> <4257F2A1.2060603@attglobal.net>
On Sat, 9 Apr 2005, John Mok wrote:
>
> To my understanding, the mechanism of how NAT works is that the client
> connections from the intranet are mapped to separate ports on the NAT with
> one single IP address by means of a mapping table, such that the reply packet
> from the outside to the NAT could be reversely mapped to the respective
> client connections. If there is more than one VPN client being NATed to the
> VPN gateway, and all client isakmp connections to port 500 are mapped to port
> 500 on the external interface of the NAT, then how could the NAT reversely
> map the isakmp replies to the clients unambiguously?
>

Sorry, the one caveat I forgot is that I can only have one VPN session at a
time. If you are likely to have multiple users using the VPN at one time then
it won't work. If you have multiple VPN users accessing the same Checkpoint
then have a look at making a LAN-to-LAN tunnel, see:

http://www.freebsd.org/doc/en/articles/checkpoint/

It's a little old and you need to do some config on the Checkpoint, but it's a
good starting point.

Vince

> John Mok
>
>
> Vince wrote:
>
>> I do this with the Cisco VPN client (to PIX), I am firewalling with pf.
>> Client --- FreeBSD firewall+NAT using pf --- internet - PIX
>>
>> The only problem I had was that isakmp needs to come from port 500 as well
>> as go to port 500, so I needed to add a rule to stop pf changing the source
>> port. My nat rules are:
>>
>> nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
>>     to any -> ($ext_if:0) port 500
>> nat on $ext_if from $int_net to any -> $ext_addr1
>>
>> Haven't tried Checkpoint though.
>>
>> Vince
>>
>>
>>
>>> -----Original Message-----
>>> From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org]
>>> On Behalf Of John Mok
>>> Sent: 07 April 2005 17:15
>>> To: freebsd-net@freebsd.org
>>> Subject: FreeBSD Firewall + NAT Traversal + IPsec
>>>
>>> Hi,
>>>
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall + NAT,
>>> such that client PC(s) from the NATed internal network could connect to a
>>> VPN gateway on the Internet:
>>>
>>> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>> 192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>>> (VPN client)
>>>
>>> I hope someone could help to advise what software is required on the
>>> FreeBSD box to make NAT traversal work and where to get the HOWTO(s)?
>>>
>>> Thanks a lot.
>>>
>>> John Mok
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
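The pf.conf fragment below is an added example written for this archive page; it is not Vince's configuration or anything from the FreeBSD Handbook article, and the interface names (fxp0, fxp1) and internal network are assumptions. It shows the source-port-preserving ISAKMP translation rule from the thread next to the ordinary port-rewriting NAT rule, and records in comments why the setup supports only one IKE/ESP session per gateway, which is the caveat Vince raises.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Interface and network names below are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.0.0/16"

# Translation rules: pf applies the FIRST matching nat rule, so the
# ISAKMP rule must come before the catch-all.
#
# ISAKMP (IKE) must go 500 -> 500; keep the client's source port so the
# gateway sees UDP 500 on both ends. Because the external address then
# has only ONE (addr, 500) slot towards a given gateway, a second
# internal host starting IKE to the same gateway cannot be told apart on
# the return path. That is the one-session-at-a-time limit.
nat on $ext_if inet proto udp from $int_net port 500 to any -> ($ext_if) port 500

# Equivalent form using the static-port option (do not rewrite source port):
# nat on $ext_if inet proto udp from $int_net port 500 to any -> ($ext_if) static-port

# Everything else gets normal port-rewriting NAT; ESP (IP proto 50) has no
# ports at all, so replies for a second ESP session to the same gateway
# would be ambiguous as well. NAT-T (ESP-in-UDP on port 4500) exists to
# give the NAT a port to multiplex on; the client and gateway both have
# to support it.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Filter rules: allow the tunnel traffic out, stateful.
pass in  on $int_if inet proto udp from $int_net   to any port 500 keep state
pass in  on $int_if inet proto esp from $int_net   to any          keep state
pass out on $ext_if inet proto udp from ($ext_if)  to any port 500 keep state
pass out on $ext_if inet proto esp from ($ext_if)  to any          keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and while a client negotiates, `pfctl -s state` will show the UDP 500 state with the source port unchanged and the ESP state keyed on addresses only, which is what makes a second concurrent client collide.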