From: Jim Freeze
To: FreeBSD Questions
Date: Fri, 18 Jun 2004 00:11:03 -0500
Subject: natd firewall settings for vpn
Message-ID: <20040618051102.GA692@freeze.org>

Hi

I am trying to configure my firewall to allow packets through for a VPN connection. I am running FBSD 5.2 as my router and am trying to connect my laptop from behind the router to our work computer. The laptop is running OSX 10.3.4 with a Nortel Networks client made by Apani. The VPN connection works when the laptop is connected directly to my DSL modem or when behind the gateway when I set the firewall type to 'open'.
Support at Apani says that I need to open port 500 and allow protocols 50 and 51 (whatever that means). I found the firewall settings below from the archive and have implemented them before the divert statement (after also) but with no luck.

# Allow IPSec clients to run behind firewall
# --- ISAKMP - allow key exchange over UDP 500
${fwcmd} add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
${fwcmd} add pass udp from ${oip} to any 500 out xmit ${oif}
${fwcmd} add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
${fwcmd} add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}
# --- ESP - allow protocol 50 (ESP) for everyone ;-)
${fwcmd} add pass esp from any to any

Does anyone have a firewall with a working Nortel client behind it? I would greatly appreciate any help.

Thanks

--
Jim Freeze
There was a young poet named Dan,
Whose poetry never would scan.
When told this was so,
He said, "Yes, I know.
It's because I try to put every possible syllable into that last line that I can."
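As an added example (not part of the post above, nor Apani's or FreeBSD's own configuration), the same rule set written as a shell function so it can be printed and checked before being installed; it adds the AH (protocol 51) rule that support asked for but the posted rules omit, and UDP 4500 for NAT-Traversal. The interface names, addresses and the FWCMD dry-run switch are assumptions, as is NAT-T support on the client and the remote gateway.

```shell
#!/bin/sh
# Added example, not from the original post: ipfw rules letting an IPsec
# client on the inside network reach a remote gateway through an ipfw/natd
# router. Arguments (all assumed values, substitute your own):
#   fwcmd   "ipfw" on the router, or "echo ipfw" to print the rules instead
#   iif/oif inside and outside interface, oip the outside address
#   inet/imask inside network and netmask (ipfw addr:mask form)
# The oif rules name the translated addresses, so this assumes the rules sit
# after the "divert natd ... via ${oif}" rule, not before it.
ipsec_passthrough_rules() {
    fwcmd=$1 iif=$2 oif=$3 oip=$4 inet=$5 imask=$6

    # ISAKMP/IKE: UDP 500 both ways on both interfaces (as in the post)
    $fwcmd add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
    $fwcmd add pass udp from ${oip} to any 500 out xmit ${oif}
    $fwcmd add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
    $fwcmd add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}

    # NAT-Traversal (RFC 3947/3948): IKE and ESP wrapped in UDP 4500. Raw ESP
    # and AH carry no port numbers, so natd cannot tell more than one inside
    # client apart; UDP 4500 it can. Assumes both ends support NAT-T.
    $fwcmd add pass udp from ${inet}:${imask} to any 4500 in recv ${iif}
    $fwcmd add pass udp from ${oip} to any 4500 out xmit ${oif}
    $fwcmd add pass udp from any 4500 to ${inet}:${imask} in recv ${oif}
    $fwcmd add pass udp from any 4500 to ${inet}:${imask} out xmit ${iif}

    # The two protocols support named: ESP (50) and AH (51). AH authenticates
    # the IP header, so it breaks once natd rewrites addresses; it is allowed
    # here only because support asked for it. The post allowed ESP only.
    $fwcmd add pass esp from any to any
    $fwcmd add pass ah from any to any
}

# Prints the rules by default (constructed sample values); on the gateway
# run with FWCMD=ipfw and your real interfaces and addresses.
ipsec_passthrough_rules "${FWCMD:-echo ipfw}" "${IIF:-dc0}" "${OIF:-fxp0}" \
    "${OIP:-203.0.113.5}" "${INET:-192.168.1.0}" "${IMASK:-255.255.255.0}"
```

Run it once with the default dry-run to review the ten rules, then `ipfw list` after installing to confirm they landed where you intended relative to the divert rule.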