Date: Fri, 04 May 2001 19:13:06 -0600
From: Jamie Hermans <dev-null@hermans.ca>
To: steve@Watt.COM (Steve Watt), questions@freebsd.org
Subject: Re: VPN solutions ... using IPSEC *AND* NAT
Message-ID: <9rk6ftghhg3jcklq1dt8ht0p5nlh7qshgv@4ax.com>
In-Reply-To: <200105042244.f44MiuY92230@wattres.Watt.COM>
References: <000001c0d46e$2feb6160$6419a8c0@jamie> <200105042244.f44MiuY92230@wattres.Watt.COM>

On Fri, 4 May 2001 15:44:56 -0700, steve@Watt.COM (Steve Watt) wrote:

It's an all-in-one server. FreeBSD 4.3 - everything standard.

If I 'setkey -F && setkey -FP', then I can see the other side of the VPN,
but I believe this removes all the security that I want IPSEC for?

Oh ... and I'm using IPFW, not IPFILTER.

... Jamie

>In article <000001c0d46e$2feb6160$6419a8c0@jamie> freebsd@hermans.ca wrote:
>>Has anyone been successful getting IPSEC and NAT to play nicely together?
>>
>>I'm currently using a PPP over SSH tunnel, but ideally would like to get
>>something working that was not client -> server based as is with this PPP
>>setup.
>>
>>Any pointers would be GREATLY appreciated.
>
>Is the machine that's doing NAT the same as the machine doing IPsec?
>
>If not, you'll have to arrange for IP protocol 50 to be passed (and
>NATed) through your translator. If your translator is some flavor
>of router (don't remember which at the instant), opening UDP port
>500 for ISAKMP will automagically redirect proto 50 and 51 (esp and
>ah), but that isn't universal behavior.
>
>Now, if someone wants to update libalias so it handles IPPROTO_ESP...