Date:      Fri, 04 May 2001 19:13:06 -0600
From:      Jamie Hermans <dev-null@hermans.ca>
To:        steve@Watt.COM (Steve Watt), questions@freebsd.org
Subject:   Re: VPN solutions ... using IPSEC *AND* NAT
Message-ID:  <9rk6ftghhg3jcklq1dt8ht0p5nlh7qshgv@4ax.com>
In-Reply-To: <200105042244.f44MiuY92230@wattres.Watt.COM>
References:  <000001c0d46e$2feb6160$6419a8c0@jamie> <200105042244.f44MiuY92230@wattres.Watt.COM>

On Fri, 4 May 2001 15:44:56 -0700, steve@Watt.COM (Steve Watt) wrote:

It's an all-in-one server.  FreeBSD 4.3 - everything standard.

If I 'setkey -F && setkey -FP', then I can see the other side of the
VPN, but I believe this removes all the security that I want IPSEC
for?

Oh ... and I'm using IPFW, not IPFILTER.

... Jamie

>In article <000001c0d46e$2feb6160$6419a8c0@jamie> freebsd@hermans.ca wrote:
>>Has anyone been successful getting IPSEC and NAT to play nicely together?
>>
>>I'm currently using a PPP over SSH tunnel, but ideally would like to get
>>something working that was not client -> server based as is with this PPP
>>setup.
>>
>>Any pointers would be GREATLY appreciated.
>
>Is the machine that's doing NAT the same as the machine doing IPsec?
>
>If not, you'll have to arrange for IP protocol 50 to be passed (and
>NATed) through your translator.  If your translator is some flavor
>of router (don't remember which at the instant), opening UDP port
>500 for ISAKMP will automagically redirect proto 50 and 51 (esp and
>ah), but that isn't universal behavior.
>
>Now, if someone wants to update libalias so it handles IPPROTO_ESP...

