Date:      Fri, 04 May 2001 19:13:06 -0600
From:      Jamie Hermans <>
To:        steve@Watt.COM (Steve Watt),
Subject:   Re: VPN solutions ... using IPSEC *AND* NAT
Message-ID:  <>
In-Reply-To: <200105042244.f44MiuY92230@wattres.Watt.COM>
References:  <000001c0d46e$2feb6160$6419a8c0@jamie> <200105042244.f44MiuY92230@wattres.Watt.COM>

On Fri, 4 May 2001 15:44:56 -0700, steve@Watt.COM (Steve Watt) wrote:

It's an all-in-one server.  FreeBSD 4.3 - everything standard.

If I 'setkey -F && setkey -FP', then I can see the other side of the
VPN, but I believe this removes all the security that I want IPSEC

Oh ... and I'm using IPFW, not IPFILTER.

... Jamie

>In article <000001c0d46e$2feb6160$6419a8c0@jamie>
>>Has anyone been successful getting IPSEC and NAT to play nicely
>>I'm currently using a PPP over SSH tunnel, but ideally would like to
>>something working that was not client -> server based as is with this
>>Any pointers would be GREATLY appreciated.
>Is the machine that's doing NAT the same as the machine doing IPsec?
>If not, you'll have to arrange for IP protocol 50 to be passed (and
>NATed) through your translator.  If your translator is some flavor
>of router (don't remember which at the instant), opening UDP port
>500 for ISAKMP will automagically redirect proto 50 and 51 (esp and
>ah), but that isn't universal behavior.
>Now, if someone wants to update libalias so it handles IPPROTO_ESP...
