From owner-freebsd-questions Fri May 4 18:13:15 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from zaltana.hermans.ca (188.209-115-183-0.interbaun.com [209.115.183.188]) by hub.freebsd.org (Postfix) with ESMTP id D824D37B422 for ; Fri, 4 May 2001 18:13:10 -0700 (PDT) (envelope-from dev-null@hermans.ca)
Received: from jamie (jamie.inside.hermans.ca [192.168.25.100]) by zaltana.hermans.ca (8.11.3/8.11.3) with SMTP id f451D7i28128; Fri, 4 May 2001 19:13:07 -0600 (MDT) (envelope-from dev-null@hermans.ca)
From: Jamie Hermans
To: steve@Watt.COM (Steve Watt), questions@freebsd.org
Subject: Re: VPN solutions ... using IPSEC *AND* NAT
Date: Fri, 04 May 2001 19:13:06 -0600
Organization: hermans.ca
Message-ID: <9rk6ftghhg3jcklq1dt8ht0p5nlh7qshgv@4ax.com>
References: <000001c0d46e$2feb6160$6419a8c0@jamie> <200105042244.f44MiuY92230@wattres.Watt.COM>
In-Reply-To: <200105042244.f44MiuY92230@wattres.Watt.COM>
X-Mailer: Forte Agent 1.8/32.548
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 4 May 2001 15:44:56 -0700, steve@Watt.COM (Steve Watt) wrote:

It's an all-in-one server. FreeBSD 4.3 - everything standard.

If I 'setkey -F && setkey -FP', then I can see the other side of the VPN, but I believe this removes all the security that I want IPSEC for?

Oh ... and I'm using IPFW, not IPFILTER.

... Jamie

>In article <000001c0d46e$2feb6160$6419a8c0@jamie> freebsd@hermans.ca wrote:
>>Has anyone been successful getting IPSEC and NAT to play nicely together?
>>
>>I'm currently using a PPP over SSH tunnel, but ideally would like to get
>>something working that was not client -> server based as is with this PPP
>>setup.
>>
>>Any pointers would be GREATLY appreciated.
>
>Is the machine that's doing NAT the same as the machine doing IPsec?
>
>If not, you'll have to arrange for IP protocol 50 to be passed (and
>NATed) through your translator. If your translator is some flavor
>of router (don't remember which at the instant), opening UDP port
>500 for ISAKMP will automagically redirect proto 50 and 51 (esp and
>ah), but that isn't universal behavior.
>
>Now, if someone wants to update libalias so it handles IPPROTO_ESP...
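Added example, not part of the thread and not anything Jamie or Steve posted: a POSIX sh script for the single-gateway case Jamie describes (FreeBSD 4.x, ipfw with natd on a divert socket, KAME setkey). It emits the ipfw rule set and the setkey SPD entries in the order they need to be installed, and includes a small check that the policy text still enforces protection. Everything concrete in it is an assumption chosen for illustration: the external interface fxp0, RFC 5737 documentation addresses for the two gateways, 192.168.30.0/24 as the remote private network, natd on its default divert port 8668, and IKE/ISAKMP on udp/500 as Steve mentions. The design follows Steve's remark that libalias does not handle IPPROTO_ESP: ESP, AH and ISAKMP between the two gateway addresses are accepted before the divert rule, and tunnelled LAN-to-LAN traffic is accepted explicitly as a defensive default so natd never rewrites any part of the tunnel. The SPD is kept populated at level "require" rather than flushed with setkey -FP, which is what would otherwise let the same traffic pass in the clear.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates ipfw rules and
# setkey SPD entries so IPsec (ESP/AH, IKE on udp/500) coexists with natd on
# a single FreeBSD 4.x gateway. All addresses/interfaces below are
# assumptions (RFC 5737 documentation space), not values from the thread.
#
#  * natd/libalias does not understand IPPROTO_ESP, so ESP/AH between the two
#    gateways is accepted BEFORE the divert rule can hand it to natd.
#  * Private-to-private (tunnelled) traffic is accepted explicitly so natd
#    never rewrites it, whichever side of IPsec processing ipfw sees it on.
#  * The SPD stays populated at level "require": flushing it (setkey -FP)
#    makes the traffic flow, but unprotected.

EXT_IF=${EXT_IF:-fxp0}                      # assumption: external interface
LOCAL_PUB=${LOCAL_PUB:-192.0.2.1}           # assumption: this gateway's public address
PEER_PUB=${PEER_PUB:-198.51.100.1}          # assumption: remote gateway's public address
LOCAL_LAN=${LOCAL_LAN:-192.168.25.0/24}     # local private network
REMOTE_LAN=${REMOTE_LAN:-192.168.30.0/24}   # assumption: remote private network
NATD_PORT=${NATD_PORT:-8668}                # natd's default divert port

# Print ipfw rules (without the leading "ipfw") in the order they must be added.
# Rule numbers are chosen so the divert rule is always last of this group.
ipfw_rules() {
    ext=$1 lpub=$2 ppub=$3 llan=$4 rlan=$5
    # Tunnelled LAN<->LAN traffic: accept so natd never sees it.
    echo "add 100 allow ip from $llan to $rlan via $ext"
    echo "add 110 allow ip from $rlan to $llan via $ext"
    # ESP (proto 50) and AH (proto 51) between the two gateways only.
    echo "add 200 allow esp from $lpub to $ppub via $ext"
    echo "add 210 allow esp from $ppub to $lpub via $ext"
    echo "add 220 allow ah from $lpub to $ppub via $ext"
    echo "add 230 allow ah from $ppub to $lpub via $ext"
    # ISAKMP/IKE (udp/500) between the two gateways only.
    echo "add 240 allow udp from $lpub 500 to $ppub 500 via $ext"
    echo "add 250 allow udp from $ppub 500 to $lpub 500 via $ext"
    # Everything else crossing the external interface goes to natd.
    echo "add 300 divert $NATD_PORT ip from any to any via $ext"
}

# Print the tunnel-mode SPD for setkey -c. "require" means traffic matching
# the selector is dropped unless it is ESP-protected; "use" would fall back
# to cleartext when no SA exists, and an empty SPD protects nothing.
spd_policies() {
    lpub=$1 ppub=$2 llan=$3 rlan=$4
    cat <<EOF
spdadd $llan $rlan any -P out ipsec esp/tunnel/$lpub-$ppub/require;
spdadd $rlan $llan any -P in  ipsec esp/tunnel/$ppub-$lpub/require;
EOF
}

# Succeed only if the policy text has at least one spdadd and every spdadd
# is at level "require" (i.e. no rule permits a cleartext fallback).
spd_enforces() {
    n=$(printf '%s\n' "$1" | grep -c '^spdadd' || true)
    lax=$(printf '%s\n' "$1" | grep '^spdadd' | grep -v -c '/require;' || true)
    [ "$n" -gt 0 ] && [ "$lax" -eq 0 ]
}

case ${1:-show} in
    apply)
        # Word splitting of $r is intentional: each line is one ipfw command.
        ipfw_rules "$EXT_IF" "$LOCAL_PUB" "$PEER_PUB" "$LOCAL_LAN" "$REMOTE_LAN" |
            while read -r r; do ipfw -q $r; done
        spd_policies "$LOCAL_PUB" "$PEER_PUB" "$LOCAL_LAN" "$REMOTE_LAN" | setkey -c
        ;;
    *)
        echo "# ipfw rules (feed each line to ipfw):"
        ipfw_rules "$EXT_IF" "$LOCAL_PUB" "$PEER_PUB" "$LOCAL_LAN" "$REMOTE_LAN"
        echo "# setkey policy (setkey -c):"
        spd_policies "$LOCAL_PUB" "$PEER_PUB" "$LOCAL_LAN" "$REMOTE_LAN"
        ;;
esac
```

Run it with no arguments to review the generated rules and policy; run it as root with `apply` to install them. Compare `setkey -DP` afterwards against the printed policy: if the SPD is empty, the VPN is passing traffic only because nothing is asking for protection.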