From: Vincent Goupil <vgoupil@alis.com>
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org, freebsd-isp@freebsd.org
Date: Thu, 13 Nov 2003 12:46:24 -0500
Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address)
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

I set up a firewall with ipfw2 and natd on FreeBSD 4.9-RELEASE.

I have mapped my subnet with alias_address, and I have mapped 4 private IP addresses to 4 public IP addresses. Everything is working fine (web, email, ftp, etc.) for outgoing and incoming connections for anyone on my network.

With this configuration, 5 people at a time (on my network) could dial to the same VPN server: 4 with different IPs and one with the alias_address. I suppose that only one person at a time can use the alias_address with the IPSec VPN (I think; tell me if I'm wrong).

I have authorized AH and ESP to pass through my firewall, and also incoming UDP 500.

I'm able to use the VPN for the people mapped with alias_address. I can't use the VPN for the people using redirect_address.

Is there any problem with the redirect_address directive in natd for protocols 50 and 51?

Is there any other way to have these 5 people communicate with the same VPN server at the same time? I thought that I could use redirect_address to do that, so the incoming connections to the VPN server appear from different source IP addresses.

Vincent Goupil
Administrateur réseau / Network administrator
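The setup the message describes, written out as an added example (this is a reconstruction, not the poster's actual natd.conf or ipfw ruleset): one alias_address for the whole subnet, four redirect_address one-to-one mappings, a divert rule for natd, and pass rules for AH (protocol 51), ESP (protocol 50) and IKE (UDP 500). The interface name fxp0, the 192.168.1.0/24 inside addresses and the 203.0.113.0/24 public addresses are assumptions chosen for illustration. The script only generates the configuration and the commands; it does not run ipfw itself, so it can be inspected on any machine and applied on the firewall.

```shell
#!/bin/sh
# Added example: reconstruction of the natd + ipfw2 configuration described
# in the message, not the poster's own files. Interface and all addresses
# are assumptions.

EXT_IF="fxp0"              # assumed external interface
ALIAS_IP="203.0.113.1"     # assumed shared public address (alias_address)

# Assumed private -> public static mappings, one per line, colon separated.
MAPPINGS="192.168.1.11:203.0.113.11
192.168.1.12:203.0.113.12
192.168.1.13:203.0.113.13
192.168.1.14:203.0.113.14"

# Emit the contents of /etc/natd.conf: the shared alias address for
# everyone on the subnet plus a static one-to-one mapping per VPN user.
natd_conf() {
    printf 'interface %s\n' "$EXT_IF"
    printf 'alias_address %s\n' "$ALIAS_IP"
    printf '%s\n' "$MAPPINGS" | while IFS=: read -r priv pub; do
        printf 'redirect_address %s %s\n' "$priv" "$pub"
    done
}

# Emit the ipfw commands. The divert rule comes first so that every packet
# crossing the external interface is translated before the pass rules are
# evaluated; AH, ESP and IKE are then allowed in both directions.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert natd ip from any to any via $EXT_IF
ipfw add 200 allow esp from any to any
ipfw add 210 allow ah from any to any
ipfw add 220 allow udp from any to any 500
ipfw add 230 allow udp from any 500 to any
ipfw add 65000 allow ip from any to any
EOF
}

# The check to run on the firewall while a redirected host dials the VPN:
# each such host's IKE and ESP packets should leave $EXT_IF with its own
# mapped public source address, and the replies should arrive for that
# address. Returned as a string so the script stays inert off the firewall.
watch_ipsec() {
    printf "tcpdump -ni %s 'ip proto 50 or ip proto 51 or udp port 500'\n" "$EXT_IF"
}

# Usage on the firewall (as root):
#   natd_conf > /etc/natd.conf
#   ipfw_rules | sh
#   $(watch_ipsec)
```

To start natd against this file at boot on a 4.x system, the rc.conf lines are natd_enable="YES", natd_interface="fxp0" and natd_flags="-f /etc/natd.conf". The tcpdump line is the fastest way to see whether the redirected hosts' IKE and ESP traffic actually leaves with the mapped public source address, which is the first thing to establish before blaming the redirect_address directive.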