Date:      Mon, 10 Aug 2009 21:31:15 +0100
From:      Jonathan Belson <jon@witchspace.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw, NAT and CISCO IPSec VPNs
Message-ID:  <4A808393.80501@witchspace.com>

Hiya

I've got a pretty standard network which uses a FreeBSD server to perform NAT 
between my internal IPs (192.168.0.x) and the outside world.  Everything is 
working tickety-boo, but I'm trying to tweak my firewall rules (ipfw, based on 
the 'SsIiMmPpLlEe' firewall template in rc.firewall) to allow a CISCO 
IPSec-based VPN client on a local machine to connect to a remote server (tunnel).

tcpdump shows that the client attempts to send packets to the remote VPN server 
on port 500 (isakmp) as you'd expect, but it's not getting any packets back and 
so the connection fails.

The following suggests that you can solve the problem by not changing the source 
port of the NATed packets, but gives a sample using pf:

http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008749.html

Other posts I've read say you can simply forward packets from the remote VPN 
server to the machine running the VPN client, but (needless to say) I haven't 
been able to get this to work:

http://groups.google.com/group/comp.unix.bsd/browse_thread/thread/85d775a73e352aa5/f62e6b0d67b2d576

Any suggestions from people who have done similar before?

Cheers,

--Jon