Date:      Thu, 13 Nov 2003 15:23:47 -0500
From:      "Thomas S. Crum" <tscrum@1wisp.com>
To:        "'Vincent Goupil'" <vgoupil@alis.com>, <freebsd-ipfw@freebsd.org>, <freebsd-net@freebsd.org>, <freebsd-isp@freebsd.org>
Subject:   RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID:  <000701c3aa24$0e11fbb0$6252eb44@wolf>
In-Reply-To: <F7D4BDA0E5A1D14B99D32C022AEB7366FE109C@alis-2k.alis.domain>

It's my understanding that certain IPSEC does not encrypt the entire
packet, leaving the header to be mangled by nat or whatever and refused
by the IPSEC machine that you are connecting to.  I believe therein your
problem lies.

Best,

Tom

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Vincent Goupil
Sent: Thursday, November 13, 2003 12:46 PM
To: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org';
'freebsd-isp@freebsd.org'
Subject: IPSec VPN & NATD (problem with alias_address vs
redirect_address)

I set up a firewall with ipfw2 and natd on FreeBSD 4.9 release.

I have mapped my subnet with alias_address.
I have mapped 4 private IP addresses with 4 public IP addresses.

Everything is working fine (web, email, ftp, etc.) for outgoing and
incoming connections for anyone on my network.

With this configuration, 5 persons at a time (on my network) could dial
to the same VPN server: 4 with different IPs and the one with the
alias_address. I suppose that only one person at a time can use the
alias_address with the IPSec VPN (I think, tell me if I'm wrong).

I have authorized AH and ESP to pass through my firewall.
Also incoming UDP 500.

I'm able to use the VPN for the people mapped with alias_address.
I can't use the VPN with the people using redirect_address.

Is there any problem with the redirect_address directive with natd for
protocols 50 and 51?

Is there any other way to have these 5 people at the same time
communicate with the same VPN server?
I thought that I could use redirect_address to do that, so the
incoming connection to the VPN server appears from a different IP
source address.

Vincent Goupil
Administrateur réseau / Network administrator
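Tom's point about the IP header being covered by IPsec's integrity check, worked through as an added example (this is not code from the thread, and not natd or the FreeBSD IPsec stack): AH (protocol 51) computes its ICV over the immutable IPv4 header fields, source and destination address included, so a source rewrite by natd's alias_address or redirect_address can never verify at the peer, while an ordinary router hop that only decrements the TTL (a mutable field AH zeroes before hashing) is fine. ESP (protocol 50) authenticates only its own header, payload and trailer, so the address rewrite itself does not break its ICV; plain ESP still carries no port numbers for natd to multiplex several inside hosts on, which is why UDP encapsulation (IPsec NAT traversal, RFC 3948) is the usual way to get more than one host behind one NAT to the same peer. The key, addresses and payload below are constructed, and the ICV is a truncated HMAC-SHA256 stand-in for a real SA's integrity algorithm.

```python
"""Why a NATed AH packet never verifies at the peer, while ESP's ICV
does not depend on the outer IP addresses. Added example; all values
(key, addresses, payload) are constructed for the demonstration."""
import hashlib
import hmac
import struct

AH, ESP = 51, 50
KEY = b"constructed-demo-key"   # constructed; a real SA's key comes from IKE


def build_ip_header(src, dst, proto, ttl=64, total_length=60):
    """Minimal IPv4 header (header checksum left zero; it is mutable anyway)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       0x4000, ttl, proto, 0, src_b, dst_b)


def ah_authenticated_view(ip_header):
    """Zero the fields AH treats as mutable (TOS/DSCP+ECN, flags and fragment
    offset, TTL, header checksum). Everything else, addresses included, is
    covered by the ICV."""
    h = bytearray(ip_header)
    h[1] = 0                 # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def icv(proto, ip_header, payload):
    """Simplified integrity check value (truncated HMAC-SHA256).
    AH covers the immutable IP header fields plus the payload; ESP covers
    only the ESP header/payload/trailer, never the outer IP header."""
    if proto == AH:
        data = ah_authenticated_view(ip_header) + payload
    elif proto == ESP:
        data = payload
    else:
        raise ValueError("not AH or ESP")
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def peer_accepts(proto, sent_header, received_header, payload):
    """The VPN peer recomputes the ICV over what it actually received and
    compares it with what the sender computed."""
    return hmac.compare_digest(icv(proto, sent_header, payload),
                               icv(proto, received_header, payload))


def router_hop(ip_header):
    """An ordinary router decrements the TTL (mutable, so harmless for AH)."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(ip_header, public_src):
    """What natd does for an outbound packet: replace the private source
    address with the public one (checksum fix-up omitted, it is mutable)."""
    h = bytearray(ip_header)
    h[12:16] = bytes(int(o) for o in public_src.split("."))
    return bytes(h)


def demo(private_src="192.168.1.10", public_src="203.0.113.5",
         peer="198.51.100.1"):
    """Run both protocols through a plain router hop and through a NAT
    source rewrite; returns which the peer would accept."""
    payload = b"constructed IPsec payload"
    results = {}
    for name, proto in (("ah", AH), ("esp", ESP)):
        hdr = build_ip_header(private_src, peer, proto)
        results[f"{name}_after_router_hop"] = peer_accepts(
            proto, hdr, router_hop(hdr), payload)
        results[f"{name}_after_nat_source_rewrite"] = peer_accepts(
            proto, hdr, nat_rewrite_source(hdr, public_src), payload)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'REJECTED'}")
```

Only `ah_after_nat_source_rewrite` comes back rejected: the address change lands inside the data AH authenticates, exactly the "header mangled by nat" case in the reply above. The ESP checks pass because the outer header is outside its ICV, which is the property NAT traversal relies on once the ESP packet is wrapped in UDP.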