From: Mike Porter
Reply-To: mupi@mknet.org
To: freebsd-questions@freebsd.org
Subject: IPSec through a NAT'd gateway
Date: Mon, 11 Dec 2000 16:32:49 -0700
Message-Id: <00121116324902.09639@mukappa.home.com>

Having spent the last 90 minutes or so reading the archives, I think there has been a lot said, but I haven't seen an answer to my specific question yet. It looks as though IPSec is by definition not supposed to be NATable, though using ESP seems to get around this "limitation".

The problem we are having is that we are trying to run a "private" network through a FreeBSD gateway/firewall/NAT box to preserve IP namespace (we don't have enough to put all our workstations on the network, plus there is a lot more overhead if (when) we change ISPs). The problem arises in that each of the workstations (Win98 boxen) must access a secured system (using Nortel's extranet client). It seems that one connection is able to get through, and then nobody else can connect. Thus, it appears that the 4.2-RELEASE natd is able to handle ESP and IPSec more-or-less correctly, but it only allows one client at a time?
I recall having seen a message where someone with more programming skills than I thought they knew where to change something to allow it to work multiple times, but I never saw a response to that message.

I guess there is a possibility of using a "one-to-one" NAT for the machines that need this access, but that sort of defeats the purpose of using NAT, as each machine must still have a "public" IP as well, though we could probably "share" some addresses (most of the workstations are not in use at any given time, so a 1:2 or 1:3 mapping would probably work, and help some).

Finally, this seems to be mostly a natd issue? I haven't seen much about it being a problem with ipnat, though I guess that could just be that natd is more popular?

In short, HELP!!! <(}: Any tips, pointers, hints, etc. (even flames if they help me get this working) are welcome. And please cc me as I don't think my subscription has "taken" just yet....

mike
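As an added, constructed model of the one-client-at-a-time behaviour described in the post (not the poster's content, and not FreeBSD's natd or libalias code): a port-based NAT has nothing but (protocol, peer) to key ESP on, so two inside hosts sending ESP to the same gateway collapse onto a single translation entry, while a protocol that carries a port (UDP here, as UDP-encapsulated ESP does) gets one entry per host. The inside hosts, peer and public address are constructed, and "last outbound sender wins" is an assumption about the translator, not a statement about natd.

```python
# Added illustration (not FreeBSD/natd code): a toy NAPT that keys
# ported protocols on (proto, peer, public port) but, for a port-less
# protocol such as ESP (IP protocol 50), has only (proto, peer) to use.
# Assumption: the single ESP link is overwritten by the latest outbound
# sender.  Addresses are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass, field

ESP, UDP = 50, 17           # IP protocol numbers
PEER = "203.0.113.9"        # the remote IPsec gateway (constructed)
HOST_A, HOST_B = "10.0.0.11", "10.0.0.12"   # two inside workstations

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0          # 0 means "no port" (ESP)
    dport: int = 0

@dataclass
class Napt:
    public_ip: str
    next_port: int = 40000
    # (proto, peer, public_port) -> (inside_host, inside_port)
    links: dict = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        """Translate inside->outside and record the link for replies."""
        if p.sport:                         # UDP/TCP: fresh public port per flow
            pub_port, self.next_port = self.next_port, self.next_port + 1
        else:                               # ESP: no port, so one shared link
            pub_port = 0
        self.links[(p.proto, p.dst, pub_port)] = (p.src, p.sport)
        return Packet(p.proto, self.public_ip, p.dst, pub_port, p.dport)

    def inbound(self, p: Packet):
        """Translate outside->inside, or None when no link matches."""
        link = self.links.get((p.proto, p.src, p.dport))
        if link is None:
            return None
        host, port = link
        return Packet(p.proto, p.src, host, p.sport, port)

def replies_for(proto: int, port: int = 0):
    """Hosts A and B both talk to PEER; return who receives each reply."""
    nat = Napt("192.0.2.1")
    out_a = nat.outbound(Packet(proto, HOST_A, PEER, port, port))
    out_b = nat.outbound(Packet(proto, HOST_B, PEER, port, port))
    back_a = nat.inbound(Packet(proto, PEER, nat.public_ip, port, out_a.sport))
    back_b = nat.inbound(Packet(proto, PEER, nat.public_ip, port, out_b.sport))
    return (back_a and back_a.dst, back_b and back_b.dst)   # ESP: both -> HOST_B
```

Which of the two clients loses depends on the translator; the model only shows that a port-less protocol gives a NAPT nothing to multiplex on, whereas `replies_for(UDP, 4500)` delivers each reply to its own host.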