Re: how to configure a FreeBSD firewall to pass IPSec?

From: Greg White (gregw-freebsd-security_at_greg.cex.ca)
Date: 04/30/03

    Date: Wed, 30 Apr 2003 12:35:01 -0700
    To: freebsd-security@freebsd.org
    
    

    On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
    > Guy Middleton <guy@obstruction.com> writes:
    >
    > > I have a FreeBSD box acting as a firewall and NAT gateway
    > >
    > > I would like to set it up to transparently pass IPSec packets -- I have
    > > an IPSec VPN client running on another machine, connecting to a remote network.
    > >
    > > Is there a way to do this? I can't find any hints in the man pages.
    >
    > It's impossible. IPSEC can't be passed through a NAT.

    That totally depends on what the endpoint is, and what the IPSEC client
    supports. Nortel and Cisco (and most other commercial IPSEC device
    vendors AFAIK) support this draft:

    http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt

    NAT traversal through IKE is now a reality. The vendor's documentation
    will detail what other ports must be passed, on either side, to fully
    support this. ISTR that it requires an additional UDP port.

    I have successfully (and repeatedly) used Nortel VPN client on a NATed
    host through a FreeBSD gateway.

    -- 
    Greg White
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
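The "additional UDP port" Greg recalls is UDP 4500: once both IKE peers detect a NAT in the path, the draft above (later standardised as RFC 3947/3948) moves the exchange from UDP 500 to UDP 4500 and carries ESP inside UDP on that same port. The following Python script is an added illustration, not code from the thread or from any vendor's client; it demultiplexes the three kinds of datagram a firewall or IDS will see on UDP 4500 (IKE with a 4-byte zero "Non-ESP marker", UDP-encapsulated ESP whose first 4 bytes are a non-zero SPI, and the 1-byte 0xFF NAT keepalive) and rejects malformed ones. The sample datagrams are constructed inline; cookies, SPIs and port numbers in them are made-up values.

```python
"""Classify UDP/4500 payloads as seen by a NAT gateway passing IPsec NAT-T.

Wire formats (RFC 3948 / draft-ietf-ipsec-nat-t-ike):
  IKE on 4500:   4 zero bytes (Non-ESP marker) followed by a 28-byte IKE header
  ESP on 4500:   ESP header directly (SPI, sequence number, ...); SPI != 0
  NAT keepalive: a single 0xFF byte
The zero marker is unambiguous because SPI 0 is reserved and never used for ESP.
"""
import struct
from typing import NamedTuple, Optional

IKE_PORT = 500          # IKE phase 1 starts here
NAT_T_PORT = 4500       # port the peers "float" to after detecting a NAT
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28     # 8 init cookie + 8 resp cookie + 4 misc fields + 4 msg id + 4 length
ESP_HEADER_LEN = 8      # 4 SPI + 4 sequence number


class NatTDatagram(NamedTuple):
    kind: str               # 'ike', 'esp', 'keepalive' or 'malformed'
    spi: Optional[int]      # ESP only
    seq: Optional[int]      # ESP only
    detail: str


def classify_udp4500(payload: bytes) -> NatTDatagram:
    """Demultiplex one UDP payload received on port 4500."""
    if payload == NAT_KEEPALIVE:
        return NatTDatagram("keepalive", None, None, "1-byte 0xFF NAT keepalive")
    if len(payload) < ESP_HEADER_LEN:
        return NatTDatagram("malformed", None, None, "shorter than a minimal ESP header")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return NatTDatagram("malformed", None, None, "Non-ESP marker but truncated IKE header")
        # The IKE length field (offset 24) must cover the whole IKE message.
        length = struct.unpack("!I", ike[24:28])[0]
        if length != len(ike):
            return NatTDatagram("malformed", None, None,
                                f"IKE length field {length} != {len(ike)} bytes present")
        exchange_type = ike[18]
        return NatTDatagram("ike", None, None, f"IKE message, exchange type {exchange_type}")
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    if spi == 0:
        return NatTDatagram("malformed", None, None, "ESP with reserved SPI 0")
    return NatTDatagram("esp", spi, seq, "UDP-encapsulated ESP")


def nat_t_passes(proto: str, dport: int) -> bool:
    """Does a flow belong to the IKE/NAT-T exchange a NAT gateway must let through?

    Plain ESP (IP protocol 50) has no ports and is deliberately not matched:
    with NAT-T it travels inside UDP 4500 and needs no separate rule.
    """
    return proto == "udp" and dport in (IKE_PORT, NAT_T_PORT)


# --- constructed sample datagrams (not real captures) ---------------------
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    b"\x11" * 8,        # initiator cookie (made up)
    b"\x22" * 8,        # responder cookie (made up)
    0,                  # next payload
    0x10,               # version 1.0
    2,                  # exchange type: identity protection (main mode)
    0,                  # flags
    0,                  # message id
    IKE_HEADER_LEN,     # length: header only, no payloads
)
SAMPLE_ESP = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16   # SPI, seq, dummy ciphertext
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_BAD_ESP = struct.pack("!II", 0, 7) + b"\x00" * 8          # SPI 0 is reserved
SAMPLE_BAD_IKE = NON_ESP_MARKER + b"\x00" * 10                    # marker, truncated header

if __name__ == "__main__":
    for name, pkt in [("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP),
                      ("keepalive", SAMPLE_KEEPALIVE), ("bad esp", SAMPLE_BAD_ESP),
                      ("bad ike", SAMPLE_BAD_IKE)]:
        print(f"{name:10s} -> {classify_udp4500(pkt)}")
    print("udp/500 passes:", nat_t_passes("udp", 500), " esp passes:", nat_t_passes("esp", 0))
```

On the gateway itself this translates into permitting UDP 500 and UDP 4500 through the NAT; because the ESP traffic is wrapped in UDP 4500 once NAT-T is negotiated, natd can track it like any other UDP flow, which is exactly why a client behind a FreeBSD NAT works when the endpoint supports the draft.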
    
