Re: how to configure a FreeBSD firewall to pass IPSec?
From: Matt Piechota (piechota_at_argolis.org)
Date: Wed, 30 Apr 2003 15:52:41 -0400 (EDT)
To: Lowell Gilbert <firstname.lastname@example.org>
On Wed, 30 Apr 2003, Lowell Gilbert wrote:
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> > Is there a way to do this? I can't find any hints in the man pages.
> It's impossible. IPSEC can't be passed through a NAT.
Actually, that's not strictly true. I've done such a thing myself, but
with a trick: I blindly forwarded any packet from the tunnel-server to the
$WORK uses a Bay (now Nortel) IPSEC VPN server. It's configured to do
tunnelling, and assign the client a dynamic address. To do the
forwarding, I set up a line like:
redirect_proto tcp clientip natgwextip vpnserverip
redirect_proto udp clientip natgwextip vpnserverip
in /etc/natd.conf (and set rc.conf to have natd look at that file). It
worked for me, although I suspect that if someone forged vpnserverip,
they could sneak packets to my client machine. The client uses Nortel's
client, but watching what I could using a sniffer, it looked like a fairly
normal IPSEC connect.
Oddly enough, I was just going to ask how I'd do that forward using ipfw,
ipfw2, or ipfilter, since I use ppp now and not natd. Or, can I use natd
with ppp if I don't 'ppp -nat ...'?
-- Matt Piechota
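The post above forwards every TCP and UDP packet arriving from the VPN server's address to the client, and notes that anyone able to forge that source address could reach the client through the redirect. The script below is an added example (not Matt's configuration and not FreeBSD project code) of the same natd.conf / ipfw setup narrowed to the protocols an IPsec tunnel actually needs (ESP, AH, IKE on udp/500 and NAT-T on udp/4500), with ipfw rules that drop anything else inbound to the client. All addresses, the interface name `fxp0`, and the function names are assumptions; the IPs are RFC 5737 documentation ranges chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post: generate a natd.conf that forwards
# only IPsec protocols to the client, plus ipfw rules that enforce the same scope.
# All values below are constructed placeholders; override them via the environment.
CLIENT_IP="${CLIENT_IP:-192.168.1.10}"          # assumed: LAN host running the VPN client
NATGW_EXT_IP="${NATGW_EXT_IP:-203.0.113.5}"     # assumed: external address of the natd gateway
VPN_SERVER_IP="${VPN_SERVER_IP:-198.51.100.1}"  # assumed: remote IPsec VPN server
EXT_IF="${EXT_IF:-fxp0}"                        # assumed: external interface name

# natd.conf: instead of "redirect_proto tcp/udp" (every TCP/UDP packet from the
# server's address lands on the client), redirect only ESP, AH, IKE and NAT-T,
# and keep the remote-address argument so other sources are never redirected.
gen_natd_conf() {
    cat <<EOF
interface $EXT_IF
use_sockets yes
same_ports yes
redirect_proto esp $CLIENT_IP $NATGW_EXT_IP $VPN_SERVER_IP
redirect_proto ah $CLIENT_IP $NATGW_EXT_IP $VPN_SERVER_IP
redirect_port udp $CLIENT_IP:500 $NATGW_EXT_IP:500 $VPN_SERVER_IP:500
redirect_port udp $CLIENT_IP:4500 $NATGW_EXT_IP:4500 $VPN_SERVER_IP:4500
EOF
}

# ipfw ruleset: divert through natd first (natd rewrites the destination to the
# client and hands the packet back), then accept inbound IPsec only from the VPN
# server and log-and-drop anything else headed for the client from outside.
gen_ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert natd ip from any to any via $EXT_IF
ipfw add 200 allow esp from $VPN_SERVER_IP to $CLIENT_IP in via $EXT_IF
ipfw add 210 allow ah from $VPN_SERVER_IP to $CLIENT_IP in via $EXT_IF
ipfw add 220 allow udp from $VPN_SERVER_IP 500,4500 to $CLIENT_IP 500,4500 in via $EXT_IF
ipfw add 230 deny log ip from any to $CLIENT_IP in via $EXT_IF
ipfw add 300 allow ip from any to any
EOF
}

# Self-check: every redirect line must end with the VPN server's address, i.e.
# the redirect is scoped to that peer. Exit status 0 means the config is scoped.
check_conf_scoped() {
    gen_natd_conf | awk -v vpn="$VPN_SERVER_IP" '
        /^redirect_/ { n++; if ($NF !~ vpn) bad++ }
        END { exit (n == 4 && bad == 0) ? 0 : 1 }'
}

# Usage: ./ipsec-nat.sh        -> print the generated natd.conf for review
#        ./ipsec-nat.sh write  -> install /etc/natd.conf and load the ipfw rules (root)
if [ "${1:-}" = "write" ]; then
    check_conf_scoped || { echo "refusing: redirect not scoped to VPN server" >&2; exit 1; }
    gen_natd_conf > /etc/natd.conf
    gen_ipfw_rules | sh
else
    gen_natd_conf
fi
```

With natd started from rc.conf pointing at /etc/natd.conf (as the post describes), the remote-address argument on each redirect line and the `deny log` rule together close the hole Matt mentions: packets from anything other than the VPN server are neither redirected nor allowed through to the client.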