Re: how to configure a FreeBSD firewall to pass IPSec?

From: Matt Piechota
Date: 04/30/03

    Date: Wed, 30 Apr 2003 15:52:41 -0400 (EDT)
    To: Lowell Gilbert <>

    On Wed, 30 Apr 2003, Lowell Gilbert wrote:

    > > I would like to set it up to transparently pass IPSec packets -- I have
    > > an IPSec VPN client running on another machine, connecting to a remote network.
    > >
    > > Is there a way to do this? I can't find any hints in the man pages.
    > It's impossible. IPSEC can't be passed through a NAT.

    Actually, that's not strictly true. I've done such a thing myself, but
    with a trick: I blindly forwarded any packet from the tunnel-server to the

    The specifics:
    $WORK uses a Bay (now Nortel) IPSEC VPN server. It's configured to do
    tunnelling, and assign the client a dynamic address. To do the
    forwarding, I set up a line like:
    redirect_proto tcp clientip natgwextip vpnserverip
    redirect_proto udp clientip natgwextip vpnserverip

    in /etc/natd.conf (and set rc.conf to have natd look at that file). It
    worked for me, although I suspect that if someone forged vpnserverip,
    they could sneak packets to my client machine. The client uses Nortel's
    client, but watching what I could using a sniffer, it looked like a fairly
    normal IPSEC connect.

    Oddly enough, I was just going to ask how I'd do that forward using ipfw,
    ipfw2, or ipfilter, since I use ppp now and not natd. Or, can I use natd
    with ppp if I don't 'ppp -nat ...'?

    Matt Piechota
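As an added example (not from the original post), this is what the setup described above looks like as a complete /etc/natd.conf together with the rc.conf lines that make natd start and read it. The addresses and the interface name are constructed placeholders, and the ipfw divert rule that hands packets to natd is assumed to already be in place.

```conf
# /etc/natd.conf  (constructed example; all addresses are placeholders)
# natd reads this file when started with: natd -f /etc/natd.conf
use_sockets yes
same_ports yes

# Forward every TCP and UDP packet that arrives from the VPN server at the
# gateway's external address straight to the internal IPsec client.
# Syntax: redirect_proto <proto> <localIP> [<publicIP> [<remoteIP>]]
#   192.168.1.10   = clientip     (inside host running the IPsec client)
#   203.0.113.5    = natgwextip   (gateway's external address)
#   198.51.100.20  = vpnserverip  (remote IPsec VPN server)
redirect_proto tcp 192.168.1.10 203.0.113.5 198.51.100.20
redirect_proto udp 192.168.1.10 203.0.113.5 198.51.100.20

# Caveat raised in the post: the remoteIP match is the only thing keeping
# other hosts from reaching the client through this rule, and it trusts the
# packet's source address. A packet with a spoofed vpnserverip source would be
# forwarded as well, so keep the client host itself firewalled rather than
# relying on this match alone.

# /etc/rc.conf  (the lines that start natd and point it at the file above;
# "fxp0" is an assumed external interface name)
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
```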
