Re: how to configure a FreeBSD firewall to pass IPSec?

From: Matt Piechota (piechota_at_argolis.org)
Date: 04/30/03

  • Next message: Guy Middleton: "Re: how to configure a FreeBSD firewall to pass IPSec?"
    Date: Wed, 30 Apr 2003 15:52:41 -0400 (EDT)
    To: Lowell Gilbert <freebsd-security-local@be-well.no-ip.com>
    
    

    On Wed, 30 Apr 2003, Lowell Gilbert wrote:

    > > I would like to set it up to transparently pass IPSec packets -- I have
    > > an IPSec VPN client running on another machine, connecting to a remote network.
    > >
    > > Is there a way to do this? I can't find any hints in the man pages.
    >
    > It's impossible. IPSEC can't be passed through a NAT.

    Actually, that's not strictly true. I've done such a thing myself, but
    with a trick: I blindly forwarded any packet from the tunnel-server to the
    client.

    The specifics:
    $WORK uses a Bay (now Nortel) IPSEC VPN server. It's configured to do
    tunnelling, and assign the client a dynamic address. To do the
    forwarding, I set up a line like:
    redirect_proto tcp clientip natgwextip vpnserverip
    redirect_proto udp clientip natgwextip vpnserverip

    in /etc/natd.conf (and set rc.conf to have natd look at that file). It
    worked for me, although I suspect that if someone forged vpnserverip,
    they could sneak packets to my client machine. The client uses Nortel's
    client, but watching what I could using a sniffer, it looked like a fairly
    normal IPSEC connect.

    Oddly enough, I was just going to ask how I'd do that forward using ipfw,
    ipfw2, or ipfilter, since I use ppp now and not natd. Or, can I use natd
    with ppp if I don't 'ppp -nat ...'?

    -- 
    Matt Piechota
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
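The natd redirect trick above forwards every TCP and UDP packet from the VPN server to the client, which is what makes the forged-source concern real. As an added example (not from the original thread), the script below generates a narrower /etc/natd.conf plus matching ipfw rules that pass only IKE (udp/500) and ESP (IP proto 50) between the VPN server and the client. Addresses, the interface name and the assumption of plain IKE/ESP (no vendor UDP encapsulation) are placeholders; natd(8)'s redirect_port/redirect_proto syntax and rc.conf's natd_flags are standard FreeBSD.

```shell
#!/bin/sh
# Constructed placeholder addresses; override via environment.
CLIENT_IP="${CLIENT_IP:-192.168.1.10}"        # IPsec client behind the NAT
NAT_EXT_IP="${NAT_EXT_IP:-198.51.100.2}"      # natd gateway external address
VPN_SERVER_IP="${VPN_SERVER_IP:-203.0.113.5}" # remote IPsec gateway
EXT_IF="${EXT_IF:-fxp0}"                      # external interface (assumed)

# /etc/natd.conf: redirect only IKE and ESP, and only when the remote
# side is the VPN server, instead of "redirect_proto tcp/udp" for everything.
natd_conf() {
    echo "interface ${EXT_IF}"
    echo "redirect_port udp ${CLIENT_IP}:500 ${NAT_EXT_IP}:500 ${VPN_SERVER_IP}:500"
    echo "redirect_proto esp ${CLIENT_IP} ${NAT_EXT_IP} ${VPN_SERVER_IP}"
}

# rc.conf lines that make natd read that file.
rc_conf() {
    echo "natd_enable=\"YES\""
    echo "natd_interface=\"${EXT_IF}\""
    echo "natd_flags=\"-f /etc/natd.conf\""
}

# ipfw rules: divert first, so the allow rules see translated addresses
# (inbound: dst already rewritten to the client; outbound: src already
# rewritten to the gateway). Only IKE and ESP to/from the VPN server are
# accepted here; anything else falls through to the rest of the ruleset.
ipfw_rules() {
    echo "add 50 divert natd ip from any to any via ${EXT_IF}"
    echo "add 100 allow udp from ${VPN_SERVER_IP} 500 to ${CLIENT_IP} 500 in via ${EXT_IF}"
    echo "add 110 allow esp from ${VPN_SERVER_IP} to ${CLIENT_IP} in via ${EXT_IF}"
    echo "add 120 allow udp from ${NAT_EXT_IP} 500 to ${VPN_SERVER_IP} 500 out via ${EXT_IF}"
    echo "add 130 allow esp from ${NAT_EXT_IP} to ${VPN_SERVER_IP} out via ${EXT_IF}"
}

# Print everything for review; nothing is applied to the running system.
if [ "${1:-}" = "show" ]; then
    echo "# /etc/natd.conf"; natd_conf
    echo "# /etc/rc.conf";   rc_conf
    echo "# ipfw rules";     ipfw_rules
fi
```

Run it with `show`, copy the natd.conf and rc.conf fragments into place, and load the ipfw lines into your existing ruleset ahead of your default-deny rule.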