From owner-freebsd-questions Fri May 4 15:45: 2 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from wattres.Watt.COM (wattres.watt.com [205.178.120.6]) by hub.freebsd.org (Postfix) with ESMTP id 8792E37B43C for ; Fri, 4 May 2001 15:44:57 -0700 (PDT) (envelope-from steve@Watt.COM)
Received: (from steve@localhost) by wattres.Watt.COM (8.11.3/8.11.3) id f44MiuY92230; Fri, 4 May 2001 15:44:56 -0700 (PDT) (envelope-from steve)
Message-Id: <200105042244.f44MiuY92230@wattres.Watt.COM>
X-Newsgroups: local.freebsd-questions
In-Reply-To: <000001c0d46e$2feb6160$6419a8c0@jamie>
Organization: Watt Consultants, San Jose, CA, USA
From: steve@Watt.COM (Steve Watt)
Date: Fri, 4 May 2001 15:44:56 -0700
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: questions@freebsd.org
Subject: Re: VPN solutions ... using IPSEC *AND* NAT
Cc: freebsd@hermans.ca
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In article <000001c0d46e$2feb6160$6419a8c0@jamie> freebsd@hermans.ca wrote:
>Has anyone been successful getting IPSEC and NAT to play nicely together?
>
>I'm currently using a PPP over SSH tunnel, but ideally would like to get
>something working that was not client -> server based as is with this PPP
>setup.
>
>Any pointers would be GREATLY appreciated.

Is the machine that's doing NAT the same as the machine doing IPsec? If not, you'll have to arrange for IP protocol 50 to be passed (and NATed) through your translator.

If your translator is some flavor of router (don't remember which at the instant), opening UDP port 500 for ISAKMP will automagically redirect proto 50 and 51 (esp and ah), but that isn't universal behavior.

Now, if someone wants to update libalias so it handles IPPROTO_ESP...

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
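To see which of the pieces named in the message above (UDP port 500 for ISAKMP, IP protocol 50 for ESP, protocol 51 for AH) actually cross a translator, captured IPv4 packets can be classified by header. This is an added example, not part of the original message; the function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

# IP protocol numbers and the ISAKMP port named in the message above.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
ISAKMP_PORT = 500


def classify_ipsec(packet: bytes) -> str:
    """Classify a raw IPv4 packet: 'isakmp', 'esp', 'ah', 'other' or 'malformed'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        if frag_offset:                     # later fragment carries no UDP header
            return "other"
        if len(packet) < ihl + 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if ISAKMP_PORT in (sport, dport):
            return "isakmp"
    return "other"


def summarize(packets):
    """Count packets per class, e.g. to compare both sides of the translator."""
    counts = {}
    for pkt in packets:
        kind = classify_ipsec(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a constructed sample IPv4 packet (header checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Constructed sample traffic: one ISAKMP datagram, one ESP packet, one DNS query.
SAMPLE = [
    build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1001, 1) + b"\x00" * 16),
    build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing the counts from a capture on each side of the translator shows whether ISAKMP gets through while protocol 50 does not.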