From: Robert Johannes <rjohanne@piper.hamline.edu>
Date: Wed, 7 Mar 2007 09:59:44 -0600 (CST)
To: greg.panula@lexisnexis.com
Cc: freebsd-security@freebsd.org
Subject: freebsd vpn server behind nat dsl router
List-Id: "Security issues [members-only posting]"

Hello Greg,

I am writing you because I saw your responses to a couple of messages on the freebsd-security mailing list related to FreeBSD VPN and NAT. My situation is rather unique, and I need an expert's eyes to glance at it and confirm whether it is doable or not.

I have a simple diagram that illustrates what I am trying to do, and it is located here (about 40k):

http://www.hamline.edu/~rjohanne/lan.jpg

In the diagram, the DSL modems have dynamic public IPs on the internet side and private IPs on the LAN side. As you can see in the diagram, I am trying to have the VPN traffic from the internet forwarded to the FreeBSD VPN servers (the machines ending in .254 on each site).
I have followed the FreeBSD "VPN over IPsec" chapter in the handbook and created a tunnel between the two VPN servers; according to the handbook, I should be able to ping the VPN servers using their private network addresses, but I am not able to do that. I realize that my implementation is not exactly like the handbook's, but what do I need to do to get it to work? I have googled and researched all over the net without much progress. I have seen a lot of messages related to NAT and enabling VPN passthrough on different DSL modems and so forth, which I have tried to do, but still, no progress.

Any clues and pointers would be appreciated.

Thanks,
Robert
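The following is an added example, not part of Robert's message or of the FreeBSD handbook. It shows in packet terms why a setup like the one described above (IPsec endpoints behind port-translating DSL routers) commonly stalls: ESP is IP protocol 50 and carries no port numbers, only an SPI, so a port-based NAT has nothing to rewrite and nothing to key a return mapping on, whereas IKE on UDP/500 and NAT-T (RFC 3948, IKE and ESP-in-UDP on port 4500) are ordinary UDP flows that any NAT can translate. The addresses and packets are constructed here and are hypothetical; they are not taken from the diagram.

```python
"""Constructed example: what a port-translating NAT can do with IPsec traffic.

Three kinds of packet are built as a VPN host behind a DSL router would emit
them, and classify() reports whether plain port translation (PAT) can carry
each one.  Addresses are hypothetical (RFC 1918 / documentation ranges).
"""
import socket
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50                      # ESP: no ports, only an SPI
UDP_PORT_IKE = 500                     # ISAKMP / IKE
UDP_PORT_NATT = 4500                   # IKE and ESP-in-UDP once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # on 4500, marks IKE rather than ESP

SITE_A_PRIVATE = "192.168.1.254"       # hypothetical FreeBSD VPN host behind NAT
SITE_B_PUBLIC = "203.0.113.10"         # hypothetical far-end address


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum left at 0; enough for parsing)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, body):
    """ESP header: non-zero SPI, sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + body


def classify(pkt):
    """Describe a packet the way a port-based NAT sees it.

    Returns 'kind', the (src, sport) key the NAT could map (None if there is
    none), the SPI where present, and 'pat_ok': whether PAT can carry it.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    payload = pkt[ihl:]
    if proto == IP_PROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0]
        # The SPI is chosen by the receiver and differs per direction, so a
        # NAT cannot build a return mapping from the outbound packet alone.
        return {"kind": "esp", "spi": spi, "nat_key": None, "pat_ok": False}
    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        key = (src, sport)
        if UDP_PORT_NATT in (sport, dport):
            if data[:4] == NON_ESP_MARKER:
                return {"kind": "ike-natt", "nat_key": key, "pat_ok": True}
            spi = struct.unpack("!I", data[:4])[0]   # ESP SPI is never zero
            return {"kind": "esp-udp", "spi": spi, "nat_key": key, "pat_ok": True}
        if UDP_PORT_IKE in (sport, dport):
            return {"kind": "ike", "nat_key": key, "pat_ok": True}
        return {"kind": "udp", "nat_key": key, "pat_ok": True}
    return {"kind": "other", "proto": proto, "nat_key": None, "pat_ok": False}


# Constructed sample traffic from the site A VPN host toward site B.
ESP_BODY = b"\xde\xad\xbe\xef" * 4       # stands in for ciphertext
RAW_ESP = build_ipv4(IP_PROTO_ESP, SITE_A_PRIVATE, SITE_B_PUBLIC,
                     build_esp(0x1000ABCD, 1, ESP_BODY))
IKE_500 = build_ipv4(IP_PROTO_UDP, SITE_A_PRIVATE, SITE_B_PUBLIC,
                     build_udp(UDP_PORT_IKE, UDP_PORT_IKE, b"\x00" * 28))
NATT_IKE = build_ipv4(IP_PROTO_UDP, SITE_A_PRIVATE, SITE_B_PUBLIC,
                      build_udp(UDP_PORT_NATT, UDP_PORT_NATT,
                                NON_ESP_MARKER + b"\x00" * 28))
NATT_ESP = build_ipv4(IP_PROTO_UDP, SITE_A_PRIVATE, SITE_B_PUBLIC,
                      build_udp(UDP_PORT_NATT, UDP_PORT_NATT,
                                build_esp(0x1000ABCD, 2, ESP_BODY)))


def traversal_report():
    """Which of the sample packets a port-based NAT can forward unaided."""
    return {name: classify(p)["pat_ok"]
            for name, p in (("raw_esp", RAW_ESP), ("ike_500", IKE_500),
                            ("natt_ike", NATT_IKE), ("natt_esp", NATT_ESP))}


if __name__ == "__main__":
    for name, ok in traversal_report().items():
        print(f"{name:9s} {'traverses PAT' if ok else 'needs ESP passthrough or NAT-T'}")
```

The practical check on the real hosts is to watch both ends while the tunnel is brought up, for example `tcpdump -ni <if> 'ip proto 50 or udp port 500 or udp port 4500'` on each VPN server (interface name is a placeholder): if IKE on UDP/500 completes but no ESP (protocol 50) ever arrives at the far side, the DSL router is dropping or failing to map the ESP, and the fix is either a router "passthrough" mode that forwards protocol 50 to the .254 host or NAT-T on both endpoints with UDP 500 and 4500 forwarded.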