From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 12:04:10 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9DDE337B401
	for ; Wed, 30 Apr 2003 12:04:10 -0700 (PDT)
Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C59A143FBD
	for ; Wed, 30 Apr 2003 12:04:09 -0700 (PDT)
	(envelope-from anderson@centtech.com)
Received: from centtech.com (electron.centtech.com [204.177.173.173])
	by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h3UJ4756028126;
	Wed, 30 Apr 2003 14:04:07 -0500 (CDT)
	(envelope-from anderson@centtech.com)
Message-ID: <3EB01E1E.1040808@centtech.com>
Date: Wed, 30 Apr 2003 14:03:58 -0500
From: Eric Anderson
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Lowell Gilbert
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 30 Apr 2003 19:04:10 -0000

Lowell Gilbert wrote:
> Guy Middleton writes:
>
>
>>I have a FreeBSD box acting as a firewall and NAT gateway
>>
>>I would like to set it up to transparently pass IPSec packets -- I have
>>an IPSec VPN client running on another machine, connecting to a remote network.
>>
>>Is there a way to do this? I can't find any hints in the man pages.
>
>
> It's impossible. IPSEC can't be passed through a NAT.
>
> The best you could do would be to terminate the tunnel on the gateway itself.

It actually depends on what is being "ipsec"'ed .. but for most real
uses, you are right..

Eric

--
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------