From owner-freebsd-net@FreeBSD.ORG Thu Apr 7 17:44:50 2005
Message-ID: <42557193.9090509@fsklaw.com>
Date: Thu, 07 Apr 2005 10:44:51 -0700
From: Tom Skeren
To: John Mok
cc: freebsd-net@freebsd.org
References: <42555C87.7030700@attglobal.net> <425550E6.3080005@fsklaw.com> <42556B7E.5030703@attglobal.net>
In-Reply-To: <42556B7E.5030703@attglobal.net>
Subject: Re: FreeBSD Firewall + NAT Traversal + IPsec

John Mok wrote:
> Dear Tom,
>
> Thank you for your quick reply.
>
> I would like to know more on the issue. To my understanding, since the
> source address of the IP packet from the client would be modified on
> the NAT, normally it would fail the AH check on the IPsec VPN gateway, or
> does the FreeBSD NAT have built-in compliance with RFC3947?

Yeah, that's correct, and I don't think traversal is supported in FBSD.
However, you might be able to use ipsec and racoon to tunnel the NAT to
the vpn. I don't know what device is at the other end of the tunnel. I
have a 7 office wan tunneled with FreeBSD gateways. Works real spiffy.
You might look into that option.

> Thank you, John Mok
>
> Tom Skeren wrote:
>
>> John Mok wrote:
>>
>>> Hi,
>>>
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall
>>> + NAT, such that client PC(s) from the NATed internal network could
>>> connect to a VPN gateway on the Internet :-
>>>
>>> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>> 192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>>> (VPN client)
>>>
>>> I hope someone could help to advise what software is required on the
>>> FreeBSD box to make NAT traversal work and where to get the HOWTO(s)?
>>
>> Should be no problem.
>>
>>> Thanks a lot.
>>>
>>> John Mok
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
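As an added illustration of the AH point raised in the thread (a constructed example, not code from the mailing list, from FreeBSD or from racoon): the AH integrity check value (ICV) is computed over the IP header with only the mutable fields zeroed, so the source address is covered and a NAT rewriting it breaks verification at the gateway. UDP-encapsulated ESP (RFC 3948, the data path behind RFC 3947 NAT-T negotiation) authenticates only the ESP header and payload, so the same rewrite leaves it intact. Keys, addresses and payload are constructed sample values; the ESP packet is simplified (integrity only, no encryption or trailer) to keep the contrast visible.

```python
"""Constructed demo: why AH fails behind a NAT while UDP-encapsulated ESP does not."""
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncates the MAC to 96 bits (RFC 2404)
IPPROTO_AH, IPPROTO_UDP = 51, 17
NAT_T_PORT = 4500  # RFC 3948 UDP port for encapsulated ESP


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: zero TOS, flags/fragment offset, TTL and checksum
    before computing the ICV. Source and destination addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    covered = ah_zero_mutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes,
                    spi: int = 0x1000, seq: int = 1) -> bytes:
    # AH header: next header, length in 32-bit words minus 2, reserved, SPI, sequence
    ah_len_words = (12 + ICV_LEN) // 4 - 2
    ah_hdr = struct.pack("!BBHII", IPPROTO_UDP, ah_len_words, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_hdr + ah_icv(key, ip_hdr, ah_hdr, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    """What the VPN gateway does on receipt: recompute the ICV over the header it sees."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_hdr, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_hdr, payload), icv)


def build_esp_udp_packet(key: bytes, src: str, dst: str, payload: bytes,
                         spi: int = 0x2000, seq: int = 1) -> bytes:
    """ESP inside UDP/4500. The ICV covers only the ESP header and payload."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    esp = esp_hdr + payload + icv
    udp_hdr = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return ipv4_header(src, dst, IPPROTO_UDP, 28 + len(esp)) + udp_hdr + esp


def verify_esp_udp(key: bytes, packet: bytes) -> bool:
    esp = packet[28:]  # skip outer IP (20) and UDP (8) headers
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """The NAT's view: swap the source address (bytes 12..15) and forward."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def demo() -> dict:
    key = b"constructed-sample-key"          # shared SA key, constructed
    inside, public, gw = "192.168.62.181", "198.51.100.7", "203.0.113.10"
    payload = b"constructed inner datagram"
    ah = build_ah_packet(key, inside, gw, payload)
    esp = build_esp_udp_packet(key, inside, gw, payload)
    return {
        "ah_direct": verify_ah(key, ah),
        "ah_after_nat": verify_ah(key, nat_rewrite_source(ah, public)),
        "esp_udp_direct": verify_esp_udp(key, esp),
        "esp_udp_after_nat": verify_esp_udp(key, nat_rewrite_source(esp, public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'ICV mismatch'}")
```

Running it shows the AH packet verifying only when delivered unmodified, while the UDP-encapsulated ESP packet verifies both before and after the source rewrite; this is the property that makes a NAT-T-capable gateway and client workable behind a NAT where plain AH is not.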