From: John Mok
To: Tom Skeren, freebsd-net@freebsd.org
Date: Fri, 08 Apr 2005 01:56:21 +0800
Subject: Re: FreeBSD Firewall + NAT Traversal + IPsec
Message-ID: <42557445.6040402@attglobal.net>
In-Reply-To: <42557193.9090509@fsklaw.com>
List-Id: Networking and TCP/IP with FreeBSD

The problem is that some visitors might need to connect to the home VPN gateway(s) from my work office. Thus, we could not decide which VPN gateway solution they use.

On the other hand, what is the status of FreeBSD on the support of NAT-T? Would it be supported in FreeBSD in later issues, e.g. FreeBSD 5.4 or 6?

Regards,

John Mok

Tom Skeren wrote:
> John Mok wrote:
>
>> Dear Tom,
>>
>> Thank you for your quick reply.
>>
>> I would like to know more on the issue. To my understanding, since
>> the source address of the IP packet from the client would be modified
>> on the NAT, normally it would fail the AH check on the IPsec VPN gateway,
>> or does the FreeBSD NAT have built-in compliance with RFC3947?
>
> Yeah, that's correct, and I don't think traversal is supported in
> FBSD. However, you might be able to use ipsec and racoon to tunnel
> the NAT to the vpn. I don't know what device is at the other end of
> the tunnel. I have a 7 office wan tunneled with FreeBSD gateways.
> Works real spiffy. You might look into that option.
>
>> Thank you, John Mok
>>
>> Tom Skeren wrote:
>>
>>> John Mok wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall
>>>> + NAT, such that client PC(s) from the NATed internal network could
>>>> connect to a VPN gateway on the Internet :-
>>>>
>>>> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>>> 192.168.x.x/16                                           (e.g. Checkpoint FW-1)
>>>> (VPN client)
>>>>
>>>> I hope someone could help to advise what software is required on
>>>> the FreeBSD box to make NAT traversal work and where to get the HOWTO(s)?
>>>
>>> Should be no problem.
>>>
>>>> Thanks a lot.
>>>>
>>>> John Mok
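As an added illustration of the point John and Tom agree on above (this is not code from the thread, from FreeBSD or from racoon): a small Python model of why a source NAT breaks an AH integrity check but not an ESP one, which is why NAT-T (RFC 3947/3948) carries ESP inside UDP port 4500 rather than trying to make AH survive. The key, payload and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread): a shared key and an IPsec payload.
KEY = b"constructed-demo-key-0123456789"
PAYLOAD = b"constructed IPsec payload"

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; header checksum left zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def ah_icv(ip_hdr, payload, key):
    """AH-style ICV: mutable IPv4 fields (TTL, header checksum) are zeroed before
    hashing, but the source and destination addresses are covered (RFC 4302 3.3.3.1)."""
    covered = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    return hmac.new(key, covered + payload, hashlib.sha256).digest()[:12]

def esp_icv(payload, key):
    """ESP-style ICV: covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]

def nat_rewrite(ip_hdr, new_src):
    """What a source NAT does on the way out: new source address, TTL decremented."""
    return (ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:12]
            + bytes(map(int, new_src.split("."))) + ip_hdr[16:])

def gateway_checks(client="192.168.1.10", nat_public="198.51.100.7", vpn_gw="203.0.113.1"):
    """Simulate the VPN gateway verifying ICVs on a packet that crossed a NAT.
    Returns which checks pass (addresses are RFC 1918 / RFC 5737 example values)."""
    hdr = ipv4_header(client, vpn_gw, 51, 20 + len(PAYLOAD))   # protocol 51 = AH
    ah_sent, esp_sent = ah_icv(hdr, PAYLOAD, KEY), esp_icv(PAYLOAD, KEY)
    natted = nat_rewrite(hdr, nat_public)
    # A plain router hop only decrements TTL, which AH treats as mutable: still verifies.
    routed_only = nat_rewrite(hdr, client)
    return {
        "ah_after_router_hop": hmac.compare_digest(ah_sent, ah_icv(routed_only, PAYLOAD, KEY)),
        "ah_after_nat": hmac.compare_digest(ah_sent, ah_icv(natted, PAYLOAD, KEY)),
        # ESP (what NAT-T wraps in UDP/4500) ignores the outer header, so it survives.
        "esp_after_nat": hmac.compare_digest(esp_sent, esp_icv(PAYLOAD, KEY)),
    }

if __name__ == "__main__":
    for check, ok in gateway_checks().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

A gateway that logs the failed AH verification rather than silently dropping makes this failure mode easy to diagnose from the VPN side.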