Date: Mon, 14 Aug 2006 13:30:17 +0100
From: Brian Candler
To: Jeff at NorrisTechs
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <20060814123016.GA85695@uk.tiscali.com>
In-Reply-To: <44DFC3B1.6010901@norristechs.net>
References: <44DF3565.1060506@psknet.com> <44DFC3B1.6010901@norristechs.net>
List-Id: Internet Services Providers

On Sun, Aug 13, 2006 at 06:28:33PM -0600, Jeff at NorrisTechs wrote:
> I assume you have TCP port 1723 forwarding from the internet/dmz to the
> PPTP host? That should be enough for most PPTP based VPN clients.
>
> > It can be difficult with IPSEC as you have to forward UDP 500,
> > Protocol 50 and Protocol 51 to / from the VPN client from your NAT router.

If the *clients* are behind NAT, when running IPSEC there should be nothing to do. IPSEC uses UDP 500 (outbound) to start the key exchange, detects NAT, and then switches to UDP 4500 for IPSEC NAT traversal. It also sends NAT keepalive packets every 20 seconds by default.

So if you have a NAT-aware IPSEC client, it should work with any old NAT firewall without any config changes on that firewall, as long as it allows outbound connections. It was designed to work in hotels etc.

Microsoft's L2TP over IPSEC works just fine for this (with Win2K you need to install a NAT traversal patch).

I've no idea about PPTP though. I don't use it, as it's generally considered insecure compared with IPSEC. I believe some routers have a "PPTP passthrough" mode, which you could try turning on (or off) to see if it fixes the problem.

Regards,

Brian.
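The NAT detection and UDP 4500 switch that the reply describes, shown in working code as an added example (this is not code from the original post or from any IPsec implementation). It computes the RFC 3947 NAT-D payload a client sends during the UDP 500 exchange, shows how the far end notices that a NAT rewrote the source address and port, and then demultiplexes UDP 4500 traffic the way RFC 3948 specifies (IKE behind a four-zero-byte non-ESP marker, ESP starting with its SPI, a single 0xFF byte as the keepalive). SHA-1 as the NAT-D hash is an assumption (IKE uses whatever hash phase 1 negotiated), and every cookie, address and port is a constructed sample value, not a capture.

```python
"""
Added example, not part of the mailing-list reply: the two mechanisms that let
an IPsec client work from behind a NAT box with no port forwarding.

 * NAT detection (RFC 3947, IKEv1 NAT-T): during the UDP/500 key exchange each
   peer sends NAT-D payloads, HASH(CKY-I | CKY-R | IP | Port), computed over
   the addresses and ports *it* sees.  The receiver hashes the source address
   and port it actually observed; a mismatch means a NAT rewrote the packet,
   and both sides move to UDP/4500.
 * UDP/4500 demultiplexing (RFC 3948): IKE messages carry a four-zero-byte
   "non-ESP marker", ESP packets start directly with their (non-zero) SPI, and
   a NAT keepalive is a single 0xFF byte, sent every 20 seconds by default.

Assumptions: SHA-1 as the negotiated IKE hash; all cookies, addresses and
ports below are constructed sample values, not taken from a capture.
"""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
KEEPALIVE_INTERVAL = 20  # seconds; the default interval mentioned in the reply


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2 NAT-D payload data: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption here; real IKE uses the hash negotiated in phase 1."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # network byte order, v4 or v6
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def peer_is_behind_nat(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                       observed_ip: str, observed_port: int) -> bool:
    """Responder side: the initiator hashed the source it believes it has.
    Re-hash the source really seen on the wire; any difference means a NAT
    rewrote the address and/or port in transit."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def classify_udp4500(payload: bytes) -> str:
    """RFC 3948 section 2: tell IKE, ESP and keepalives apart on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 4:
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"  # the first four bytes are the ESP SPI, which is never zero


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE sent on UDP/4500 is prefixed with the non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def keepalive_due(last_sent: float, now: float,
                  interval: float = KEEPALIVE_INTERVAL) -> bool:
    """A client behind NAT sends 0xFF keepalives so the NAT's UDP/4500
    mapping does not time out while the tunnel is idle."""
    return now - last_sent >= interval


def demo() -> dict:
    """Constructed walk-through: a client on RFC 1918 space behind a NAT that
    also rewrites the source port, followed by three UDP/4500 datagrams."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed ISAKMP cookies
    cky_r = bytes.fromhex("fedcba9876543210")

    # What the client thinks its IKE source is (private side of the NAT).
    sent_nat_d = nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)
    # What the server actually saw after the NAT rewrote address and port.
    nat_detected = peer_is_behind_nat(sent_nat_d, cky_i, cky_r, "203.0.113.5", 61001)

    # After detection everything moves to UDP/4500; classify some traffic.
    ike_header = cky_i + cky_r + b"\x00" * 12          # 28-byte ISAKMP header stand-in
    esp_packet = bytes.fromhex("c0ffee01") + b"\x00\x00\x00\x01" + b"\x11" * 16  # SPI, seq, ciphertext
    traffic = [encapsulate_ike(ike_header), esp_packet, NAT_KEEPALIVE]

    return {
        "nat_detected": nat_detected,
        "kinds": [classify_udp4500(p) for p in traffic],
        "keepalive_due": keepalive_due(last_sent=100.0, now=121.0),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the NAT operator is visible in `peer_is_behind_nat`: nothing on the NAT box has to match UDP 500 or 4500 specifically, the client discovers the translation itself and keeps the mapping alive, so an outbound-UDP-allowed policy is all that is needed.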