From: Greg White
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 12:35:01 -0700
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030430123501.A20461@greg.cex.ca>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>

On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton writes:
>
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's impossible. IPSEC can't be passed through a NAT.

That totally depends on what the endpoint is, and what the IPSEC client supports.
Nortel and Cisco (and most other commercial IPSEC device vendors AFAIK) support this draft:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt

NAT traversal through IKE is now a reality. The vendor's documentation will detail what other ports must be passed, on either side, to fully support this. ISTR that it requires an additional UDP port.

I have successfully (and repeatedly) used Nortel VPN client on a NATed host through a FreeBSD gateway.

--
Greg White
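The NAT-T mechanism Greg refers to carries both IKE and ESP inside UDP on port 4500 (the extra UDP port he recalls), so a firewall or log reviewer has to tell the three packet types on that port apart. The classifier below is an added example, not code from this thread or from FreeBSD; it follows the RFC 3948 framing that the cited draft grew into, and the sample datagrams are constructed.

```python
"""Classify UDP/4500 payloads per RFC 3948 (UDP encapsulation of ESP).
Added illustration for the NAT-T discussion; sample data is constructed."""
import struct
from collections import Counter

IKE_PORT = 500          # plain IKE/ISAKMP
NAT_T_PORT = 4500       # IKE NAT-T and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_nat_t_payload(payload: bytes):
    """Return (kind, spi) for the payload of one UDP/4500 datagram.

    RFC 3948 multiplexes three things on one port and separates them by
    the leading bytes: a lone 0xFF byte is a NAT keepalive; four zero
    bytes (the "non-ESP marker") prefix an IKE message; anything else is
    ESP, whose first four bytes are the SPI. SPI 0 is never used on the
    wire, so ESP cannot be mistaken for the marker.
    """
    if payload == b"\xff":
        return "keepalive", None
    if len(payload) < 4:
        return "malformed", None
    if payload[:4] == NON_ESP_MARKER:
        return "ike", None
    return "esp", struct.unpack("!I", payload[:4])[0]


def summarize(datagrams):
    """Count each kind and collect the ESP SPIs seen, e.g. to confirm
    from a capture that a tunnel really switched to NAT-T."""
    kinds, spis = Counter(), set()
    for dport, payload in datagrams:
        if dport != NAT_T_PORT:
            kinds["other"] += 1
            continue
        kind, spi = classify_nat_t_payload(payload)
        kinds[kind] += 1
        if spi is not None:
            spis.add(spi)
    return dict(kinds), spis


# Constructed sample datagrams as (udp_dport, payload).
SAMPLE = [
    (NAT_T_PORT, NON_ESP_MARKER + b"\x11" * 28),                      # IKE behind marker
    (NAT_T_PORT, struct.pack("!II", 0x0A0B0C0D, 1) + b"\xaa" * 40),   # ESP, SPI + seq
    (NAT_T_PORT, b"\xff"),                                            # NAT keepalive
    (NAT_T_PORT, struct.pack("!II", 0x0A0B0C0D, 2) + b"\xbb" * 40),   # ESP, next seq
    (IKE_PORT, b"\x22" * 28),                                         # plain IKE on 500
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```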