From owner-freebsd-questions@FreeBSD.ORG Fri Oct 27 12:53:41 2006
From: "Tuc at T-B-O-H.NET"
Message-Id: <200610271253.k9RCrRn2078192@himinbjorg.tucs-beachin-obx-house.com>
To: cswiger@mac.com (Chuck Swiger)
Cc: "Tuc at T-B-O-H.NET", freebsd-questions@freebsd.org
Date: Fri, 27 Oct 2006 08:53:27 -0400 (EDT)
In-Reply-To: <691257EF-3060-450B-90DB-E82DE4CEDEB2@mac.com>
X-Mailer: ELM [version 2.5 PL8]
Subject: Re: Tunnels to Cisco through NAT?
> On Oct 20, 2006, at 10:42 AM, Tuc at T-B-O-H.NET wrote:
> > Is anyone aware of a tunnel between FreeBSD and Cisco that
> > can go through a NAT on the Cisco side?
>
> If you update the Cisco firmware with the latest IOS+VPN version, you
> ought to gain proper NAT-T support which will work with most IPSEC/
> VPN implementations. Otherwise, if you only need to implement a
> single VPN tunnel, you can use something like OpenVPN, which only
> needs you to forward a single UDP port (1194)...
>
Ok, I've:

1) Updated the IOS to c2500-ik8os-l.122-32

2) Installed ipsec-tools on FreeBSD after applying the NAT-T patch
   (freebsd6-natt.diff) to 5.5-RELEASE-p8 and recompiling.

3) Set up on FreeBSD:

   ifconfig gre0 unplumb
   ifconfig gre0 create
   ifconfig gre0 192.168.4.1 192.168.4.2 netmask 0xffffffff link1 up
   ifconfig gre0 tunnel 192.136.64.116 69.28.185.2

4) Set up on Cisco:

   interface Tunnel0
    ip address 192.168.4.2 255.255.255.0
    tunnel source Ethernet0
    tunnel destination 192.136.64.116
   !
   interface Ethernet0
    ip address 69.28.185.2 255.255.255.240

So now I can ping across the GRE, which is really nice. So now the next
part is getting IPSEC over it.... And I'm again stuck. I'm trying to use:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

as a reference, but there seems to be a lot more going on, which really
confuses me. Has anyone gone this route?

Thanks, Tuc
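For the "IPsec over the GRE" step, the FreeBSD side needs a security policy that covers the GRE traffic itself. The setkey(8) policy below is an added example, not configuration from this thread or from the Cisco document; it reuses the two endpoint addresses from the post and assumes racoon from ipsec-tools negotiates the ESP SAs. Requiring ESP for IP protocol 47 means the kernel drops GRE packets to or from the Cisco that are not protected, so the tunnel cannot silently fall back to cleartext.

```conf
# Added example (not from the thread): setkey(8) SPD entries that require
# ESP transport mode for all GRE (IP protocol 47) traffic between the two
# tunnel endpoints. The "gre" upper-layer spec resolves via /etc/protocols.
# Addresses are the ones from the post; racoon is assumed to set up the SAs.
flush;
spdflush;

# Outbound: FreeBSD public address -> Cisco Ethernet0
spdadd 192.136.64.116 69.28.185.2 gre -P out ipsec
    esp/transport//require;

# Inbound: Cisco Ethernet0 -> FreeBSD public address
spdadd 69.28.185.2 192.136.64.116 gre -P in ipsec
    esp/transport//require;
```

Load it with `setkey -f` and confirm the policy with `setkey -DP`; once racoon has negotiated with the Cisco, `setkey -D` should list an ESP SA in each direction and GRE pings across gre0 will work again, now encapsulated.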