From: Andy McConnell <andym@houseofcats.org>
To: freebsd-isp@freebsd.org
Date: Sun, 9 Apr 2000 21:15:27 -0700 (PDT)
Subject: natd and passing ipsec data

I'm looking for a workaround to allow hosts on a private IP subnet to set up ipsec VPNs through a natd implementation.

I am using FreeBSD 3.4-RELEASE now as the natd/ipfw and router. I have a 10.0.0.0/24 subnet inside, using a single IP address on the outside for NAT. I am looking to use a standard IPSec client (which uses AH and ESP, as well as IKE (udp port 500)) on one of the inside clients.

I know AH won't work, but ESP *should* according to other recommendations. I think now that the flavor of NAT I'm running will only support UDP and TCP. I get the feeling that other IP flavors (protocols 50 and 50, AH and ESP) are ignored by this version of natd.

I have heard some reports from people running a Cisco PIX firewall that Cisco's NAT could do this. Has anyone had success in this using a FreeBSD natd?

-Andy

--
Andy McConnell
andym@houseofcats.org

Those who make peaceful revolution impossible will make violent revolution inevitable. -- John F. Kennedy
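Added example, not part of the post and not FreeBSD's natd code: a small Python model of a port-based NAT that shows why the IKE exchange on UDP port 500 from the 10.0.0.0/24 side can be translated while ESP (protocol 50) and AH carry no port to map and are passed through unchanged. The outside address, peer address, ports and SPI are constructed values.

```python
import struct
from ipaddress import IPv4Address

# Teaching model of a port-based NAT, added to illustrate the question above.
# Not natd or FreeBSD code; all packets below are constructed in-line.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51

def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 packet: no options, checksum left at zero (demo only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def nat_outbound(pkt, table, outside_ip, next_port):
    """Translate one outbound packet from the 10.0.0.0/24 side.
    table: (proto, outside_port) -> (inside_ip, inside_port), filled for
    TCP/UDP so replies can be demultiplexed to the right inside host.
    Returns (packet, action)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, body = pkt[9], str(IPv4Address(pkt[12:16])), pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport = struct.unpack("!H", body[:2])[0]          # 16-bit source port
        oport = next_port.pop(0)
        table[(proto, oport)] = (src, sport)
        body = struct.pack("!H", oport) + body[2:]
        pkt = pkt[:12] + IPv4Address(outside_ip).packed + pkt[16:ihl] + body
        return pkt, "translated"
    if proto == IPPROTO_AH:
        # AH's integrity check covers the source address itself, so rewriting
        # the address would invalidate every packet: nothing sensible to do.
        return pkt, "untranslatable: AH authenticates the IP header"
    if proto == IPPROTO_ESP:
        # ESP carries a 32-bit SPI but no ports. The SPI in this packet was
        # chosen by the remote peer; the reply will carry a different SPI the
        # inside host chose, so the NAT cannot build a reply mapping from what
        # it sees here and cannot tell two inside hosts' tunnels apart.
        spi = struct.unpack("!I", body[:4])[0]
        return pkt, f"no port to map (SPI {spi:#x}); passed unchanged"
    return pkt, "no port to map; passed unchanged"

def demo():
    table, ports = {}, [40000, 40001]
    ike = build_ipv4(IPPROTO_UDP, "10.0.0.5", "192.0.2.10",
                     struct.pack("!HHHH", 500, 500, 8, 0))
    esp = build_ipv4(IPPROTO_ESP, "10.0.0.5", "192.0.2.10",
                     struct.pack("!II", 0xC0FFEE01, 1))
    out_ike, a1 = nat_outbound(ike, table, "203.0.113.1", ports)
    out_esp, a2 = nat_outbound(esp, table, "203.0.113.1", ports)
    return table, out_ike, a1, out_esp, a2
```

Running `demo()` shows the IKE datagram leaving with the outside address and a fresh port recorded in the table, while the ESP packet leaves with its private 10.0.0.5 source untouched, which is exactly the gap the post describes.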