From owner-freebsd-questions Thu Dec  2 19:52:07 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61]) by hub.freebsd.org (Postfix) with ESMTP id C7BE614CCE for ; Thu, 2 Dec 1999 19:52:04 -0800 (PST) (envelope-from jomor@ahpcns.com)
Received: from ahpcns.com (localhost [127.0.0.1]) by shorty.ahpcns.com (Postfix) with ESMTP id 87D7C1AE; Thu, 2 Dec 1999 21:51:33 -0600 (CST)
Message-ID: <38473E45.53DD930@ahpcns.com>
Date: Fri, 03 Dec 1999 03:51:33 +0000
From: jomor
Organization: ahpcns
X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: snap-users@kame.net, "questions@freebsd.org"
Subject: firewall rules for kame IPSEC over IPv4
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have a FreeBSD 3.3-STABLE box doing firewall duty. The box is doing NAT and IPFW filtering as well as some other services. I'd like it to be an IPSEC tunnel endpoint also. The other end of the tunnel will hopefully be a "WatchGuard Firebox II", which is a Linux-based commercial firewall "appliance", although I could set up another FreeBSD/KAME box if there are interoperability problems.

I have installed KAME and built a new kernel on a test box, and I still have connectivity. I think I can handle the initial IPSEC configuration, but I don't know what changes I'll need to make to my firewall rules so that:

1. The firewall rules don't interfere with the tunnel.
2. The traffic through the tunnel bypasses NAT (both "private" networks are using RFC 1918 addresses).

Once I get this to work I'll be happy to document my experience for the benefit of those who follow.

TIA
...jgm

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
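The two requirements in the post (let the tunnel through, keep tunnel traffic away from natd) come down to rule ordering: the IKE, ESP/AH and private-to-private rules have to be accepted before the `divert natd` rule, because anything that reaches the divert rule gets translated. The script below is an added example, not code from the original post or from KAME; the interface name (ed0), the gateway addresses (documentation ranges 198.51.100.10 and 203.0.113.5), the two RFC 1918 networks and the rule numbers are all assumptions. It also assumes the KAME kernel passes both the outer ESP packet and the decapsulated inner packet through ipfw, which is what makes rule 1200/1210 necessary; that should be confirmed on the actual kernel (see the note after the block).

```shell
#!/bin/sh
# Added example: IPFW rule fragment for a FreeBSD 3.x + KAME gateway that also
# runs natd. Not from the original post. All names and addresses are assumed:
#   local private net   192.168.1.0/24   behind this box
#   remote private net  192.168.2.0/24   behind the other gateway
#   this box, outside   198.51.100.10 on ed0
#   remote gateway      203.0.113.5
#
# fwcmd defaults to "echo ipfw" so the script prints the rules instead of
# loading them; on the gateway run it as:  fwcmd=/sbin/ipfw sh ipsec-fw.sh

fwcmd=${fwcmd:-"echo ipfw"}
oif=ed0
my_ip=198.51.100.10
remote_gw=203.0.113.5
local_net=192.168.1.0/24
remote_net=192.168.2.0/24

build_rules() {
    # Rule numbers leave room for an existing rc.firewall set; the point is
    # only that everything here is numbered below the natd divert rule.

    # 1. IKE (ISAKMP, UDP/500) between the two gateways. Accepted before the
    #    divert rule so natd never rewrites the UDP source port.
    ${fwcmd} add 1000 allow udp from ${remote_gw} 500 to ${my_ip} 500 in via ${oif}
    ${fwcmd} add 1010 allow udp from ${my_ip} 500 to ${remote_gw} 500 out via ${oif}

    # 2. The IPsec packets themselves: ESP (protocol 50) and AH (51). ipfw
    #    resolves "esp"/"ah" via /etc/protocols; use 50 and 51 if they are
    #    missing there.
    ${fwcmd} add 1100 allow esp from ${remote_gw} to ${my_ip} in via ${oif}
    ${fwcmd} add 1110 allow esp from ${my_ip} to ${remote_gw} out via ${oif}
    ${fwcmd} add 1120 allow ah from ${remote_gw} to ${my_ip} in via ${oif}
    ${fwcmd} add 1130 allow ah from ${my_ip} to ${remote_gw} out via ${oif}

    # 3. Plaintext between the two RFC 1918 networks: outbound before KAME
    #    encapsulates it, inbound after KAME decapsulates and reinjects it
    #    (assumption: both passes are visible to ipfw). Accepting it here is
    #    what keeps it away from natd.
    ${fwcmd} add 1200 allow ip from ${local_net} to ${remote_net}
    ${fwcmd} add 1210 allow ip from ${remote_net} to ${local_net}

    # 4. Only the remaining outside traffic reaches natd.
    ${fwcmd} add 1300 divert natd ip from any to any via ${oif}
}

build_rules
```

Two checks are worth doing once this is loaded. First, `ipfw -a list` shows per-rule packet counters; if rule 1210 never counts while 1100 does, the decapsulated packets are not being reinjected through ipfw on that kernel and rule 3 can be dropped. Second, if the existing rule set has an anti-spoofing rule that denies RFC 1918 sources `in via ed0`, it will also match the reinjected inner packets on kernels that tag them with the outside interface; in that case the 1210 rule has to sit above the anti-spoofing rule, and it should then be restricted as tightly as possible (exact networks, and ideally `log` for a while) because it is accepting private-source packets on the outside interface.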