From: "Vince" <jhary@unsane.co.uk>
To: "'John Mok'", freebsd-net@freebsd.org
Date: Sat, 9 Apr 2005 14:37:24 +0100
Subject: RE: FreeBSD Firewall + NAT Traversal + IPsec
List-Id: Networking and TCP/IP with FreeBSD

I do this with the Cisco VPN client (to PIX); I am firewalling with pf.

Client --- FreeBSD firewall+NAT using pf --- internet --- PIX

The only problem I had was that isakmp needs to come from port 500 as well as go to port 500, so I needed to add a rule to stop pf changing the source port. My nat rules are:

    nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
        to any -> ($ext_if:0) port 500
    nat on $ext_if from $int_net to any -> $ext_addr1

Haven't tried Checkpoint though.
Vince

> -----Original Message-----
> From: owner-freebsd-net@freebsd.org
> [mailto:owner-freebsd-net@freebsd.org] On Behalf Of John Mok
> Sent: 07 April 2005 17:15
> To: freebsd-net@freebsd.org
> Subject: FreeBSD Firewall + NAT Traversal + IPsec
>
> Hi,
>
> I'm new to FreeBSD. Is it possible to make a FreeBSD box with
> firewall + NAT, such that client PC(s) from the NATed
> internal network could connect to a VPN gateway on the Internet :-
>
> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
> 192.168.x.x/16                                            (e.g. Checkpoint FW-1)
> (VPN client)
>
> I hope someone could help to advise what software is required
> on the FreeBSD box to make NAT traversal work and where to get the
> HOWTO(s)?
>
> Thanks a lot.
>
> John Mok
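To show how Vince's two nat rules fit into a complete pf.conf, here is an added configuration fragment that is not part of the original mail. The interface names, the internal network and the external address are assumptions; the point it demonstrates is that pf evaluates translation rules first-match, so the port-500 rule must precede the general nat rule or the ISAKMP source port will still be rewritten.

```pf
# Added example, not from the thread. Interface names, internal network and
# external address are assumptions (203.0.113.10 is a documentation address).
ext_if    = "fxp0"              # assumed external interface
int_if    = "fxp1"              # assumed internal interface
int_net   = "192.168.0.0/16"    # assumed internal network (John's 192.168.x.x/16)
ext_addr1 = "203.0.113.10"      # assumed external address

# Translation rules are evaluated in order and the first match wins, so the
# rule that keeps ISAKMP on source port 500 must come before the catch-all.
# With the order reversed, every packet (port 500 included) would match the
# second rule and pf would pick a random source port, which is the problem
# described in the mail.
nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
    to any -> ($ext_if:0) port 500
nat on $ext_if from $int_net to any -> $ext_addr1

# Filter rules for the IKE (ISAKMP) exchange itself: accept it from the
# internal network and let it out on the external interface after translation.
pass in  on $int_if proto udp from $int_net to any port 500 keep state
pass out on $ext_if proto udp to any port 500 keep state
```

Check the active translation rules with `pfctl -s nat` after loading; the port-500 rule should be listed first. Whatever carries the rest of the tunnel (ESP or a UDP/TCP encapsulation, depending on the client) still needs its own pass rules, which the mail does not cover.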