From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 12:51:31 2003
Date: Wed, 30 Apr 2003 15:52:41 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: Lowell Gilbert
cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
Message-ID: <20030430154157.U24608@cithaeron.argolis.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>

On Wed, 30 Apr 2003, Lowell Gilbert wrote:

> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this?
> > I can't find any hints in the man pages.
>
> It's impossible.  IPSEC can't be passed through a NAT.

Actually, that's not strictly true.  I've done such a thing myself, but
with a trick: I blindly forwarded any packet from the tunnel-server to
the client.

The specifics: $WORK uses a Bay (now Nortel) IPSEC VPN server.  It's
configured to do tunnelling, and assign the client a dynamic address.
To do the forwarding, I set up a line like:

redirect_proto tcp clientip natgwextip vpnserverip
redirect_proto udp clientip natgwextip vpnserverip

in /etc/natd.conf (and set rc.conf to have natd look at that file).  It
worked for me, although I suspect that if someone forged vpnserverip,
they could sneak packets to my client machine.  The client uses Nortel's
client, but watching what I could using a sniffer, it looked like a
fairly normal IPSEC connect.

Oddly enough, I was just going to ask how I'd do that forward using
ipfw, ipfw2, or ipfilter, since I use ppp now and not natd.  Or, can I
use natd with ppp if I don't 'ppp -nat ...'?

-- 
Matt Piechota
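For readers who want to see the natd.conf arrangement Matt describes written out in full, here is an added configuration example; it is not from Matt's message or from the FreeBSD project, and the addresses (192.0.2.10 for the LAN client, 198.51.100.1 for the gateway's external address, 203.0.113.5 for the VPN server) and the interface name tun0 are placeholders chosen for illustration. It also adds a `redirect_proto esp` line, on the assumption that the tunnel carries raw ESP (IP protocol 50); a tcp/udp-only redirect covers IKE on UDP/500 and any UDP-encapsulated ESP, but raw ESP matches neither of those protocols. The third address on each `redirect_proto` line limits the redirect to packets whose source is the VPN server, which is exactly the source-address-only check behind the spoofing concern Matt raises.

```conf
# /etc/natd.conf  (added example; addresses and interface are placeholders)
interface tun0            # external interface natd translates on
use_sockets yes
same_ports yes

# Blind-forward traffic that arrives on the external address from the
# VPN server to the LAN client.  Format:
#   redirect_proto <proto> <clientIP> <externalIP> <remoteIP>
# The trailing <remoteIP> restricts the rule to packets sourced from the
# VPN server; nothing here verifies that source address, so a packet
# forged with the VPN server's address is forwarded just the same.
redirect_proto tcp 192.0.2.10 198.51.100.1 203.0.113.5
redirect_proto udp 192.0.2.10 198.51.100.1 203.0.113.5
redirect_proto esp 192.0.2.10 198.51.100.1 203.0.113.5   # raw ESP, if used

# /etc/rc.conf  (the lines that make natd read the file above)
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
```

With `natd_enable="YES"`, the stock /etc/rc.firewall inserts the `divert natd` rule on the configured interface for the built-in firewall types, so the ipfw side of the natd setup needs no hand-written divert rule in that case. Because the redirect keys only on the claimed source address, the client machine should still treat the forwarded traffic as untrusted: IPSec's own authentication of the ESP payload is what actually rejects forged packets, and a host firewall on the client that accepts only the VPN protocol ports and ESP limits what a forged-source packet can reach.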