From owner-freebsd-net@FreeBSD.ORG Sat Apr 9 15:20:11 2005
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61B0716A4CE for ; Sat, 9 Apr 2005 15:20:11 +0000 (GMT)
Received: from cwb.pacific.net.hk (cwb.pacific.net.hk [202.14.67.92]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9001F43D31 for ; Sat, 9 Apr 2005 15:20:10 +0000 (GMT) (envelope-from jmok@attglobal.net)
Received: from [192.168.16.50] (154.159.17.210.fixed.pacific.net.hk [210.17.159.154]) by cwb.pacific.net.hk with ESMTP id j39FK3Ou011576; Sat, 9 Apr 2005 23:20:08 +0800 (CST)
Message-ID: <4257F2A1.2060603@attglobal.net>
Date: Sat, 09 Apr 2005 23:20:01 +0800
From: John Mok
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Vince
References: <200504091337.j39Db6wv028638@unsane.co.uk>
In-Reply-To: <200504091337.j39Db6wv028638@unsane.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD Firewall + NAT Traversal + IPsec
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 09 Apr 2005 15:20:11 -0000

To my understanding, the mechanism of how NAT works is that the client connections from the intranet are mapped to separate ports on the NAT, with one single IP address, by means of a mapping table, such that a reply packet from the outside to the NAT can be reversely mapped to the respective client connection. If there is more than one VPN client being NATed to the VPN gateway, and all client isakmp connections to port 500 are mapped to port 500 on the external interface of the NAT, then how could the NAT reversely map the isakmp replies to the clients unambiguously?
John Mok

Vince wrote:
> I do this with the cisco VPN client (to PIX),
> I am firewalling with pf.
>
> Client --- FreeBSD firewall+NAT using pf --- internet - PIX
>
> The only problem I had was that isakmp needs to come from
> port 500 as well as go to port 500, so I needed to add a rule
> to stop pf changing the source port. My nat rules are:
>
> nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
>     to any -> ($ext_if:0) port 500
> nat on $ext_if from $int_net to any -> $ext_addr1
>
> Haven't tried checkpoint though.
>
> Vince
>
>> -----Original Message-----
>> From: owner-freebsd-net@freebsd.org
>> [mailto:owner-freebsd-net@freebsd.org] On Behalf Of John Mok
>> Sent: 07 April 2005 17:15
>> To: freebsd-net@freebsd.org
>> Subject: FreeBSD Firewall + NAT Traversal + IPsec
>>
>> Hi,
>>
>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with
>> firewall + NAT, such that client PC(s) from the NATed
>> internal network could connect to a VPN gateway on the Internet :-
>>
>> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>> 192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>> (VPN client)
>>
>> I hope someone could help to advise what software is required
>> on the FreeBSD box to make NAT traversal work and where to get the
>> HOWTO(s)?
>>
>> Thanks a lot.
>>
>> John Mok
>>
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
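A small Python model of the reverse-mapping problem John raises (an added example, not code from the thread or from pf; the NAT table, the client addresses and the gateway address are constructed for illustration): with Vince's rule keeping the source port at 500, a second client behind the same NAT produces an identical reply key, whereas letting the NAT pick a distinct source port keeps the replies unambiguous.

```python
# Toy model of the NAT reverse-mapping question raised in the thread
# (added example; not pf's real state engine). A reply is matched on the
# translated tuple (proto, ext_port, peer, peer_port); two clients mapped
# to the same tuple cannot be told apart. Addresses are constructed samples.

class NatTable:
    """Stateful NAT keyed the way a reply packet must be looked up."""

    def __init__(self, port_pool=range(40000, 40010)):
        self.free_ports = list(port_pool)
        self.forward = {}   # (proto, client, cport, peer, pport) -> ext_port
        self.reverse = {}   # (proto, ext_port, peer, pport) -> (client, cport)

    def outbound(self, client, cport, peer, pport, proto="udp", keep_port=False):
        """Translate a client packet; returns the external source port used."""
        fkey = (proto, client, cport, peer, pport)
        if fkey in self.forward:            # existing state: reuse it
            return self.forward[fkey]
        ext_port = cport if keep_port else self.free_ports.pop(0)
        rkey = (proto, ext_port, peer, pport)
        if rkey in self.reverse:            # another client already owns it
            raise ValueError(f"ambiguous reply key {rkey}: owned by {self.reverse[rkey]}")
        self.forward[fkey] = ext_port
        self.reverse[rkey] = (client, cport)
        return ext_port

    def inbound(self, peer, pport, ext_port, proto="udp"):
        """Reverse-map a reply to (client, client_port), or None if unknown."""
        return self.reverse.get((proto, ext_port, peer, pport))


def demo_static_port_500(gateway="203.0.113.1"):
    """Vince's rule: source port 500 is kept as 500. Fits one client only."""
    nat = NatTable()
    nat.outbound("192.168.16.50", 500, gateway, 500, keep_port=True)
    try:
        nat.outbound("192.168.16.51", 500, gateway, 500, keep_port=True)
    except ValueError:
        return "collision"
    return "ok"


def demo_rewritten_source_port(gateway="203.0.113.1"):
    """Default NAT behaviour: distinct external ports, replies disambiguate."""
    nat = NatTable()
    p1 = nat.outbound("192.168.16.50", 500, gateway, 500)
    p2 = nat.outbound("192.168.16.51", 500, gateway, 500)
    return p1 != p2, nat.inbound(gateway, 500, p1), nat.inbound(gateway, 500, p2)
```

The trade-off is the one Vince hit: a peer that insists on IKE arriving from port 500 forces the static mapping, which is exactly why NAT-T moves IKE and the UDP-encapsulated ESP to port 4500 once a NAT is detected.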