From owner-freebsd-net@FreeBSD.ORG Sat Apr 9 16:59:27 2005
Date: Sat, 9 Apr 2005 17:59:03 +0100 (BST)
From: Vince Hoffman
To: John Mok
cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD Firewall + NAT Traversal + IPsec
In-Reply-To: <4257F2A1.2060603@attglobal.net>
Message-ID: <20050409174841.L35796@unsane.co.uk>
References: <200504091337.j39Db6wv028638@unsane.co.uk> <4257F2A1.2060603@attglobal.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, 9 Apr 2005, John Mok wrote:

>
> To my understanding, the mechanism of how NAT works is that the client
> connections from the intranet are mapped to separate ports on the NAT with
> one single IP address by means of a mapping table, such that the reply packet
> from the outside to the NAT could be reversely mapped to the respective
> client connections. If there is more than one VPN client being NATed to the
> VPN gateway, and all client isakmp connections to port 500 are mapped to port
> 500 on the external interface of the NAT, then how could the NAT reversely
> map the isakmp replies to the clients unambiguously?
>

Sorry, the one caveat I forgot is that I can only have one VPN session at a
time. If you are likely to have multiple users using the VPN at one time then
it won't work. If you have multiple VPN users accessing the same Checkpoint
then have a look at making a LAN to LAN tunnel, see:
http://www.freebsd.org/doc/en/articles/checkpoint/
It's a little old and you need to do some config on the Checkpoint, but it's
a good starting point.

Vince

> John Mok
>
>
> Vince wrote:
>
>> I do this with the Cisco VPN client (to PIX), I am firewalling with pf.
>>
>>   Client --- FreeBSD firewall+NAT using pf --- internet - PIX
>>
>> The only problem I had was that isakmp needs to come from port 500 as well
>> as go to port 500, so I needed to add a rule to stop pf changing the source
>> port. My nat rules are:
>>
>>   nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
>>       to any -> ($ext_if:0) port 500
>>   nat on $ext_if from $int_net to any -> $ext_addr1
>>
>> Haven't tried Checkpoint though.
>>
>> Vince
>>
>>
>>
>>> -----Original Message-----
>>> From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org]
>>> On Behalf Of John Mok
>>> Sent: 07 April 2005 17:15
>>> To: freebsd-net@freebsd.org
>>> Subject: FreeBSD Firewall + NAT Traversal + IPsec
>>>
>>> Hi,
>>>
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall + NAT,
>>> such that client PC(s) from the NATed internal network could connect to a
>>> VPN gateway on the Internet :-
>>>
>>>   client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>>   192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>>>   (VPN client)
>>>
>>> I hope someone could help to advise what software is required on the
>>> FreeBSD box to make NAT traversal work, and where to get the HOWTO(s)?
>>>
>>> Thanks a lot.
>>>
>>> John Mok
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>
>>>
>>
>>
>
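The exchange above turns on how a NAT mapping table behaves when one rule pins the external source port to 500 for ISAKMP while another rule rewrites every other flow. The following is an added toy model, not pf's implementation and not code from the thread; the addresses, port range and class names are constructed. It reproduces the two quoted pf rules as table operations and shows why the port-preserving rule can only carry one IPsec client at a time, which is exactly the caveat Vince gives.

```python
"""Toy model of a port-preserving NAT mapping table.

Constructed example (not pf's implementation, and not code from the
mailing-list thread). It models the two pf rules quoted in the thread:
one that keeps source port 500 as external port 500 for ISAKMP, and one
that rewrites every other flow to an allocated ephemeral port. It shows
why the first rule can serve only one IPsec client at a time.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ISAKMP_PORT = 500
EXT_ADDR = "203.0.113.1"   # constructed external address (TEST-NET-3 range)


class PortCollision(Exception):
    """Raised when a port-preserving rule needs an external port already in use."""


@dataclass
class NatTable:
    ext_addr: str = EXT_ADDR
    ephemeral_start: int = 49152
    # (proto, external port) -> (internal ip, internal port): used for replies
    inbound: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, internal ip, internal port) -> external port: used for new packets
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)

    def map_outbound(self, proto: str, src_ip: str, src_port: int) -> int:
        """Translate an outbound flow and return the external source port.

        Source port 500 takes the port-preserving path (external port must
        also be 500, as in 'from $int_net port = 500 ... -> ($ext_if:0) port 500');
        everything else gets the next free ephemeral port, as the second rule does.
        """
        key = (proto, src_ip, src_port)
        if key in self.outbound:              # existing state: reuse the mapping
            return self.outbound[key]
        if src_port == ISAKMP_PORT:
            ext_port = ISAKMP_PORT
            if (proto, ext_port) in self.inbound:
                # A second client on UDP/500 cannot also own external port 500:
                # replies arriving at port 500 could not be attributed unambiguously.
                owner = self.inbound[(proto, ext_port)]
                raise PortCollision(f"{proto}/{ext_port} already mapped to {owner}")
        else:
            ext_port = self.ephemeral_start
            while (proto, ext_port) in self.inbound:
                ext_port += 1
        self.inbound[(proto, ext_port)] = (src_ip, src_port)
        self.outbound[key] = ext_port
        return ext_port

    def map_inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reverse-map a reply arriving at the external address; None if no state."""
        return self.inbound.get((proto, dst_port))


def demo() -> dict:
    """Run the scenario from the thread and return the outcomes by name."""
    nat = NatTable()
    results = {}
    # Client A brings up IKE: UDP 500 -> 500, external source port stays 500.
    results["a_ext_port"] = nat.map_outbound("udp", "192.168.1.10", 500)
    # The gateway's reply to port 500 maps back to client A unambiguously.
    results["a_reply"] = nat.map_inbound("udp", 500)
    # Client A also browses: ordinary rule, ephemeral port assigned.
    results["a_http_port"] = nat.map_outbound("tcp", "192.168.1.10", 51234)
    # Client B tries IKE at the same time: collides with A's port-500 mapping.
    try:
        nat.map_outbound("udp", "192.168.1.11", 500)
        results["b_ike_ok"] = True
    except PortCollision:
        results["b_ike_ok"] = False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keeps two maps because a NAT needs both directions: the outbound map decides whether a packet belongs to existing state, the inbound map answers John's question of which internal host a reply to external port 500 belongs to. With a single external address there is only one (udp, 500) slot in that inbound map, so a second concurrent ISAKMP client has nowhere to go, which is why the thread points multiple users at a LAN to LAN tunnel instead.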