From: "Jeff Norris" <jeff@norristechs.net>
To: Jeff at NorrisTechs, Brian Candler
Cc: freebsd-isp@freebsd.org
Date: Mon, 14 Aug 2006 12:19:30 -0600
Subject: Re: VPN through NAT?

Brian,

IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN clients are the same. I use one that uses UDP port 10000 for NAT traversal.

Cheers

---------- Original Message ----------------------------------
From: Brian Candler
Date: Mon, 14 Aug 2006 13:30:17 +0100

>On Sun, Aug 13, 2006 at 06:28:33PM -0600, Jeff at NorrisTechs wrote:
>> I assume you have TCP port 1723 forwarding from the internet/dmz to the
>> PPTP host. That should be enough for most PPTP based VPN clients.
>>
>> It can be difficult with IPSEC as you have to forward UDP 500,
>> Protocol 50 and Protocol 51 to / from the VPN client from your NAT router.
>
>If the *clients* are behind NAT, when running IPSEC there should be nothing
>to do.
>
>IPSEC uses UDP 500 (outbound) to start the key exchange, detects NAT, and
>then switches to UDP 4500 for IPSEC NAT traversal. It also sends NAT
>keepalive packets every 20 seconds by default.
>
>So if you have a NAT-aware IPSEC client, it should work with any old NAT
>firewall without any config changes on that firewall, as long as it allows
>outbound connections. It was designed to work in hotels etc.
>
>Microsoft's L2TP over IPSEC works just fine for this (with Win2K you need to
>install a NAT traversal patch). I've no idea about PPTP though. I don't use
>it, as it's generally considered insecure compared with IPSEC.
>
>I believe some routers have a "PPTP passthrough" mode, which you could try
>turning on (or off) to see if it fixes the problem.
>
>Regards,
>
>Brian.
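The UDP 500 to UDP 4500 switch that Brian describes is what a packet capture on the NAT router will show, and the UDP 4500 stream carries three different things on the same port. The following is an added example, not code from either poster or from any VPN product in the thread: it demultiplexes UDP 4500 payloads using the RFC 3948 encapsulation rules (a one-byte 0xFF NAT keepalive, a four-zero-byte Non-ESP Marker in front of IKE, otherwise ESP starting with its SPI) and then summarizes a constructed flow to flag whether a client went through the 500-then-4500 transition. All sample packets are constructed by hand; the `nat_detected` flag is a heuristic drawn from Brian's description, not a protocol guarantee.

```python
"""Demultiplex IPsec NAT-T traffic on UDP 4500 (RFC 3948 encapsulation).

Added example, not code from the thread. The sample packets below are
constructed by hand; the sample flow mimics the sequence Brian describes:
IKE on UDP 500, a switch to UDP 4500 once NAT is detected, ESP-in-UDP
data, then NAT keepalives.
"""
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: prefixes IKE on 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-byte keepalive
IKE_HEADER_LEN = 28

# Exchange-type names for the two IKE versions (RFC 2408 / RFC 7296).
EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def parse_ike_header(data: bytes) -> dict:
    """Parse the fixed 28-byte ISAKMP/IKE header (same layout in v1 and v2)."""
    if len(data) < IKE_HEADER_LEN:
        return {"kind": "malformed", "reason": "short IKE header"}
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    if length != len(data):
        return {"kind": "malformed", "reason": "IKE length mismatch"}
    return {
        "kind": "ike",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator_spi": i_spi,
        "responder_spi": r_spi,
        "message_id": msg_id,
    }


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload as keepalive, IKE, ESP or malformed."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        # Four zero bytes where an ESP SPI would sit: SPI 0 is reserved,
        # so this can only be IKE behind the Non-ESP Marker.
        return parse_ike_header(payload[len(NON_ESP_MARKER):])
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize_flow(packets) -> dict:
    """Summarize a list of (dst_port, payload) tuples from one client.

    nat_detected follows the behaviour described in the thread: IKE began
    on 500 and the peer later moved to 4500. It is a heuristic, since an
    IKEv2 initiator is also allowed to start on 4500 directly.
    """
    summary = {"ike_on_500": 0, "ike_on_4500": 0, "esp_in_udp": 0,
               "keepalives": 0, "malformed": 0}
    for port, payload in packets:
        if port == IKE_PORT:
            info = parse_ike_header(payload)      # no marker on port 500
            key = "ike_on_500" if info["kind"] == "ike" else "malformed"
        elif port == NAT_T_PORT:
            info = classify_nat_t_payload(payload)
            key = {"ike": "ike_on_4500", "esp": "esp_in_udp",
                   "nat-keepalive": "keepalives"}.get(info["kind"], "malformed")
        else:
            key = "malformed"
        summary[key] += 1
    summary["nat_detected"] = bool(
        summary["ike_on_500"] and (summary["ike_on_4500"] or summary["esp_in_udp"]))
    return summary


def _ike_packet(exch: int, flags: int, msg_id: int, r_spi: int = 0) -> bytes:
    """Build a header-only IKEv2 message (constructed test data)."""
    return struct.pack("!QQBBBBII", 0x1122334455667788, r_spi, 33, 0x20,
                       exch, flags, msg_id, IKE_HEADER_LEN)


# Constructed sample traffic, in the order Brian describes.
SAMPLE_FLOW = [
    (IKE_PORT, _ike_packet(34, 0x08, 0)),                              # IKE_SA_INIT on 500
    (NAT_T_PORT, NON_ESP_MARKER + _ike_packet(35, 0x08, 1, 0xABCD)),   # IKE_AUTH on 4500
    (NAT_T_PORT, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),    # ESP-in-UDP
    (NAT_T_PORT, NAT_KEEPALIVE),
    (NAT_T_PORT, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOW:
        print(port, classify_nat_t_payload(payload) if port == NAT_T_PORT
              else parse_ike_header(payload))
    print(summarize_flow(SAMPLE_FLOW))
```

On a real capture the same classifier applies to each UDP 4500 datagram's payload; the only port-dependent difference is that IKE on UDP 500 has no Non-ESP Marker, which is why `summarize_flow` calls `parse_ike_header` directly for port 500. Jeff's Cisco client on UDP 10000 is a vendor-specific encapsulation and would not match these rules.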