Date: Wed, 12 Apr 2000 09:30:27 -0500 (EST)
From: daemons <daemons@stumble.ath.cx>
To: Julian Elischer <julian@elischer.org>
Cc: net@FreeBSD.ORG
Subject: Re: pptp over NAT? Impossible?
Message-ID: <Pine.BSO.4.10.10004120925450.31937-100000@stumble.ath.cx>
In-Reply-To: <38F43C84.3F54BC7E@elischer.org>
This can be done. Here is an excerpt from an OpenBSD mailing list.. this
is for ipfilter of course...
DATE: 01/12/2000 08:53:29
SUBJECT: RE: IPSec across a NAT
i'm not an expert, and i'm sure someone will tell me this
is no good, but this is what i do to get gre (for MS PPTP) to redirect.
Setup an external ip address specifically for ipsec in
ifaliases.
then in ipnat.rules
bimap mx0 *internalip*/32 -> *externalip*/32
rdr mx0 *externalip*/32 port 500 -> *internalip* port 500 udp
(i assume you want to use ike with ipsec)
then in ipf.rules:
block in on mx0 from any to 207.103.201.143/32 head 1
pass in on mx0 proto esp from any to 207.103.201.143/32 group 1
That works for me to redirect gre, so i don't see why it wouldn't work
with esp.
Luke
On Wed, 12 Apr 2000, Julian Elischer wrote:
> I've been beating my head against a problem that I think
> I suddenly understand..
> I've been trying to run a pptp session out from an address translated
> network (i.e. ppp -nat). It gets so far and then stops.
> It has suddenly (after a day wasted) occurred to me that
> maybe the ppp negotiation is being carried by GRE and that
> I'm guessing that GRE is not translatable.. (At least by
> ppp -nat). (what's happening is that the ppp negotiating packets are
> getting lost in transit.)
>
> Can anyone comment on this theory?
>
>
> --
> __--_|\ Julian Elischer
> / \ julian@elischer.org
> ( OZ ) World tour 2000
> ---> X_.---._/ presently in: Perth
> v
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>
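
The theory in the quoted question and the bimap/ipf rules in the reply both rest on GRE and ESP having no port numbers, so a port-rewriting NAT has nothing to key on. The sketch below is an added example, not part of either message: it parses constructed sample packets (addresses, ports, Call ID and SPI are made-up values) and reports which field a translator could track per protocol, using the enhanced GRE header layout from RFC 2637.

```python
import socket
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50

def ipv4(proto, payload, src="192.168.1.10", dst="203.0.113.5"):
    """Build a constructed IPv4 packet (checksum left 0; nothing here checks it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def nat_demux_field(pkt):
    """Return (protocol, field name, value); field is None if there is nothing to key on."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto, body = pkt[9], pkt[ihl:]
    if proto in (TCP, UDP):
        return ("tcp" if proto == TCP else "udp", "ports", struct.unpack("!HH", body[:4]))
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        # Enhanced GRE (RFC 2637): version 1, protocol 0x880B, Key bit set;
        # the key field is payload length (16 bits) + Call ID (16 bits).
        if (flags & 0x0007) == 1 and ptype == 0x880B and (flags & 0x2000):
            return ("gre", "call_id", struct.unpack("!HH", body[4:8])[1])
        return ("gre", None, None)
    if proto == ESP:
        return ("esp", "spi", struct.unpack("!I", body[:4])[0])
    return (str(proto), None, None)

def port_nat_can_translate(pkt):
    """A NAT that only rewrites TCP/UDP ports has nothing to rewrite in GRE or ESP."""
    return nat_demux_field(pkt)[1] == "ports"

# Constructed samples: values are illustrative, not captured traffic.
SAMPLES = {
    "pptp-control": ipv4(TCP, struct.pack("!HH", 1030, 1723) + bytes(16)),
    "ike": ipv4(UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "pptp-gre": ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 4, 0x0042, 1)
                     + b"\xc0\x21\x01\x01"),   # PPP LCP bytes inside GRE
    "esp": ipv4(ESP, struct.pack("!II", 0x00001000, 1) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} {nat_demux_field(pkt)} port-NAT ok: {port_nat_can_translate(pkt)}")
```

The PPTP control channel and IKE come out as translatable by port, while the GRE and ESP packets do not, which is why the reply maps a whole external address with bimap and passes the protocol explicitly.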
