Date: Wed, 12 Apr 2000 09:30:27 -0500 (EST)
From: daemons
To: Julian Elischer
Cc: net@FreeBSD.ORG
Subject: Re: pptp over NAT? Impossible?
In-Reply-To: <38F43C84.3F54BC7E@elischer.org>

This can be done. Here is an excerpt from an OpenBSD mailing list..
this is for ipfilter of course...

DATE: 01/12/2000 08:53:29
SUBJECT: RE: IPSec across a NAT

I'm not an expert, and I'm sure someone will tell me this is no good,
but this is what I do to get gre (for MS PPTP) to redirect.

Set up an external ip address specifically for ipsec in ifaliases.

then in ipnat.rules

    bimap mx0 *internalip*/32 -> *externalip*/32
    rdr mx0 *externalip*/32 port 500 -> *internalip* port 500 udp

(I assume you want to use ike with ipsec)

then in ipf.rules:

    block in on mx0 from any to 207.103.201.143/32 head 1
    pass in on mx0 proto esp from any to 207.103.201.143/32 group 1

That works for me to redirect gre, so I don't see why it wouldn't work
with esp.

Luke

On Wed, 12 Apr 2000, Julian Elischer wrote:

> I've been beating my head against a problem that I think
> I suddenly understand..
> I've been trying to run a pptp session out from an address translated
> network (i.e. ppp -nat). It gets so far and then stops.
> It has suddenly (after a day wasted) occurred to me that
> maybe the ppp negotiation is being carried by GRE and that
> I'm guessing that GRE is not translatable.. (At least by
> ppp -nat).
> (what's happening is that the ppp negotiating packets are
> getting lost in transit.)
>
> Can anyone comment on this theory?
>
>
> --
>       __--_|\  Julian Elischer
>      /       \ julian@elischer.org
>     (   OZ    ) World tour 2000
> ---> X_.---._/  presently in:  Perth
>             v
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
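
An added illustration of the theory in the quoted question (not part of either message): PPTP carries its PPP frames in IP protocol 47 using the enhanced GRE header of RFC 2637, which has no port fields, so a translator that rewrites TCP/UDP ports has only the Call ID to map an inbound packet to an inside host. The function names, the 203.0.113.10 address and the sample packet are constructed for this example.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_GRE_PROTO = 0x880B  # GRE protocol type for PPP-in-GRE (RFC 2637)

def parse_pptp_gre(ip_payload: bytes) -> dict:
    """Parse the enhanced GRE (version 1) header that carries PPTP's PPP frames."""
    if len(ip_payload) < 8:
        raise ValueError("truncated GRE header")
    flags, ver_byte, proto, payload_len, call_id = struct.unpack("!BBHHH", ip_payload[:8])
    if (ver_byte & 0x07) != 1 or proto != PPTP_GRE_PROTO or not flags & 0x20:
        raise ValueError("not PPTP GRE: need version 1, K bit set, type 0x880B")
    offset, seq, ack = 8, None, None
    if flags & 0x10:      # S bit: sequence number present
        if len(ip_payload) < offset + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack_from("!I", ip_payload, offset)
        offset += 4
    if ver_byte & 0x80:   # A bit: acknowledgment number present
        if len(ip_payload) < offset + 4:
            raise ValueError("truncated acknowledgment number")
        (ack,) = struct.unpack_from("!I", ip_payload, offset)
        offset += 4
    if len(ip_payload) < offset + payload_len:
        raise ValueError("payload shorter than the header's length field")
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp": ip_payload[offset:offset + payload_len]}

def nat_flow_key(ip_proto: int, dst_ip: str, ip_payload: bytes) -> tuple:
    """Return the (protocol, address, demux field) an inbound NAT lookup can use."""
    if ip_proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(ip_payload) < 4:
            raise ValueError("truncated transport header")
        (dst_port,) = struct.unpack_from("!H", ip_payload, 2)
        return (ip_proto, dst_ip, dst_port)
    if ip_proto == IPPROTO_GRE:
        # No ports in GRE: the Call ID is the only per-session field.
        return (ip_proto, dst_ip, parse_pptp_gre(ip_payload)["call_id"])
    raise ValueError("no demultiplexing field known for this protocol")

# Constructed sample: K and S bits set, version 1, Call ID 0x1A2B, sequence 7,
# carrying an 8-byte PPP LCP Configure-Request frame.
SAMPLE_PPP = bytes.fromhex("ff03c02101010004")
SAMPLE_GRE = struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTO,
                         len(SAMPLE_PPP), 0x1A2B, 7) + SAMPLE_PPP

if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE_GRE))
    print(nat_flow_key(IPPROTO_GRE, "203.0.113.10", SAMPLE_GRE))
```
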