From owner-freebsd-questions@FreeBSD.ORG Sun Nov 25 18:59:18 2007
From: Jerahmy Pocott
Date: Mon, 26 Nov 2007 05:59:15 +1100
To: Roger Olofsson
Cc: FreeBSD Questions
Subject: Re: Difficulties establishing VPN tunnel with IPNAT
In-Reply-To: <4749B54C.8000703@passagen.se>

On 26/11/2007, at 4:47 AM, Roger Olofsson wrote:

> Hello Jerahmy,
>
> Some progress it seems? Why not set it to allow gre from VPN server
> only? Ie pass in quick on fxp1 proto gre from to any?
>
> The way you ask your question, 'make it work without static ip or
> allowing all traffic', isn't that contradictory?
>
> As for the frag part, I'd say that if gre needs frag, then you will
> have to enable it.
>
> About the CVS, I seem to have misunderstood your question. I
> assumed 10.0.0.2 wanted to receive CVS inbound and not serve it
> outbound, or am I mistaken again?
>
> /Roger

Yes, that is what I meant by 'static ip'. I could allow all gre from the specific ip address, but I would prefer that gre traffic be allowed from a host only when an existing connection has been opened to it.

10.0.0.2 is a CVS server.

It seems to me that natd works better with ipsec
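As an added illustration of the two rule choices discussed in this thread (not a ruleset posted by either participant), here is an ipfilter fragment that places the wide-open GRE rule beside the restricted one. It assumes fxp1 is the external interface as in Roger's rule, uses 203.0.113.10 as a placeholder for the VPN server's address, and assumes the tunnel is PPTP (GRE plus a TCP 1723 control channel), which the thread does not state.

```conf
# /etc/ipf.conf fragment (added example; addresses and PPTP assumption are not from the thread)
# fxp1         = external interface (from the thread)
# 203.0.113.10 = placeholder for the VPN server address

# Weak: accepts GRE from every host on the Internet, not only the VPN peer.
# pass in quick on fxp1 proto gre from any to any

# Restricted: GRE only from the VPN server. "keep frags" records fragment
# information so fragmented GRE packets are not silently dropped.
pass in  quick on fxp1 proto gre from 203.0.113.10 to any keep frags
pass out quick on fxp1 proto gre from any to 203.0.113.10 keep frags

# Assumed PPTP control channel: outbound to TCP 1723 on the VPN server, with
# "keep state" so the replies come back without a separate inbound rule.
pass out quick on fxp1 proto tcp from any to 203.0.113.10 port = 1723 flags S keep state

# Anything inbound on fxp1 that no quick rule above accepted is dropped and logged.
block in log on fxp1 all
```

Load and check with `ipf -Fa -f /etc/ipf.conf` and `ipfstat -io`; hits on the final block rule show what is still being refused.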