From: Guy Middleton <guy@obstruction.com>
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 16:53:48 -0400
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030430165348.A23754@chaos.obstruction.com>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
List-Id: Security issues [members-only posting]

On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton writes:
> 
> > I have a FreeBSD box acting as a firewall and NAT gateway
> > 
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> > 
> > Is there a way to do this? I can't find any hints in the man pages.
> 
> It's impossible. IPSEC can't be passed through a NAT.
> 
> The best you could do would be to terminate the tunnel on the gateway itself.

Ok, now I'm confused.

The same client (Cisco VPN 3.5 on Windows) works through a LinkSys router / NAT gateway (a BEFSR81) at a different location. The LinkSys even has a friendly little check-box to allow IPSec pass-through. I would like the FreeBSD gateway to work the same way as the LinkSys.
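The disagreement in this thread comes down to what a NAT gateway can actually see in IPsec traffic. The following Python script is an added illustration, not part of the original message or of any FreeBSD code: it builds a few constructed IPv4 packets (IKE over UDP, ESP, and AH, using RFC 5737 documentation addresses) and shows which fields a translating gateway could key a mapping on. The packet builder, the `classify` and `nat_mapping_key` helpers and the sample values are all assumptions made for this example.

```python
import socket
import struct

# IANA protocol numbers and the IKE port (real values, not from the thread).
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Build a minimal IPv4 header (no options, checksum left zero) in front of
    payload. Used only to construct the sample packets below."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,          # version 4, IHL 5
                      0, total_len,  # DSCP/ECN, total length
                      0, 0,          # identification, flags/fragment offset
                      64, proto, 0,  # TTL, protocol, header checksum (unset)
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def classify(pkt):
    """Describe what a NAT gateway can see in one IPv4 packet: the protocol,
    the ports (if any) and the IPsec SPI (if any)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        # ESP: SPI (4 bytes), sequence number (4 bytes), then encrypted data.
        spi, _seq = struct.unpack("!II", payload[:8])
        return {"kind": "ESP", "spi": spi, "ports": None}
    if proto == IPPROTO_AH:
        # AH: next header (1), payload len (1), reserved (2), SPI (4), seq (4).
        spi = struct.unpack("!I", payload[4:8])[0]
        return {"kind": "AH", "spi": spi, "ports": None}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        kind = "IKE" if IKE_PORT in (sport, dport) else "UDP"
        return {"kind": kind, "spi": None, "ports": (sport, dport)}
    return {"kind": "other", "spi": None, "ports": None}


def nat_mapping_key(pkt):
    """Return the tuple a NAT could use to match traffic to an inside host,
    or None when the packet cannot be translated at all.
    - UDP/IKE: the usual (protocol, ports) tuple.
    - ESP: no ports, so only the SPI identifies the flow; ESP's integrity
      check does not cover the outer IP header, so rewriting addresses works.
    - AH: the authenticated data covers the IP source/destination addresses,
      so any rewrite invalidates the packet."""
    info = classify(pkt)
    if info["kind"] in ("IKE", "UDP"):
        return (IPPROTO_UDP,) + info["ports"]
    if info["kind"] == "ESP":
        return (IPPROTO_ESP, info["spi"])
    return None


def sample_packets():
    """Constructed sample packets; SPI and port values are made up for the demo."""
    esp = build_ipv4(IPPROTO_ESP,
                     struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 16)
    ah = build_ipv4(IPPROTO_AH,
                    struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x2000BEEF, 1) + b"\x00" * 12)
    ike = build_ipv4(IPPROTO_UDP,
                     struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + 28, 0) + b"\x00" * 28)
    return {"esp": esp, "ah": ah, "ike": ike}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, classify(pkt), nat_mapping_key(pkt))
```

The SPI-keyed mapping is what consumer "IPsec pass-through" features rely on: IKE is ordinary UDP and translates like any other UDP flow, and ESP can be forwarded by remembering which inside host last sent ESP to a given peer. It is a heuristic rather than a real port mapping, because the inbound SPI is chosen by the remote peer and is not visible to the gateway until the first inbound packet arrives, so two inside hosts talking to the same peer are ambiguous. AH gets no key at all, since its integrity check covers the addresses the NAT would have to rewrite.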