From: VANHULLEBUS Yvan <vanhu@zeninc.net>
To: Gabe
Cc: freebsd-net@freebsd.org
Date: Thu, 11 Dec 2008 13:39:58 +0100
Subject: Re: NAT-T + ipsec integration
Message-ID: <20081211123958.GA5332@zeninc.net>
In-Reply-To: <20081211122828.CF3958FC16@mx1.freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Dec 11, 2008 at 04:02:01AM -0800, Gabe wrote:
> Hello all

Hi.

> Does anyone know how to enable NAT traversal on FreeBSD?
>
> I've got a site-to-site IPsec tunnel set up, but clients behind the
> NAT can't VPN through it. Any help would be appreciated.

Actually, you can apply a patch to src/sys and recompile your kernel with the IPSEC_NAT_T option.

Patches are available here: http://people.freebsd.org/~vanhu/NAT-T/

You can also try to play with the Perforce branch, but it is still work in progress to have a cleaned-up version of the PFKey interface (it may work, but I have just started to set up some testing hosts).

To answer the question some people may ask in this thread: the whole patch should be included in TRUNK as soon as the PFKey cleanup is done (which means "implemented + heavily tested + reviewed").

Yvan.
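The kernel-side procedure Yvan describes (patch src/sys, rebuild the kernel with IPSEC_NAT_T) as a shell script. This is an added example, not code from the original message or from the FreeBSD project. The patch file name, the patch -p level, the kernel config name NATT, and the use of INCLUDE_CONFIG_FILE together with sysctl kern.conftxt as the post-boot check are all my assumptions; IPSEC, IPSEC_NAT_T and device crypto are the only kernel options the page itself supports or that IPsec needs.

```shell
#!/bin/sh
# Added example (not from the original message or the FreeBSD project):
# enable kernel NAT-T on a 2008-era FreeBSD source tree, following the
# steps in Yvan's reply: patch src/sys, rebuild with IPSEC_NAT_T.
# Assumptions: PATCHFILE name, the -p level (check the paths in the
# patch header), the KERNCONF name, and INCLUDE_CONFIG_FILE/kern.conftxt
# as the way to verify the running kernel after reboot.
set -eu

SRC=${SRC:-/usr/src}
ARCH=${ARCH:-$(uname -m 2>/dev/null || echo i386)}
KERNCONF=${KERNCONF:-NATT}
PATCHFILE=${PATCHFILE:-/root/natt.diff}   # assumed placeholder name

# Print a kernel config that inherits GENERIC and adds the options
# NAT-T needs. IPSEC_NAT_T is the option the patch introduces; IPSEC and
# device crypto are required for IPsec at all.
gen_kernconf() {
    cat <<EOF
include GENERIC
ident ${KERNCONF}

options IPSEC
options IPSEC_NAT_T
device  crypto

# Embed the config text in the kernel so it can be read back with
# sysctl kern.conftxt after boot (assumed verification method).
options INCLUDE_CONFIG_FILE
EOF
}

# Apply the NAT-T diff to src/sys. Run a check pass (-C) first so a
# rejected hunk never leaves the tree half-patched.
apply_patch() {
    cd "$SRC"
    patch -C -p0 < "$PATCHFILE"   # -p0 is an assumption; verify against the diff headers
    patch -p0 < "$PATCHFILE"
}

# Write the config, then build and install the kernel.
build_kernel() {
    gen_kernconf > "$SRC/sys/$ARCH/conf/$KERNCONF"
    cd "$SRC"
    make buildkernel KERNCONF="$KERNCONF"
    make installkernel KERNCONF="$KERNCONF"
    echo "reboot into the new kernel, then run: $0 verify"
}

# After reboot: confirm the running kernel was built with IPSEC_NAT_T.
# Exits non-zero if the option is absent.
verify_nat_t() {
    sysctl -n kern.conftxt | grep -q '^options[[:space:]]*IPSEC_NAT_T'
}

# Pure check on the generated config text; needs no FreeBSD tools, so it
# can be run anywhere to confirm the config says what we think it says.
kernconf_has() {
    gen_kernconf | grep -q "^options[[:space:]]*$1\$"
}

case "${1:-}" in
    patch)  apply_patch ;;
    build)  build_kernel ;;
    verify) verify_nat_t ;;
    *)      : ;;   # no argument: only define the functions
esac
```

Run it as `sh natt.sh patch`, then `sh natt.sh build`, reboot, then `sh natt.sh verify`. The patch Yvan points to covers only the kernel (src/sys); the IKE daemon on the box must also negotiate NAT-T with its peer, and nothing in this script configures that side.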