From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 15:13:23 2003
Date: Wed, 30 Apr 2003 16:13:54 -0600
From: Tillman <tillman@seekingfire.com>
To: freebsd-security@freebsd.org
Message-ID: <20030430161354.I1447@seekingfire.com>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org> <20030430165348.A23754@chaos.obstruction.com>
In-Reply-To: <20030430165348.A23754@chaos.obstruction.com>; from guy@obstruction.com on Wed, Apr 30, 2003 at 04:53:48PM -0400
User-Agent: Mutt/1.2.5.1i
X-Urban-Legend: There is lots of hidden information in headers
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
On Wed, Apr 30, 2003 at 04:53:48PM -0400, Guy Middleton wrote:
> On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> > Guy Middleton writes:
> >
> > > I have a FreeBSD box acting as a firewall and NAT gateway
> > >
> > > I would like to set it up to transparently pass IPSec packets -- I have
> > > an IPSec VPN client running on another machine, connecting to a remote network.
> > >
> > > Is there a way to do this? I can't find any hints in the man pages.
> >
> > It's impossible. IPSEC can't be passed through a NAT.
> >
> > The best you could do would be to terminate the tunnel on the gateway itself.
>
> Ok, now I'm confused. The same client (Cisco VPN 3.5 on Windows) works
> through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
> The LinkSys even has a friendly little check-box to allow IPSec pass-through.
>
> I would like the FreeBSD gateway to work the same way as the LinkSys.

Cisco VPN has an option to encapsulate the tunnel in UDP packets. You'll want
to find out which UDP is being used and ensure that it's NATed.

- Tillman

-- 
The prayer of the monk is not perfect until he no longer recognizes himself
or the fact that he is praying.
St. Anthony
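An added illustration of the "find out which UDP is being used" step, written for this archive page and not part of the original thread: it sorts tcpdump-style lines from the gateway's inside interface into IKE (UDP 500), other UDP ports to the VPN peer (the candidate encapsulation port) and raw ESP/AH, which carries no port numbers and so cannot be port-translated by natd, then renders the ipfw allow rules for the ports it found. The capture format, the addresses and the encapsulation port 10000 in the sample are constructed assumptions; the ipfw rule syntax follows ipfw(8) and is not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's "src.port > dst.port:" style (format assumed).
# 192.168.23.211 is the VPN client behind the gateway, 203.0.113.5 the remote peer.
SAMPLE_CAPTURE = """\
16:13:54.10 192.168.23.211.500 > 203.0.113.5.500: isakmp: phase 1 I ident
16:13:54.20 203.0.113.5.500 > 192.168.23.211.500: isakmp: phase 1 R ident
16:13:55.00 192.168.23.211 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x1)
16:13:56.00 192.168.23.211.1025 > 203.0.113.5.10000: udp 132
16:13:56.10 203.0.113.5.10000 > 192.168.23.211.1025: udp 116
"""

IP = r"(\d+(?:\.\d+){3})"
PORTED = re.compile(IP + r"\.(\d+) > " + IP + r"\.(\d+): (isakmp|udp)\b")
RAW = re.compile(IP + r" > " + IP + r": (ESP|AH)\b")

def classify(capture, client_ip):
    """Per remote peer: IKE ports, other UDP ports (the peer's side), and raw
    IPsec protocols seen. Raw ESP/AH has no ports, so natd cannot PAT it."""
    peers = defaultdict(lambda: {"ike": set(), "udp": set(), "raw": set()})
    for line in capture.splitlines():
        m = PORTED.search(line)
        if m:
            src, sport, dst, dport, _proto = m.groups()
            if src == client_ip:
                peer, pport = dst, int(dport)   # client -> peer: peer's dst port
            elif dst == client_ip:
                peer, pport = src, int(sport)   # peer -> client: peer's src port
            else:
                continue
            peers[peer]["ike" if pport == 500 else "udp"].add(pport)
            continue
        m = RAW.search(line)
        if m:
            src, dst, proto = m.groups()
            peers[dst if src == client_ip else src]["raw"].add(proto)
    return dict(peers)

def ipfw_rules(report, client_ip):
    """ipfw allow rules (both directions) for every UDP port found; they belong
    after the natd divert rule and before any final deny in the rule set."""
    rules = []
    for peer, info in sorted(report.items()):
        for port in sorted(info["ike"] | info["udp"]):
            rules.append(f"allow udp from {client_ip} to {peer} {port}")
            rules.append(f"allow udp from {peer} {port} to {client_ip}")
    return rules

if __name__ == "__main__":
    report = classify(SAMPLE_CAPTURE, "192.168.23.211")
    for peer, info in report.items():
        if info["raw"]:
            print(f"{peer}: raw {sorted(info['raw'])} seen; natd cannot translate it,"
                  " enable the client's UDP encapsulation instead")
    print("\n".join(ipfw_rules(report, "192.168.23.211")))
```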