Date: Mon, 14 Aug 2006 11:53:04 -0700
From: Chuck Swiger <cswiger@mac.com>
To: jeff@norristechs.net
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <DFFD05B9-3A23-403E-95D4-28DB53621643@mac.com>
In-Reply-To: <200608141219.AA2031742@mail.norristechs.net>
References: <200608141219.AA2031742@mail.norristechs.net>
On Aug 14, 2006, at 11:19 AM, Jeff Norris wrote:

> IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco,
> Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all
> IPSEC vpn clients are the same. I use one that uses UDP port 10000
> for nat traversal.

Cisco will use either 4500/udp or 10000/tcp; the former is supposed to be more friendly for NAT traversal. It also seems to want to use a high port in the 6xxxx range for a debug channel if you use the "connection diagnostics" via SDM on a Cisco VPN router.

I've done a fair amount of debugging this from both the client and the server side; you pretty much need to have the VPN endpoint (whether client or server) assigned a static IP for GRE protocol redirection to work, so if you are dealing with clients using dynamic IPs, you'll want to set up a static IP assignment via your DHCP server.

Place the following into /etc/natd.conf (if using IPFW+natd):

    redirect_proto gre A.B.C.D
    redirect_port tcp A.B.C.D:isakmp isakmp   # port 500
    redirect_port udp A.B.C.D:isakmp isakmp   # port 500
    redirect_port tcp A.B.C.D:pptp pptp       # port 1723
    redirect_port udp A.B.C.D:4500 4500
    redirect_port tcp A.B.C.D:10000 10000
    redirect_port udp A.B.C.D:62515 62515

...where, obviously, you would use the local IP address of the client or server instead of A.B.C.D.

The above also seems to work OK with the Sonicwall VPN client and Microsoft's VPN remote access ("terminal services"? or whatever it's called).

If you have multiple clients trying to use the VPN from behind NAT, note that you can only have one VPN endpoint per externally routable IP, so you will have to configure separate natd's for each one. You'd probably be better off terminating the VPNs on the NAT machine if that is the case...

--
-Chuck
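A small checker for the natd.conf redirect rules above, added here as an example and not part of the thread or of natd itself: it parses redirect_proto/redirect_port lines and reports any external (protocol, port) that has been pointed at more than one internal host, which is exactly the "one VPN endpoint per external IP" limit Chuck describes. The sample config, the 192.168.1.x addresses and the service-name table are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: rules for two internal VPN endpoints that were
# merged into a single natd.conf, which natd cannot serve correctly.
NATD_CONF = """\
redirect_proto gre 192.168.1.10
redirect_port tcp 192.168.1.10:isakmp isakmp   # port 500
redirect_port udp 192.168.1.10:isakmp isakmp   # port 500
redirect_port udp 192.168.1.10:4500 4500
redirect_port udp 192.168.1.20:4500 4500       # second endpoint, clashes
redirect_proto gre 192.168.1.20
"""

# Minimal /etc/services lookup for the names used in the thread (assumption).
SERVICES = {"isakmp": 500, "pptp": 1723}

def port_num(token):
    """Resolve a service name or numeric port string to an int."""
    return SERVICES.get(token) or int(token)

def parse_natd(text):
    """Return a list of (kind, proto, internal_ip, external_port) tuples.
    external_port is None for redirect_proto rules (whole IP protocol)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "redirect_proto":        # redirect_proto proto localIP
            rules.append(("proto", parts[1], parts[2], None))
        elif parts[0] == "redirect_port":       # redirect_port proto ip:port aliasPort
            proto, target, ext = parts[1], parts[2], parts[3]
            ip, _, _port = target.rpartition(":")
            rules.append(("port", proto, ip, port_num(ext)))
    return rules

def find_conflicts(rules):
    """Group rules by the external key they claim; any key mapped to more
    than one internal host is a conflict and needs its own natd instance."""
    targets = defaultdict(set)
    for kind, proto, ip, port in rules:
        targets[(kind, proto, port)].add(ip)
    return {k: sorted(v) for k, v in targets.items() if len(v) > 1}

if __name__ == "__main__":
    for key, hosts in find_conflicts(parse_natd(NATD_CONF)).items():
        print("conflict:", key, "->", hosts)
```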