From: Chuck Swiger <cswiger@mac.com>
Date: Mon, 14 Aug 2006 11:53:04 -0700
To: jeff@norristechs.net
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?

On Aug 14, 2006, at 11:19 AM, Jeff Norris wrote:
> IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco,
> Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all
> IPSEC vpn clients are the same. I use one that uses UDP port 10000
> for nat traversal.
Cisco will use either 4500/udp or 10000/tcp; the former is supposed to be more friendly for NAT traversal. It also seems to want to use a high port in the 6xxxx range for a debug channel if you use the "connection diagnostics" via SDM on a Cisco VPN router.

I've done a fair amount of debugging this from both the client and the server side; you pretty much need to have the VPN endpoint (whether client or server) assigned a static IP for GRE protocol redirection to work, so if you are dealing with clients using dynamic IPs, you'll want to set up a static IP assignment via your DHCP server.

Place the following into /etc/natd.conf (if using IPFW+natd):

    redirect_proto gre A.B.C.D
    redirect_port tcp A.B.C.D:isakmp isakmp    # port 500
    redirect_port udp A.B.C.D:isakmp isakmp    # port 500
    redirect_port tcp A.B.C.D:pptp pptp        # port 1723
    redirect_port udp A.B.C.D:4500 4500
    redirect_port tcp A.B.C.D:10000 10000
    redirect_port udp A.B.C.D:62515 62515

...where, obviously, you would use the local IP address of the client or server instead of A.B.C.D.

The above also seems to work OK with the Sonicwall VPN client and Microsoft's VPN remote access ("terminal services"? or whatever it's called).

If you have multiple clients trying to use the VPN from behind NAT, note that you can only have one VPN endpoint per externally routable IP, so you will have to configure separate natd's for each one. You'd probably be better off terminating the VPNs on the NAT machine if that is the case...

-- 
-Chuck
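An added check, not part of Chuck's message, that parses the natd.conf redirect_proto/redirect_port lines above and flags the collision he warns about: two internal endpoints behind one external IP both claiming the GRE protocol or the same external port. The sample configuration and the 192.168.1.x addresses are constructed, and the small service-name table stands in for the /etc/services lookup natd performs.

```python
"""Lint natd.conf redirect rules for VPN pass-through conflicts."""
import re
from collections import defaultdict

# Service names natd accepts instead of numeric ports (assumed subset of /etc/services).
SERVICE_PORTS = {"isakmp": 500, "pptp": 1723, "ipsec-nat-t": 4500}

# Constructed sample: the rules from the post for one endpoint (192.168.1.10),
# plus a second endpoint (192.168.1.11) that collides on GRE and 4500/udp.
SAMPLE_NATD_CONF = """\
redirect_proto gre 192.168.1.10
redirect_port tcp 192.168.1.10:isakmp isakmp   # port 500
redirect_port udp 192.168.1.10:isakmp isakmp   # port 500
redirect_port tcp 192.168.1.10:pptp pptp       # port 1723
redirect_port udp 192.168.1.10:4500 4500
redirect_port tcp 192.168.1.10:10000 10000
redirect_port udp 192.168.1.10:62515 62515
redirect_proto gre 192.168.1.11
redirect_port udp 192.168.1.11:4500 4500
"""

def to_port(token):
    """Resolve a numeric port or a service name to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def parse_redirects(text):
    """Return (kind, proto, internal_host, external_port) tuples; port is None for redirect_proto."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "redirect_proto":         # redirect_proto proto localIP [publicIP [remoteIP]]
            rules.append(("proto", fields[1], fields[2], None))
        elif fields[0] == "redirect_port":        # redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
            proto, target, alias = fields[1], fields[2], fields[3]
            host = target.rpartition(":")[0]
            rules.append(("port", proto, host, to_port(alias.rpartition(":")[2])))
    return rules

def find_conflicts(rules):
    """Each external (proto, port), or each raw protocol, may map to only one internal host."""
    targets = defaultdict(set)
    for kind, proto, host, port in rules:
        key = (proto, port) if kind == "port" else (proto, "proto")
        targets[key].add(host)
    return sorted((k for k, hosts in targets.items() if len(hosts) > 1), key=str)

if __name__ == "__main__":
    for proto, port in find_conflicts(parse_redirects(SAMPLE_NATD_CONF)):
        print(f"conflict: {proto}/{port} is redirected to more than one internal host")
```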