From: VANHULLEBUS Yvan
To: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 16:49:36 +0200
Subject: Re: NAT-T support in FreeBSD + PF
Message-ID: <20070424144936.GA11566@zen.inc>
In-Reply-To: <462DFB71.5050003@attglobal.net>

On Tue, Apr 24, 2007 at 08:43:29PM +0800, John Mok wrote:
> Hi,

Hi.

> I would like to build a NAT firewall box using FreeBSD + PF at work.
> However, I hope someone could advise if PF could support NAT-T, such
> that the IPSec client connections (e.g. a visitor notebook with IPSec
> client) inside the company Intranet could successfully connect passing
> through the NAT box to the Internet IPSec gateway (e.g. the home network
> of a visitor).
Your PF will "just" see two UDP pseudo-sessions (one on dport 500 for the beginning of the negotiation, one on dport 4500 for all the remaining negotiations and for all traffic), so there is no need for specific NAT-T support; you just need to allow outgoing UDP traffic to port 500/4500, and incoming replies.

That was the main goal of NAT-T: routers/NAT devices on the way just have to work as usual....

Yvan.

-- 
NETASQ
http://www.netasq.com
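As an added illustration of Yvan's point (not code from the thread), here is a minimal pf.conf for a NAT box that lets internal IPsec clients reach an external gateway through NAT-T. The interface names and the LAN prefix are assumptions chosen for the example.

```pf
# Added example, not from the original thread. Interface names and the
# LAN prefix below are assumed values; adjust them to the real box.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.0.0/24"

# Translate everything leaving the LAN to the firewall's external address.
# pf picks a distinct source port per client mapping, so several clients
# can sit behind the same NAT even though they all talk to dport 500/4500.
nat on $ext_if from $lan to any -> ($ext_if)

block all
pass quick on lo0

# IKE phase 1 starts on UDP/500. Once both peers detect the NAT they move
# to UDP/4500 (UDP-encapsulated IKE and ESP, RFC 3948). "keep state" is
# what lets the replies back in; no separate inbound rules are needed.
# The UDP/4500 state stays alive because NAT-T clients send periodic
# keepalives, well inside pf's default UDP state timeouts.
pass in  on $int_if proto udp from $lan      to any port { 500, 4500 } keep state
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state

# Ordinary LAN traffic.
pass in  on $int_if from $lan      to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

After a client connects, `pfctl -ss` should show exactly the two UDP state entries Yvan describes, one to port 500 and one to port 4500; if only the 500 entry appears, the peers never completed NAT detection and the 4500 rule is not being exercised.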