Date: Thu, 14 Feb 2008 11:32:54 -0800
From: Chuck Swiger <cswiger@mac.com>
To: Nerius Landys <nlandys@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: PF firewall NAT and Windows IPSEC tunnel
Message-ID: <67B51E18-9FE1-410E-B128-809608B52C7C@mac.com>
In-Reply-To: <560f92640802140959u69cce9dbuef5c59738a946685@mail.gmail.com>
References: <560f92640802140959u69cce9dbuef5c59738a946685@mail.gmail.com>
Hi--

On Feb 14, 2008, at 9:59 AM, Nerius Landys wrote:
> Howdy folks. I have several computers behind a FreeBSD router (NAT
> 192.168.0.x using OpenBSD's PF). One of those computers is a Windows
> machine which is using software called "Cisco Systems VPN Client" to
> connect to some other computers outside of our internal network.

[ ... ]

> The following ports should be allowed through the local firewall:
> UDP port 500, port 10000
> ESP all ports
> AH all ports

When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd and not PF, but you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 10000/tcp, and the GRE protocol. In my case, /etc/natd.conf contained:

punch_fw 10000:100
redirect_proto gre 10.1.1.247
redirect_port udp 10.1.1.247:500 500
redirect_port udp 10.1.1.247:4500 4500
redirect_port udp 10.1.1.247:62515 62515
redirect_port tcp 10.1.1.247:10000 10000
redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

-- 
-Chuck
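The original question was about PF, while the reply answers with natd. As an added example (not code from either participant), the following script translates the natd.conf `redirect_port` / `redirect_proto` directives quoted in the reply into the equivalent PF `rdr` rules of the era (the pre-OpenBSD-4.7 syntax that FreeBSD's PF used in 2008). The external interface name `ext_if` is an assumption; the input config is the one from the message, embedded as a constructed string. `punch_fw` is IPFW-specific rule punching and has no PF counterpart, so it is emitted as a comment: with `rdr pass` PF creates state for the redirected flow itself.

```python
"""Translate natd.conf redirect directives into PF 'rdr' rules (added example)."""

# Constructed input: the /etc/natd.conf contents quoted in the reply, verbatim.
NATD_CONF = """\
punch_fw 10000:100
redirect_proto gre 10.1.1.247
redirect_port udp 10.1.1.247:500 500
redirect_port udp 10.1.1.247:4500 4500
redirect_port udp 10.1.1.247:62515 62515
redirect_port tcp 10.1.1.247:10000 10000
redirect_port tcp 10.1.1.247:pptp pptp
"""


def _pf_port(spec):
    """natd writes port ranges as 'lo-hi'; PF writes them as 'lo:hi'.
    Single ports and service names (e.g. 'pptp') pass through unchanged."""
    return spec.replace("-", ":")


def translate_line(line, ext_if="ext_if"):
    """Return the pf.conf line for one natd.conf directive, or None for blank/comment lines.

    ext_if is an assumed PF macro name for the outside interface."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    words = line.split()
    keyword = words[0]

    if keyword == "redirect_port":
        # natd: redirect_port proto targetIP:targetPort [aliasIP:]aliasPort [remoteIP]
        proto, target, alias = words[1], words[2], words[3]
        target_ip, target_port = target.rsplit(":", 1)
        # An explicit alias IP narrows the rule to that public address; otherwise
        # match on whatever address the external interface currently holds.
        if ":" in alias:
            alias_ip, alias_port = alias.rsplit(":", 1)
        else:
            alias_ip, alias_port = f"(${ext_if})", alias
        src = words[4] if len(words) > 4 else "any"
        return (f"rdr pass on ${ext_if} proto {proto} from {src} to {alias_ip} "
                f"port {_pf_port(alias_port)} -> {target_ip} port {_pf_port(target_port)}")

    if keyword == "redirect_proto":
        # natd: redirect_proto proto localIP [publicIP [remoteIP]]
        proto, target_ip = words[1], words[2]
        alias_ip = words[3] if len(words) > 3 else f"(${ext_if})"
        src = words[4] if len(words) > 4 else "any"
        return f"rdr pass on ${ext_if} proto {proto} from {src} to {alias_ip} -> {target_ip}"

    if keyword == "punch_fw":
        # IPFW rule punching: PF needs no equivalent because 'rdr pass' keeps state.
        return f"# natd '{line}' has no PF equivalent; 'rdr pass' creates state itself"

    raise ValueError(f"unsupported natd.conf directive: {line!r}")


def translate(natd_text, ext_if="ext_if"):
    """Translate a whole natd.conf, returning the list of pf.conf lines in order."""
    rules = []
    for raw in natd_text.splitlines():
        out = translate_line(raw, ext_if)
        if out is not None:
            rules.append(out)
    return rules


if __name__ == "__main__":
    print(f"ext_if = \"em0\"   # assumed interface name")
    for rule in translate(NATD_CONF):
        print(rule)
```

In pf.conf the emitted `rdr` lines belong in the translation section, before any filter rules, and the `ext_if` macro must be defined above them. Note that the reply's list of protocols does not include ESP or AH from the quoted question; with PF the same `rdr pass ... proto esp` form would forward ESP to a single internal host.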