From owner-freebsd-net@FreeBSD.ORG Thu Feb 14 19:32:55 2008
From: Chuck Swiger <cswiger@mac.com>
To: Nerius Landys
Cc: freebsd-net@freebsd.org
Subject: Re: PF firewall NAT and Windows IPSEC tunnel
Date: Thu, 14 Feb 2008 11:32:54 -0800
Message-Id: <67B51E18-9FE1-410E-B128-809608B52C7C@mac.com>
In-Reply-To: <560f92640802140959u69cce9dbuef5c59738a946685@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi--

On Feb 14, 2008, at 9:59 AM, Nerius Landys wrote:
> Howdy folks.
> I have several computers behind a FreeBSD router (NAT
> 192.168.0.x using OpenBSD's PF). One of those computers is a Windows
> machine which is using software called "Cisco Systems VPN Client" to
> connect to some other computers outside of our internal network.

[ ... ]

> The following ports should be allowed through the local firewall:
> UDP port 500, port 10000
> ESP all ports
> AH all ports

When I was dealing with the Cisco VPN client, I was doing so with IPFW
+natd and not PF, but you need 500/udp, 4500/udp, 62515/udp, 1723/tcp,
10000/tcp, and the GRE protocol. In my case, /etc/natd.conf contained:

  punch_fw 10000:100
  redirect_proto gre 10.1.1.247
  redirect_port udp 10.1.1.247:500 500
  redirect_port udp 10.1.1.247:4500 4500
  redirect_port udp 10.1.1.247:62515 62515
  redirect_port tcp 10.1.1.247:10000 10000
  redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

-- 
-Chuck
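Since the original poster is on PF rather than IPFW+natd, the following is an added pf.conf fragment translating Chuck's natd.conf rules into PF syntax for the poster's 192.168.0.x network. It is not from the thread and was not posted by either participant. The interface names (em0, fxp0), the internal network 192.168.0.0/24 and the VPN client address 192.168.0.10 are assumptions standing in for the poster's real values (Chuck's endpoint was 10.1.1.247). It includes 10000/udp from the poster's list as well as 10000/tcp from Chuck's, since the Cisco client can be configured for either IPsec-over-UDP or IPsec-over-TCP.

```pf
# Added example: PF equivalent of the natd.conf rules in the reply
# above. Not from the original thread.
# Assumptions (not in the thread): external interface em0, internal
# interface fxp0, LAN 192.168.0.0/24, Cisco VPN client at 192.168.0.10.
ext_if     = "em0"
int_if     = "fxp0"
int_net    = "192.168.0.0/24"
vpn_client = "192.168.0.10"

# Ports from the reply (500, 4500, 62515 udp; 10000, pptp tcp) plus
# 10000/udp from the poster's own list.
vpn_udp_ports = "{ 500, 4500, 62515, 10000 }"
vpn_tcp_ports = "{ 10000, pptp }"

scrub in all

# Ordinary outbound NAT for the LAN. PF keeps state for every
# translated connection, so replies to traffic the client initiates
# (IKE on 500/udp, NAT-T on 4500/udp) come back without any rdr.
nat on $ext_if from $int_net to any -> ($ext_if)

# Equivalent of natd's redirect_port / redirect_proto lines: send
# inbound traffic for the VPN ports, and for the port-less protocols
# GRE, ESP and AH, to the one client. Because ESP and AH carry no
# port numbers there is nothing to rewrite per host, so exactly as
# with natd only one inside machine can own these redirections;
# several clients need NAT-T (4500/udp) or IPsec-over-TCP instead.
# With no target port given, rdr preserves the original port.
rdr on $ext_if proto udp from any to ($ext_if) port $vpn_udp_ports -> $vpn_client
rdr on $ext_if proto tcp from any to ($ext_if) port $vpn_tcp_ports -> $vpn_client
rdr on $ext_if proto { gre, esp, ah } from any to ($ext_if) -> $vpn_client

# Filtering. natd's punch_fw opened IPFW holes dynamically; in PF the
# stateful pass rules do that job. Filter rules see the post-rdr
# (translated) destination, hence "to $vpn_client".
block in log on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto udp from any to $vpn_client port $vpn_udp_ports keep state
pass in on $ext_if proto tcp from any to $vpn_client port $vpn_tcp_ports flags S/SA keep state
pass in on $ext_if proto { gre, esp, ah } from any to $vpn_client keep state
pass in on $int_if from $int_net to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; once the client connects, `pfctl -s state | grep 192.168.0.10` should show udp states on 500 and 4500 (or tcp 10000) followed by an esp state if NAT-T is not negotiated. If the tunnel comes up but no traffic flows, the missing state is almost always the ESP one, which means the client is sending raw ESP and the rdr above is what carries it to the single inside host.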