Date: Mon, 02 Apr 2001 11:15:43 -0700
From: Crist Clark <cjclark@alum.mit.edu>
To: Ian Cartwright <ian351c@home.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSec VPN Client behind Firewall
Message-ID: <3AC8C1CF.30A5ACAD@alum.mit.edu>
References: <FCEJJHIBHGNJPCHBDMACEEBDCAAA.ian351c@home.com>
Ian Cartwright wrote:
>
> Hello All,
>
> I have been trying to install the Nortel Contivity Extranet Client on a
> Windows 2000 box behind my FreeBSD firewall. The firewall is FreeBSD-STABLE
> (as of about a month ago) with ipfw and nat running. After scanning as many
> newsgroups, mailing lists and web pages as I could find on the subject, I
> have still not found a way to do this... I have seen a couple of discussions in
> this newsgroup and a (hopefully) promising patch to ipfilter that may help
> me (and whoever else is out there with my problem)...
>
> The web page is: http://www.cs.ndsu.nodak.edu/~davlarso/ipf/
>
> Dave (the author of this patch) apparently has written an IPSec proxy module
> for ipfilter. Is there any way to incorporate this code into ipfw, which (if
> my understanding is correct, a small but real possibility ;-) is based on
> ipfilter source? If so, would this be the forum to put this request to? I am
> tempted to try to hack this in myself, but I don't understand how (if?) the
> ipfilter code relates to the ipfw code in the source tree.

This is really not an ipfw(8) issue, but rather a natd(8) one. Having said that, if you are just going to do ESP and we're doing standard IPsec, you need to poke a hole in the firewall for the ESP protocol (50) and IKE (500/udp) communications. natd(8) will handle the keying over UDP fine (since NAT of UDP and TCP are classics). As for ESP, last I knew, natd(8) will handle a single ESP association just fine.

I've never used the Nortel client, but I've tested a Cisco IPsec client from behind a NAT'ing FreeBSD firewall without problems (using both naked ESP and UDP encapsulated (bleh!) ESP). The most likely place for problems will be in the key exchange and it might take deep voodoo to get that to go.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
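The rule set Crist describes (divert to natd, then holes for ESP and IKE), written out as an added example that is not part of the original thread. The outside interface name, the LAN prefix and the rule numbers are assumptions; adjust them to the firewall in question.

```shell
#!/bin/sh
# Added example, not from the original thread: the natd(8)/ipfw(8) rule set that
# answers the question above. Interface, LAN prefix and rule numbers are assumed.

EXT_IF="${EXT_IF:-fxp0}"                 # assumed outside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed inside network

# Print the commands in evaluation order. Rule order matters: the divert rule
# must run first so outbound packets are translated (and inbound ones
# un-translated) before the pass rules below ever see them. Hence the outbound
# rules match "from any" (the source is already the firewall's address) and the
# inbound rules match the LAN host the reply was translated back to.
vpn_passthrough_rules() {
    cat <<EOF
natd -same_ports -interface $EXT_IF
ipfw add 1000 divert natd ip from any to any via $EXT_IF
ipfw add 2000 pass udp from any to any 500 out via $EXT_IF
ipfw add 2010 pass udp from any 500 to $LAN_NET 500 in via $EXT_IF
ipfw add 2020 pass esp from any to any out via $EXT_IF
ipfw add 2030 pass esp from any to $LAN_NET in via $EXT_IF
EOF
}

# -same_ports asks natd to keep the client's UDP source port 500 when it can;
# some IKE peers mishandle requests that do not arrive from port 500, which is
# a common cause of the key-exchange trouble mentioned above. Only one ESP
# association can be tracked this way, so a second LAN client will not work.

# Load the rules only on a real FreeBSD firewall, as root; otherwise dry-run.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
        vpn_passthrough_rules | sh -e
    else
        vpn_passthrough_rules    # dry run: just show what would be loaded
    fi
}
```

Run `apply_rules` on the firewall to load the rules, or anywhere else to see what would be loaded.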
