From: Jonathan Belson <jon@witchspace.com>
To: freebsd-questions@freebsd.org
Date: Mon, 10 Aug 2009 21:31:15 +0100
Message-ID: <4A808393.80501@witchspace.com>
Subject: ipfw, NAT and CISCO IPSec VPNs

Hiya

I've got a pretty standard network which uses a FreeBSD server to perform NAT between my internal IPs (192.168.0.x) and the outside world. Everything is working tickety-boo, but I'm trying to tweak my firewall rules (ipfw, based on the 'SsIiMmPpLlEe' firewall template in rc.firewall) to allow a CISCO IPSec-based VPN client on a local machine to connect to a remote server (tunnel).

tcpdump shows that the client attempts to send packets to the remote VPN server on port 500 (isakmp) as you'd expect, but it's not getting any packets back and so the connection fails.

The following suggests that you can solve the problem by not changing the source port of the NATed packets, but gives a sample using pf:

http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008749.html

Other posts I've read say you can simply forward packets from the remote VPN server to the machine running the VPN client, but (needless to say) I haven't been able to get this to work:

http://groups.google.com/group/comp.unix.bsd/browse_thread/thread/85d775a73e352aa5/f62e6b0d67b2d576

Any suggestions from people who have done similar before?

Cheers,

--Jon
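The ipfw counterpart of the pf "keep the source port" approach described in the post, as an added example that is not from the original message or from rc.firewall: it uses ipfw's in-kernel NAT (available since FreeBSD 7.0) with the `same_ports` option so UDP 500 leaves the NAT still numbered 500, plus the pass rules the VPN client's traffic needs. It assumes em0 is the outside interface, 192.168.0.0/24 is the inside network, the rule numbers sit before the template's deny rules, and `net.inet.ip.fw.one_pass` is 0 (which the ipfw rc script sets when in-kernel NAT is enabled) so packets continue to the rules after the nat rule.

```shell
# Added example, not part of the original post. Loads ipfw rules, in the
# style of rc.firewall's "simple" template, for a Cisco IPsec client behind
# an ipfw in-kernel NAT. Assumed: outside interface em0, inside net
# 192.168.0.0/24, sysctl net.inet.ip.fw.one_pass=0.
#
# Usage: load_vpn_nat_rules /sbin/ipfw em0 192.168.0.0/24
# Pass "echo" instead of /sbin/ipfw to print the rules without loading them.
load_vpn_nat_rules() {
    fwcmd="$1"   # /sbin/ipfw, or echo for a dry run
    oif="$2"     # outside (NAT) interface
    inet="$3"    # inside network, CIDR form

    # NAT instance 1 on the outside interface.
    #   same_ports  - try to leave the source port unchanged, so ISAKMP goes
    #                 out as UDP 500 -> 500 (the pf "static-port" idea).
    #   unreg_only  - only translate RFC 1918 (private) source addresses.
    $fwcmd nat 1 config if "$oif" same_ports unreg_only

    # Everything crossing the outside interface passes through the NAT;
    # with one_pass=0 the translated packet continues at the next rule.
    $fwcmd add 100 nat 1 ip4 from any to any via "$oif"

    # Outbound ISAKMP (UDP 500) and NAT-T (UDP 4500) from the inside network
    # are already translated when they reach this rule, hence "from any".
    $fwcmd add 200 allow udp from any to any 500,4500 out via "$oif"

    # Inbound replies from the remote gateway have been un-NATed back to the
    # inside client by rule 100, so restrict them to the inside network and
    # to the IKE/NAT-T ports rather than opening UDP 500 to the server itself.
    $fwcmd add 210 allow udp from any 500,4500 to "$inet" 500,4500 in via "$oif"

    # Raw ESP (IP protocol 50) carries no ports and cannot be translated by a
    # port-based NAT; a client that detects NAT should negotiate NAT-T and
    # carry ESP inside UDP 4500, which rules 200/210 already cover.
    return 0
}
```

Run it from the firewall script after the template's flush; a dry run with `echo` as the first argument shows exactly which rules would be loaded.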