Date: Thu, 13 Nov 2003 15:23:47 -0500
From: "Thomas S. Crum" <tscrum@1wisp.com>
To: "'Vincent Goupil'" <vgoupil@alis.com>, <freebsd-ipfw@freebsd.org>, <freebsd-net@freebsd.org>, <freebsd-isp@freebsd.org>
Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_address)
Message-ID: <000701c3aa24$0e11fbb0$6252eb44@wolf>
In-Reply-To: <F7D4BDA0E5A1D14B99D32C022AEB7366FE109C@alis-2k.alis.domain>
It's my understanding that certain IPSEC does not encrypt the entire packet, leaving the header to be mangled by NAT or whatever and refused by the IPSEC machine that you are connecting to. I believe therein your problem lies.

Best,
Tom

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Vincent Goupil
Sent: Thursday, November 13, 2003 12:46 PM
To: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org'; 'freebsd-isp@freebsd.org'
Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address)

I set up a firewall with ipfw2 and natd on FreeBSD 4.9-RELEASE.

I have mapped my subnet with alias_address.
I have mapped 4 private IP addresses to 4 public IP addresses.

Everything is working fine (web, email, ftp, etc.) for outgoing and incoming connections for anyone on my network.

With this configuration, 5 people at a time (on my network) could dial to the same VPN server: 4 with different IPs and one with the alias_address. I suppose that only one person at a time can use the alias_address with the IPSec VPN (I think; tell me if I'm wrong).

I have authorized AH and ESP to pass through my firewall, and also incoming UDP 500.

I'm able to use the VPN for the people mapped with alias_address. I can't use the VPN with the people using redirect_address.

Is there any problem with the redirect_address directive with natd for protocols 51 and 51?

Is there any other way to have these 5 people communicate with the same VPN server at the same time? I thought that I could use redirect_address to do that, so the incoming connections to the VPN server appear from a different IP source address.

Vincent Goupil
Administrateur réseau / Network administrator
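Tom's point about the IP header being covered by the integrity check, shown for AH (protocol 51) as an added example that is not part of this thread: the AH ICV (HMAC-SHA1-96 per RFC 2404) is computed over the immutable fields of the outer IP header, so a router decrementing the TTL leaves it valid, while natd rewriting the source address (which both alias_address and redirect_address do) makes the peer reject the packet. The key, addresses and packet contents are constructed for the demo.

```python
import hashlib
import hmac
import struct
# Constructed demo key: a real AH key is negotiated by IKE and stored in the SA.
AH_KEY = b"constructed-demo-key-not-a-real-sa-key"
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): 160-bit MAC truncated to 96 bits

def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (AH zeroes it anyway)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src_b, dst_b)

def ah_immutable_view(ip_header: bytes) -> bytes:
    """Zero the IPv4 fields RFC 2402 treats as mutable in transit (TOS, flags/fragment
    offset, TTL, checksum). Addresses are not mutable, so a NAT rewrite breaks the ICV."""
    h = bytearray(ip_header)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(ip_header: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """AH ICV over: immutable IP header + AH header (ICV zeroed) + payload."""
    mac_input = ah_immutable_view(ip_header) + ah_fields + bytes(ICV_LEN) + payload
    return hmac.new(AH_KEY, mac_input, hashlib.sha1).digest()[:ICV_LEN]

def ah_verify(ip_header: bytes, ah_fields: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(ip_header, ah_fields, payload), icv)

def nat_rewrite_source(ip_header: bytes, new_src: str) -> bytes:
    """What natd does for alias_address/redirect_address: replace the source address."""
    h = bytearray(ip_header)
    h[12:16] = bytes(int(o) for o in new_src.split("."))
    return bytes(h)

def demo() -> tuple:
    """Returns (verifies_as_sent, verifies_after_ttl_decrement, verifies_after_nat)."""
    payload = b"constructed inner packet"
    # AH header: next header=UDP(17), payload len=(24/4)-2=4, reserved, SPI, sequence
    ah_fields = struct.pack("!BBHII", 17, 4, 0, 0x0000ABCD, 1)
    ip = build_ipv4_header("192.168.1.10", "203.0.113.5", 51, 20 + 24 + len(payload))
    icv = ah_icv(ip, ah_fields, payload)
    hop = bytearray(ip); hop[8] -= 1                  # router decrementing TTL: harmless
    natted = nat_rewrite_source(ip, "198.51.100.7")  # NAT rewriting the source: not
    return (ah_verify(ip, ah_fields, payload, icv),
            ah_verify(bytes(hop), ah_fields, payload, icv),
            ah_verify(natted, ah_fields, payload, icv))
```

ESP (protocol 50) does not include the outer IP header in its ICV, which is why the two IPsec protocols behave differently behind a NAT box.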