From owner-freebsd-net@FreeBSD.ORG Thu Apr 24 18:10:41 2008
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4DC04106564A for ; Thu, 24 Apr 2008 18:10:41 +0000 (UTC) (envelope-from baldur@foo.is)
Received: from gremlin.foo.is (gremlin.foo.is [194.105.250.10]) by mx1.freebsd.org (Postfix) with ESMTP id 1EBB48FC1D for ; Thu, 24 Apr 2008 18:10:41 +0000 (UTC) (envelope-from baldur@foo.is)
Received: from 127.0.0.1 (localhost.foo.is [127.0.0.1]) by injector.foo.is (Postfix) with SMTP id 25120DA883; Thu, 24 Apr 2008 18:10:39 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on gremlin.foo.is
X-Spam-Status: No, score=-2.6 required=6.0 tests=BAYES_00,NO_RELAYS autolearn=ham version=3.1.7
Received: by gremlin.foo.is (Postfix, from userid 1000) id F30BCDA87E; Thu, 24 Apr 2008 18:10:35 +0000 (GMT)
Date: Thu, 24 Apr 2008 18:10:35 +0000
From: Baldur Gislason
To: Steve Bertrand
Message-ID: <20080424181035.GC66873@gremlin.foo.is>
References: <4808A15E.4030007@ibctech.ca> <20080418133417.GA66873@gremlin.foo.is> <481078F6.9010108@ibctech.ca>
In-Reply-To: <481078F6.9010108@ibctech.ca>
User-Agent: Mutt/1.4.2.2i
X-Sanitizer: Foo
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Cc: freebsd-net@freebsd.org
Subject: Re: IPIP tunnel behind NAT
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 24 Apr 2008 18:10:41 -0000

You need to do a one-to-one NAT, so protocol 94 (IPIP) packets get forwarded. It's not TCP or UDP, so no ports there.
Alternatively, you can set up a NAT traversing IPSEC-in-UDP tunnel, but that requires a kernel patch.
Baldur

On Thu, Apr 24, 2008 at 08:11:34AM -0400, Steve Bertrand wrote:
> Baldur Gislason wrote:
> > It'll work fine. I've done this several times before.
>
> Hmmm. I still can't seem to get this setup to work. The FreeBSD box is
> behind a Fortigate 200 unit.
>
> > However I've also had NAT implementations which didn't work this way but
> > this one should definitely work.
>
> Are there any ports that need to be opened on the Fortigate to allow the
> tunnel traffic through? There appears to be no place in the Fortigate to
> pass protocol 41 traffic.
>
> Thanks,
>
> Steve
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
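As an added example, not part of the thread and not anyone's posted configuration: what the "one-to-one NAT" Baldur describes looks like when the NAT device is itself a FreeBSD box running pf(4), rather than the Fortigate in Steve's setup. The point the thread makes is that an IP-in-IP tunnel has no TCP/UDP header, so a port forward can never match it; the whole encapsulation protocol must be mapped to one inside host with a bidirectional (binat) rule. Interface names, addresses (RFC 5737 documentation ranges) and the gif0 addressing below are all assumed for illustration. One practitioner's caveat: the protocol number to map is whatever the tunnel really emits. On FreeBSD, gif(4) sends IP protocol 4 for an IPv4 payload and 41 for an IPv6 payload (the protocol Steve is asking about), so check with tcpdump on the outside interface before assuming a number.

```shell
#!/bin/sh
# Added example for the thread above, not code from it. Generates the
# pf.conf fragment and gif(4) commands for running an IP-in-IP tunnel
# from a host behind a FreeBSD pf gateway. All names/addresses assumed.

# Emit the pf.conf fragment for a 1:1 (binat) mapping of the tunnel host.
#   $1 external interface   $2 public address of the gateway
#   $3 inside tunnel host   $4 remote tunnel endpoint   $5 IP protocol number
gen_pf_rules() {
    ext_if=$1; ext_addr=$2; int_host=$3; remote_ep=$4; proto=$5
    cat <<EOF
# bidirectional 1:1 mapping: $int_host <-> $ext_addr on $ext_if
binat on $ext_if from $int_host to any -> $ext_addr
# pf translates before it filters, so the inbound rule sees the inside
# address. No port is named: an IP-in-IP packet has none to match.
pass in quick on $ext_if proto $proto from $remote_ep to $int_host
pass out quick on $ext_if proto $proto from any to $remote_ep
EOF
}

# Emit the gif(4) commands for the inside host. Its outer tunnel source is
# its private address; binat on the gateway rewrites that to the public
# address, so the remote side must point its own tunnel at that public
# address, not at the private one.
#   $1 inside host   $2 remote endpoint   $3 inner local   $4 inner remote
gen_tunnel_cmds() {
    int_host=$1; remote_ep=$2; inner_local=$3; inner_remote=$4
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $int_host $remote_ep
ifconfig gif0 inet $inner_local $inner_remote netmask 255.255.255.252
EOF
}

# Constructed sample values (documentation ranges, not real hosts).
EXT_IF=em0
EXT_ADDR=203.0.113.5
INT_HOST=192.168.1.20
REMOTE_EP=198.51.100.1

echo "# --- pf.conf fragment for the gateway ---"
gen_pf_rules "$EXT_IF" "$EXT_ADDR" "$INT_HOST" "$REMOTE_EP" 4
echo "# --- commands for the inside host ---"
gen_tunnel_cmds "$INT_HOST" "$REMOTE_EP" 10.9.9.1 10.9.9.2

# On the gateway: save the fragment, syntax-check it with "pfctl -nf FILE",
# then load it. To confirm the encapsulated packets actually cross the
# gateway, watch the outside interface for the bare protocol, not a port:
#   tcpdump -ni em0 'ip proto 4 and host 198.51.100.1'
# If nothing shows up with proto 4, try 41 (IPv6 payload) and adjust the
# protocol number passed to gen_pf_rules to match what you see.
```

The generated rules use `pass ... proto 4` rather than a protocol name so they do not depend on the spelling in /etc/protocols; the same fragment with 41 in place of 4 covers an IPv6-over-IPv4 gif tunnel. The tcpdump check is the useful diagnostic here: if the outer packets never appear on the outside interface with the expected protocol number, no amount of port-based forwarding on the NAT device will help.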