From owner-freebsd-net@FreeBSD.ORG Thu Oct 20 22:24:01 2005
Date: Thu, 20 Oct 2005 23:25:30 +0100 (BST)
From: Vince Hoffman
To: Holm Tiffe
Cc: freebsd-net@freebsd.org
Subject: Re: urgent: RELENG_5 ipfw/nat/IPSEC Problem..
In-Reply-To: <20051019180114.GB38872@pegasus.freiberg-net.de>
Message-ID: <20051020225940.H16510@unsane.co.uk>
References: <20051019180114.GB38872@pegasus.freiberg-net.de>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 19 Oct 2005, Holm Tiffe wrote:

> Hi,
>
> I have a currently big problem with the following setup:
>
> A FreeBSD Box, running 5_STABLE, is connected with one interface to the
> public, with the other to a NATed subnet with private address space.
> I need to allow at least one host from inside the private network access
> to an outside Cisco VPN concentrator. I've learned in the meantime that
> allowing udp connections from inside to the outside net and vice versa isn't
> doing the job.
> (I've struggled in the meantime over tcpdump, that is showing isakmp
> packets leaving the external interface, but they don't really do this..)
>
> What exactly do I have to do to get this working?
>

What I found I needed to do to connect to the work Cisco VPN through my
FreeBSD NAT firewall was to tell it not to NAT the source port of the isakmp
packets, as isakmp needs to have source and destination port 500. Using pf,
the command is (taken from man pf.conf):

    # Map outgoing packets' source port to an assigned proxy port instead of
    # an arbitrary port.
    # In this case, proxy outgoing isakmp with port 500 on the gateway.
    nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \
        port 500

Not sure about the same for ipfw/natd, but I'm sure it's doable.

Vince

> The FreeBSD Box is out of reach (around 50km from here), I can't access the
> hosts on the inside network and I don't have access to the cisco
> concentrator, so I can't test different setups ..
>
> Can anyone please help?
>
> Regards,
>
> Holm
>
> ps: please Cc me, I'm currently not subscribed to this list.
> --
> L&P::Kommunikation GbR          Holm Tiffe  * Administration, Development
> FreibergNet.de Internet Systems phone +49 3731 419010
> Bereich Server & Technik        fax   +49 3731 4196026
> D-09599 Freiberg * Am St. Niclas Schacht 13   http://www.freibergnet.de
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
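A small audit script for the pf.conf rule form quoted in the reply, added here as an example and not code from the thread or from the pf project; it assumes the nat rule syntax of pf.conf(5) (the "port 500" and "static-port" translation modifiers) and uses a constructed sample configuration to show the check.

```python
"""Check a pf.conf for a nat rule that keeps the ISAKMP source port at 500.

Added example, not from the original mail. Assumes pf.conf(5) nat syntax:
    nat on <if> [inet] [proto <p>] from <src> [port = <sp>] to <dst> -> <tgt> [mods]
where mods may be "port 500" (as in the reply) or "static-port".
"""
import re

ISAKMP_PORT = 500

# Constructed sample pf.conf, not taken from the thread.
SAMPLE_PF_CONF = """
ext_if = "fxp0"
int_net = "192.168.1.0/24"
# generic NAT: pf picks an arbitrary source port for everything
nat on $ext_if from $int_net to any -> ($ext_if)
# isakmp: keep UDP source port 500 so the concentrator accepts the packets
nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \\
    port 500
"""

NAT_RE = re.compile(
    r"^nat\s+on\s+\S+\s+(?:inet6?\s+)?(?:proto\s+(?P<proto>\w+)\s+)?"
    r"from\s+\S+(?:\s+port\s*=\s*(?P<sport>\w+))?\s+to\s+\S+\s+->\s*"
    r"(?P<target>\(?\$?\w+\)?)(?P<mods>.*)$"
)

def port_number(token):
    """Resolve a pf port token; only the isakmp service name is assumed."""
    if token == "isakmp":
        return ISAKMP_PORT
    return int(token) if token.isdigit() else None

def isakmp_source_port_preserved(conf):
    """True if a UDP nat rule for source port 500 pins the translated port to 500."""
    # pf.conf allows backslash line continuation, as in the quoted rule.
    for line in conf.replace("\\\n", " ").splitlines():
        m = NAT_RE.match(line.strip())
        if not m or m.group("proto") not in (None, "udp"):
            continue
        if m.group("sport") is None or port_number(m.group("sport")) != ISAKMP_PORT:
            continue
        mods = m.group("mods")
        if "static-port" in mods:          # keep whatever source port the host used
            return True
        pinned = re.search(r"\bport\s+(\w+)", mods)
        if pinned and port_number(pinned.group(1)) == ISAKMP_PORT:
            return True
    return False
```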