Date: Mon, 10 Apr 2000 01:50:42 -0400 (EDT)
From: Jim Flowers <jflowers@ezo.net>
To: Andy McConnell <andym@houseofcats.org>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: natd and passing ipsec data
Message-ID: <Pine.BSI.3.91.1000410014410.10899N-100000@lily.ezo.net>
In-Reply-To: <Pine.BSF.4.10.10004071019390.33403-100000@neroon.houseofcats.org>
I use NAT with SKIP (protocol 57) all the time. You can't really mix security with NAT well but fortunately ipfw allows you to do both by bypassing NAT. I just create ipfw rules that match the packets before they get to the divert rule, considering both encapsulated and unencapsulated addresses. Don't know whether it will work for the ipsec stuff but the concepts are similar.

Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio

On Sun, 9 Apr 2000, Andy McConnell wrote:

> I'm looking for a workaround to allow hosts on a private IP subnet to
> setup ipsec VPNs through a natd implementation.
>
> I am using FreeBSD 3.4-RELEASE now as the natd/ipfw and router. I have a
> 10.0.0.0/24 subnet inside, using a single IP address on the outside for
> NAT.
>
> I am looking to use a standard IPSec client (which uses AH and ESP, as
> well as IKE (udp port 500)) on one of the inside clients. I know AH won't
> work, but ESP *should* according to other recommendations.
>
> I think now that the flavor of NAT I'm running will only support UDP and
> TCP. I get the feeling that other IP flavors (protocols 50 and 50, AH and
> ESP) are ignored by this version of natd.
>
> I have heard some reports from people running a Cisco PIX firewall that
> Cisco's NAT could do this.
>
> Has anyone had success in this using a FreeBSD natd?
>
> -Andy
>
> --
> Andy McConnell andym@houseofcats.org
>
> Those who make peaceful revolution impossible will make violent
> revolution inevitable.
> -- John F. Kennedy
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
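The bypass Jim describes, written out as an ipfw ruleset (an added example, not code from either poster): rules matching the security protocol are numbered below the natd divert rule, so they are accepted before natd can rewrite them, and both the outer (gateway-to-gateway) and inner (private-subnet) addresses get a rule. SKIP (protocol 57) is Jim's case; ESP (protocol 50) and IKE (udp/500) are added for Andy's. The interface name, peer address, remote subnet and rule numbers are assumptions; set IPFW=echo to print the commands instead of applying them, and the check function flags a bypass rule that landed after the divert.

```shell
#!/bin/sh
# Added example (not from the original post). Interface, peer, remote
# subnet and rule numbers are assumptions; IPFW=echo gives a dry run.
IPFW="${IPFW:-ipfw}"
EXT_IF="${EXT_IF:-ed0}"                      # assumed external interface
INSIDE="${INSIDE:-10.0.0.0/24}"              # inside subnet from Andy's message
PEER="${PEER:-192.0.2.10}"                   # assumed remote gateway (outer addresses)
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}"   # assumed net behind PEER (inner addresses)
DIVERT_RULE=2000                             # natd divert rule
BYPASS=1000                                  # bypass rules sit before the divert rule

install_rules() {
    $IPFW -f flush
    # Outer (encapsulated) packets between the gateways: SKIP, ESP and IKE.
    $IPFW add $BYPASS allow 57 from any to $PEER out via $EXT_IF
    $IPFW add $BYPASS allow 57 from $PEER to any in via $EXT_IF
    $IPFW add $BYPASS allow 50 from any to $PEER out via $EXT_IF
    $IPFW add $BYPASS allow 50 from $PEER to any in via $EXT_IF
    $IPFW add $BYPASS allow udp from any 500 to $PEER 500 via $EXT_IF
    $IPFW add $BYPASS allow udp from $PEER 500 to any 500 via $EXT_IF
    # Inner (unencapsulated) packets between the private subnets, which ipfw
    # also sees when this gateway does the encapsulation: keep them out of natd.
    $IPFW add $BYPASS allow ip from $INSIDE to $REMOTE_NET
    $IPFW add $BYPASS allow ip from $REMOTE_NET to $INSIDE
    # Everything else on the external interface is handed to natd.
    $IPFW add $DIVERT_RULE divert 8668 ip from any to any via $EXT_IF
    $IPFW add 65000 allow ip from any to any
}

# Read an `ipfw list` style listing on stdin and verify that every allow rule
# for protocol $1 comes before the first divert rule. Exit 0 if so, else 1.
bypass_before_divert() {
    awk -v proto="$1" '
        $2 == "divert" { seen_divert = 1 }
        $2 == "allow" && $3 == proto { if (seen_divert) late = 1; else seen = 1 }
        END { exit (seen && !late) ? 0 : 1 }'
}

case "${1:-}" in
    install) install_rules ;;
    check)   bypass_before_divert "${2:-57}" ;;   # e.g. ipfw list | sh natbypass.sh check 57
esac
```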