Date:      Mon, 10 Apr 2000 01:50:42 -0400 (EDT)
From:      Jim Flowers <jflowers@ezo.net>
To:        Andy McConnell <andym@houseofcats.org>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: natd and passing ipsec data
Message-ID:  <Pine.BSI.3.91.1000410014410.10899N-100000@lily.ezo.net>
In-Reply-To: <Pine.BSF.4.10.10004071019390.33403-100000@neroon.houseofcats.org>

I use NAT with SKIP (protocol 57) all the time.  You can't really mix 
security with NAT well but fortunately ipfw allows you to do both 
by bypassing NAT.  I just create ipfw rules that match the packets before 
they get to the divert rule, considering both encapsulated and 
unencapsulated addresses.

Don't know whether it will work for the ipsec stuff but the concepts are 
similar.

Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio

On Sun, 9 Apr 2000, Andy McConnell wrote:

> I'm looking for a workaround to allow hosts on a private IP subnet to
> setup ipsec VPNs through a natd implementation.
> 
> I am using FreeBSD 3.4-RELEASE now as the natd/ipfw and router.  I have a
> 10.0.0.0/24 subnet inside, using a single IP address on the outside for
> NAT.  
> 
> I am looking to use a standard IPSec client (which uses AH and ESP, as
> well as IKE (udp port 500)) on one of the inside clients.  I know AH won't
> work, but ESP *should* according to other recommendations.
> 
> I think now that the flavor of NAT I'm running will only support UDP and
> TCP.  I get the feeling that other IP flavors (protocols 50 and 50, AH and
> ESP) are ignored by this version of natd.
> 
> I have heard some reports from people running a Cisco PIX firewall that
> Cisco's NAT could do this.
> 
> Has anyone had success in this using a FreeBSD natd?
> 
> -Andy
> 
> 
> --
> Andy McConnell	andym@houseofcats.org
> 
> Those who make peaceful revolution impossible will make violent
> revolution inevitable.
>                                -- John F. Kennedy
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
> 


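Added example, not from either poster: the rule ordering Jim describes (bypass rules numbered ahead of the divert rule) written out as an ipfw rules file for Andy's setup. Assumed placeholders: outside interface fxp0 and VPN peer 192.0.2.10; the 10.0.0.0/24 inside subnet comes from Andy's message. Packets matched by the bypass rules never reach natd, so they leave with their 10.x source address and the peer must be able to route back to it.

```ipfw
# Load with: ipfw /etc/ipfw.rules (lines are ipfw subcommands without the "ipfw" prefix).
# Rules 100-150 match before rule 200, so natd never sees this traffic.

# Outbound: ESP, AH and IKE from the inside subnet to the VPN peer, untranslated.
add 100 allow esp from 10.0.0.0/24 to 192.0.2.10 out via fxp0
add 110 allow ah  from 10.0.0.0/24 to 192.0.2.10 out via fxp0
add 120 allow udp from 10.0.0.0/24 500 to 192.0.2.10 500 out via fxp0

# Inbound: the same protocols back from the peer, still addressed to the inside host.
add 130 allow esp from 192.0.2.10 to 10.0.0.0/24 in via fxp0
add 140 allow ah  from 192.0.2.10 to 10.0.0.0/24 in via fxp0
add 150 allow udp from 192.0.2.10 500 to 10.0.0.0/24 500 in via fxp0

# Everything else on the outside interface is handed to natd as before.
add 200 divert natd all from any to any via fxp0
```

Check the ordering with `ipfw show`: the allow rules must list above the divert rule, and their packet counters should climb while the divert rule's counter stays flat for the VPN traffic.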