From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 06:55:28 2003
Date: Wed, 30 Apr 2003 07:55:27 -0600
From: "David G. Andersen"
To: Guy Middleton
cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <20030430075527.A54362@cs.utah.edu>
References: <20030430094537.A20710@chaos.obstruction.com>
In-Reply-To: <20030430094537.A20710@chaos.obstruction.com>; from guy@obstruction.com on Wed, Apr 30, 2003 at 09:45:37AM -0400
List-Id: Security issues [members-only posting]

Guy Middleton just mooed:
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this?  I can't find any hints in the man pages.

It's probably using either ipip, esp, or ipencap.

tcpdump the traffic, and then permit whichever protocol it's using.

  permit esp from foo to bar

  -Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
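Dave's two-step advice, worked through as an added example (an editor's addition, not part of the original message or of any FreeBSD code): a sh script that reads tcpdump output, reports which IPsec-related protocols the client is actually using, and prints the ipfw rules that let them through. The capture lines are constructed, as are the addresses 192.0.2.10 (the VPN client behind the NAT box) and 198.51.100.7 (the remote gateway); the decoder strings the script matches on ("ESP(spi=", "UDP-encap:", "isakmp", an inner "IP" header for IP-in-IP) are what current tcpdump prints, not necessarily what the 2003-era tcpdump in the thread would have shown.

```shell
#!/bin/sh
# Added example (editor's, not from the message above): find out from a
# tcpdump capture which IPsec-related protocols a VPN client is using,
# then print the ipfw rules that let them through the firewall.

# Constructed sample of what
#   tcpdump -n -i fxp0 'esp or ah or ip proto 4 or udp port 500 or udp port 4500'
# might print on the firewall. 192.0.2.10 is the VPN client behind the NAT
# box, 198.51.100.7 the remote gateway; both are documentation addresses.
SAMPLE='12:00:01.000000 IP 192.0.2.10.500 > 198.51.100.7.500: isakmp: phase 1 I ident
12:00:01.100000 IP 198.51.100.7.500 > 192.0.2.10.500: isakmp: phase 1 R ident
12:00:02.000000 IP 192.0.2.10 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:02.050000 IP 198.51.100.7 > 192.0.2.10: ESP(spi=0x4e5f6071,seq=0x1), length 116
12:00:03.000000 IP 192.0.2.10.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 100
12:00:04.000000 IP 192.0.2.10 > 198.51.100.7: IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:05.000000 IP 192.0.2.10.51234 > 198.51.100.7.22: Flags [S], seq 1, win 65535, length 0'

# ipsec_protos: tcpdump lines on stdin -> sorted list of tags on stdout:
#   esp     raw ESP (IP protocol 50)
#   ah      raw AH (IP protocol 51)
#   ipip    IP-in-IP (IP protocol 4, "ipencap" in /etc/protocols)
#   isakmp  IKE on UDP 500
#   natt    NAT-Traversal, ESP or IKE inside UDP 4500 (RFC 3948)
# The patterns are the decoder strings current tcpdump prints, matched
# heuristically; unrelated traffic (the TCP SYN above) produces nothing.
ipsec_protos() {
    awk '
        /: ESP\(spi=/ && !/UDP-encap/      { seen["esp"] = 1 }
        /: AH\(spi=/                       { seen["ah"] = 1 }
        /: IP [0-9.]+ > [0-9.]+: /         { seen["ipip"] = 1 }
        /\.500 > .*isakmp/                 { seen["isakmp"] = 1 }
        /\.4500 > /                        { seen["natt"] = 1 }
        END { for (p in seen) print p }
    ' | sort
}

# rule PROTO SRC SPORT DST DPORT: one ipfw rule; SPORT/DPORT are "" or " N".
rule() {
    printf 'ipfw add allow %s from %s%s to %s%s\n' "$1" "$2" "$3" "$4" "$5"
}

# ipfw_rules CLIENT PEER: tags on stdin -> ipfw rules on stdout. An ipfw
# rule matches one direction only, so each protocol gets a rule each way.
# Protocol names are the ones in /etc/protocols, where ipfw looks them up.
# For NAT-T, natd may rewrite the client's source port, so only the peer's
# side is pinned to 4500.
ipfw_rules() {
    client=$1 peer=$2
    while read -r tag; do
        case "$tag" in
            esp)    rule esp     "$client" ""      "$peer"   ""
                    rule esp     "$peer"   ""      "$client" "" ;;
            ah)     rule ah      "$client" ""      "$peer"   ""
                    rule ah      "$peer"   ""      "$client" "" ;;
            ipip)   rule ipencap "$client" ""      "$peer"   ""
                    rule ipencap "$peer"   ""      "$client" "" ;;
            isakmp) rule udp     "$client" " 500"  "$peer"   " 500"
                    rule udp     "$peer"   " 500"  "$client" " 500" ;;
            natt)   rule udp     "$client" ""      "$peer"   " 4500"
                    rule udp     "$peer"   " 4500" "$client" "" ;;
        esac
    done
}

# Stand-alone run: classify the constructed capture and print the rules.
printf '%s\n' "$SAMPLE" | ipsec_protos | ipfw_rules 192.0.2.10 198.51.100.7
```

Two caveats the thread does not spell out. Raw ESP carries no port numbers, so a NAT gateway has nothing to multiplex on and can translate it for at most one inside client at a time; that is exactly what UDP encapsulation on port 4500 (NAT-T, RFC 3948) exists for, so when both the client and the remote gateway support it, allowing UDP 500 and 4500 is usually all the firewall needs. AH authenticates the outer IP header, so it cannot survive address translation at all. In either case the rules have to sit at the point in the ruleset where the traffic actually passes, which on a natd-based gateway means on the correct side of the divert rule.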