Date:      Thu, 1 May 2003 15:35:36 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Guy Middleton <guy@obstruction.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID:  <20030501223536.GA85493@blossom.cjclark.org>
In-Reply-To: <20030430165348.A23754@chaos.obstruction.com>
References:  <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org> <20030430165348.A23754@chaos.obstruction.com>

On Wed, Apr 30, 2003 at 04:53:48PM -0400, Guy Middleton wrote:
> On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> > Guy Middleton <guy@obstruction.com> writes:
> > 
> > > I have a FreeBSD box acting as a firewall and NAT gateway.
> > > 
> > > I would like to set it up to transparently pass IPSec packets -- I have
> > > an IPSec VPN client running on another machine, connecting to a remote network.
> > > 
> > > Is there a way to do this?  I can't find any hints in the man pages.
> > 
> > It's impossible.  IPSEC can't be passed through a NAT.
> > 
> > The best you could do would be to terminate the tunnel on the gateway itself.
> 
> Ok, now I'm confused.  The same client (Cisco VPN 3.5 on Windows) works
> through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
> The LinkSys even has a friendly little check-box to allow IPSec pass-through.
> 
> I would like the FreeBSD gateway to work the same way as the LinkSys.

Have you tried it? A Cisco VPN client worked fine for me the first
time I tried. Of course, we are using UDP encapsulation. And LinkSys
routers have actually been the only thing we've found that manage to
break the Cisco clients (the LinkSys "pass-through" was actually
breaking it). Funny.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
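An added illustration, not part of this thread and not FreeBSD's or Cisco's code: a small Python dissector that shows why both answers above can be true. Raw ESP (IP protocol 50) carries an SPI but no port numbers, so a port-rewriting NAT such as natd has nothing to translate or demultiplex on, and AH's integrity check covers the IP addresses themselves; ISAKMP on UDP/500 and UDP-encapsulated ESP are ordinary UDP flows that a NAT forwards like anything else. The example assumes RFC 3948 style encapsulation on UDP/4500 for the "UDP encapsulation" mentioned in the reply (the Cisco client's exact port is not stated in the thread); every packet, address and SPI below is constructed by hand for the example.

```python
"""
Which IPsec packets can a port-rewriting NAT (e.g. natd on FreeBSD) forward?

Added illustration for this thread, not code from the original messages or
from FreeBSD.  Header layouts follow RFC 791 (IPv4), RFC 4302 (AH),
RFC 4303 (ESP) and RFC 3948 (UDP-encapsulated ESP on port 4500).  All
packets below are constructed; the addresses and SPIs are made up.
"""
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500                          # ISAKMP
NATT_PORT = 4500                        # RFC 3948 UDP encapsulation (assumed port)
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # IKE on 4500 carries this; ESP SPI 0 is reserved


@dataclass
class Verdict:
    kind: str       # "esp", "ah", "ike", "natt-ike", "natt-esp", "udp", "tcp", "other"
    nat_ok: bool    # can a NAT that rewrites only TCP/UDP ports forward it?
    reason: str


def classify(pkt: bytes) -> Verdict:
    """Parse one IPv4 packet and say whether a port-based NAT can pass it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("expected an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]

    if proto == IPPROTO_ESP:
        spi, _seq = struct.unpack("!II", payload[:8])
        return Verdict("esp", False,
                       f"ESP SPI 0x{spi:08x}: no port numbers, so the NAT has nothing to rewrite or multiplex on")
    if proto == IPPROTO_AH:
        spi = struct.unpack("!I", payload[4:8])[0]
        return Verdict("ah", False,
                       f"AH SPI 0x{spi:08x}: the ICV covers the IP addresses, so rewriting them fails the check")
    if proto == IPPROTO_TCP:
        return Verdict("tcp", True, "plain TCP; the NAT rewrites address and port")
    if proto != IPPROTO_UDP:
        return Verdict("other", False, f"IP protocol {proto} has no transport ports")

    sport, dport, ulen, _cksum = struct.unpack("!HHHH", payload[:8])
    data = payload[8:ulen]
    if IKE_PORT in (sport, dport):
        return Verdict("ike", True, "ISAKMP on UDP/500; the NAT rewrites the UDP ports and IKE does not care")
    if NATT_PORT in (sport, dport):
        if data[:4] == NON_ESP_MARKER:
            return Verdict("natt-ike", True, "IKE on UDP/4500 behind the non-ESP marker (RFC 3948)")
        spi = struct.unpack("!I", data[:4])[0]
        return Verdict("natt-esp", True,
                       f"ESP SPI 0x{spi:08x} wrapped in UDP/4500; the UDP header gives the NAT ports to translate")
    return Verdict("udp", True, "plain UDP; the NAT rewrites address and port")


# --- constructed sample packets (no real traffic was captured) -----------------

def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\x0a\x00\x00\x02", dst: bytes = b"\xc6\x33\x64\x01") -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum (left 0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # a zero UDP checksum is legal on IPv4, so the sample skips computing it
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


ESP_BODY = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16     # SPI, sequence, opaque ciphertext
SAMPLES = {
    "raw_esp":  build_ipv4(IPPROTO_ESP, ESP_BODY),
    "raw_ah":   build_ipv4(IPPROTO_AH, bytes([IPPROTO_TCP, 4, 0, 0])
                           + struct.pack("!II", 0xCAFE, 1) + b"\x00" * 12),
    "ike":      build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "natt_ike": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "natt_esp": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_BODY)),
}


def nat_passable(name: str) -> bool:
    """Convenience wrapper over the constructed samples."""
    return classify(SAMPLES[name]).nat_ok


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = classify(pkt)
        print(f"{name:9s} {v.kind:9s} nat_ok={str(v.nat_ok):5s} {v.reason}")
```

The model deliberately covers only a NAT that rewrites TCP/UDP ports, which is what natd does; a box that instead tracks raw ESP by SPI (what a consumer "pass-through" option attempts) is a different mechanism and is not modelled here. For the UDP-encapsulated case the practical consequence is that the gateway only has to let UDP/500 and the encapsulation port through natd like any other UDP flow.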