From owner-freebsd-security@FreeBSD.ORG Thu May 1 15:35:42 2003
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 824F337B401 for ; Thu, 1 May 2003 15:35:42 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id ADD2443FB1 for ; Thu, 1 May 2003 15:35:41 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org (12-234-159-107.client.attbi.com[12.234.159.107]) by sccrmhc02.attbi.com (sccrmhc02) with ESMTP id <20030501223540002006js31e>; Thu, 1 May 2003 22:35:40 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.8p1/8.12.3) with ESMTP id h41MZcki085589; Thu, 1 May 2003 15:35:39 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.8p1/8.12.8/Submit) id h41MZbYG085588; Thu, 1 May 2003 15:35:37 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Thu, 1 May 2003 15:35:36 -0700
From: "Crist J. Clark" 
To: Guy Middleton 
Message-ID: <20030501223536.GA85493@blossom.cjclark.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org> <20030430165348.A23754@chaos.obstruction.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030430165348.A23754@chaos.obstruction.com>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
cc: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Crist J. Clark" 
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Thu, 01 May 2003 22:35:42 -0000

On Wed, Apr 30, 2003 at 04:53:48PM -0400, Guy Middleton wrote:
> On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> > Guy Middleton writes:
> > 
> > > I have a FreeBSD box acting as a firewall and NAT gateway.
> > > 
> > > I would like to set it up to transparently pass IPSec packets -- I have
> > > an IPSec VPN client running on another machine, connecting to a remote network.
> > > 
> > > Is there a way to do this? I can't find any hints in the man pages.
> > 
> > It's impossible. IPSEC can't be passed through a NAT.
> > 
> > The best you could do would be to terminate the tunnel on the gateway itself.
> 
> Ok, now I'm confused. The same client (Cisco VPN 3.5 on Windows) works
> through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
> The LinkSys even has a friendly little check-box to allow IPSec pass-through.
> 
> I would like the FreeBSD gateway to work the same way as the LinkSys.

Have you tried it? A Cisco VPN client worked fine for me the first time I
tried. Of course, we are using UDP encapsulation. And LinkSys routers have
actually been the only thing we've found that manage to break the Cisco
clients (the LinkSys "pass-through" was actually breaking it). Funny.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
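The disagreement in the thread above (Lowell's "IPSec can't be passed through a NAT" versus Crist's "worked fine ... we are using UDP encapsulation") comes down to one packet-level fact: raw ESP has no transport-layer ports for a port-translating NAT to rewrite, while NAT-T wraps ESP in UDP (RFC 3948, UDP port 4500) so it behaves like any other UDP flow. The following toy NAT model is an added example written for this archive page, not code from the thread, from FreeBSD, or from any vendor. The addresses, ports and SPIs are constructed sample values, and the "pass-through" behaviour modelled for raw ESP (remember a single inner host, drop any second one) is an assumption about how a consumer router's one-client pass-through works, not a description of the BEFSR81 mentioned above.

```python
# Added example, not from the original freebsd-security thread.
# A toy port-translating NAT (NAPT) showing why raw ESP (IP protocol 50)
# cannot be demultiplexed across several inner hosts, while UDP-encapsulated
# ESP (NAT-T, RFC 3948, UDP port 4500) passes like any other UDP flow.
# All addresses, ports and SPIs are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "udp" or "esp"
    sport: Optional[int] = None   # UDP only
    dport: Optional[int] = None   # UDP only
    spi: Optional[int] = None     # ESP only; chosen by whoever receives the SA


@dataclass
class Napt:
    ext_ip: str
    next_port: int = 40000
    udp_out: dict = field(default_factory=dict)  # (inner_ip, inner_port) -> ext_port
    udp_in: dict = field(default_factory=dict)   # ext_port -> (inner_ip, inner_port)
    esp_host: Optional[str] = None               # assumed single "pass-through" binding

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "udp":
            key = (pkt.src, pkt.sport)
            if key not in self.udp_out:           # allocate a fresh external port
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = key
                self.next_port += 1
            return Packet(self.ext_ip, pkt.dst, "udp", self.udp_out[key], pkt.dport)
        if pkt.proto == "esp":
            # ESP carries no port, so only the source address can be rewritten.
            # Modelled pass-through: remember one inner host; a second host could
            # not be told apart on the return path, so it is dropped.
            if self.esp_host is None:
                self.esp_host = pkt.src
            elif self.esp_host != pkt.src:
                return None
            return Packet(self.ext_ip, pkt.dst, "esp", spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == "udp":
            key = self.udp_in.get(pkt.dport)
            if key is None:                       # no state for this port: drop
                return None
            return Packet(pkt.src, key[0], "udp", pkt.sport, key[1])
        if pkt.proto == "esp":
            # The inbound SPI was picked by the inner host's peer and is unrelated
            # to the outbound SPI, so the only usable state is the bound host.
            if self.esp_host is None:
                return None
            return Packet(pkt.src, self.esp_host, "esp", spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")


def simulate(proto: str) -> dict:
    """Two inner hosts open IPsec sessions to the same remote gateway through
    one NAT. Returns, per inner host, which host the gateway's reply reaches
    (None means the packet was dropped or could not be delivered)."""
    nat = Napt("203.0.113.1")          # constructed external address of the NAT
    gw = "198.51.100.10"               # constructed remote VPN gateway
    results = {}
    for host, spi in (("10.0.0.2", 0x1001), ("10.0.0.3", 0x1002)):
        if proto == "udp":
            out = nat.outbound(Packet(host, gw, "udp", sport=4500, dport=4500))
        else:
            out = nat.outbound(Packet(host, gw, "esp", spi=spi))
        if out is None:
            results[host] = None
            continue
        # The gateway answers whatever it saw, using its own reply SPI for ESP.
        if proto == "udp":
            reply = Packet(gw, out.src, "udp", sport=4500, dport=out.sport)
        else:
            reply = Packet(gw, out.src, "esp", spi=spi + 0x100)
        back = nat.inbound(reply)
        results[host] = back.dst if back else None
    return results


if __name__ == "__main__":
    print("NAT-T (UDP 4500):", simulate("udp"))
    print("raw ESP:         ", simulate("esp"))
```

Running it shows both inner hosts reached through NAT-T, while only the first host survives raw ESP pass-through; that is the practical reason UDP encapsulation on the client is what makes the FreeBSD NAT gateway "just work", and why a firewall on that gateway only needs to permit the client's outbound UDP flows (ISAKMP and NAT-T) and their replies rather than any special ESP handling.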