From: Willie Viljoen <will@unfoldings.net>
To: Pranas Baliuka
Cc: freebsd-questions@freebsd.org
Subject: Re: How to avoid NAT for VPN addresses
Date: Mon, 10 Feb 2003 14:40:53 +0200
Message-Id: <200302101440.53269.will@unfoldings.net>

Because (I assume) you have only one IP address, anything behind your gateway has to get NATed for it to be able to connect to the internet.
A VPN connection (generally) has to run two ways, so doing it behind NAT will be problematic. The best thing to do is either to apply for a routable IP address range (a /28 range will do for most networks) and route real IP via your gateway (make sure to firewall properly). If that's not possible, get them to assign extra IPs to you, of the same number as the amount of boxes you have doing VPN, then set up the addresses as aliases on your gateway and do static NAT.

If your VPN solution has the ability to set the port it communicates on, you could also use port forwarding from the gateway to the machines, but that is problematic at the best of times.

If you *HAVE* routable IP ranges behind your NAT and you simply want them to bypass the NAT, the easiest way is to run natd with the -u switch. This will cause natd to only operate on unregistered (e.g., 10.0.0.0/8, 192.168.0.0/16) addresses.

Will

On Monday 10 February 2003 15:26, Pranas Baliuka wrote:
> Can someone explain to me how to avoid NAT for specific IP ranges?
> I have configured IPSec (racoon and setkey); VPN works with the gateway
> (FreeBSD 4.6), but Windows workstations are not able to use VPN
> connections. I guess there are collisions with NAT and IPSec, but I need
> NAT for accessing the internet via my ISP.
>
> Thanks,
> Pranas Baliuka
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Willie Viljoen
Freelance IT Consultant

214 Paul Kruger Avenue, Universitas
Bloemfontein
9321
South Africa

+27 51 522 15 60
+27 51 522 44 36 (after hours)
+27 82 404 03 27 (mobile)

will@unfoldings.net
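As an added illustration of the natd -u approach above (this is not from the original post or from FreeBSD's own configuration files): a minimal FreeBSD 4.x rc.conf and ipfw rule file that hands outside traffic to natd while leaving routable VPN hosts untranslated and letting IKE and IPsec through. The interface name fxp0, the rule file path /etc/ipfw.rules and the rule numbers are assumptions; the kernel needs the IPFIREWALL and IPDIVERT options for this to work.

```conf
# /etc/rc.conf (FreeBSD 4.x) -- example only. "fxp0" is an assumed
# name for the outside interface; substitute the gateway's real one.
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"     # custom rule file, loaded by rc.firewall
natd_enable="YES"
natd_interface="fxp0"
# Weak setting: natd translates everything leaving fxp0, so VPN hosts
# that already hold routable addresses get rewritten too.
#natd_flags=""
# Corrected: -u makes natd alter only packets with an unregistered
# (RFC 1918: 10/8, 172.16/12, 192.168/16) source address; routable
# sources and traffic to routable destinations pass through unchanged.
natd_flags="-u"

# /etc/ipfw.rules -- assumed path; rules match in numeric order.
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
# Anti-spoofing: private sources must never arrive on the outside interface.
add 200 deny ip from 10.0.0.0/8 to any in via fxp0
add 210 deny ip from 172.16.0.0/12 to any in via fxp0
add 220 deny ip from 192.168.0.0/16 to any in via fxp0
# Everything crossing fxp0 visits natd; with -u it only rewrites
# packets sourced from RFC 1918 space, so the routable VPN hosts
# keep their own addresses in both directions.
add 300 divert natd ip from any to any via fxp0
# IKE and the IPsec protocols to/from the VPN hosts must still be
# permitted after the divert; a final deny would otherwise drop them.
add 400 allow udp from any to any 500 via fxp0
add 410 allow esp from any to any via fxp0
add 420 allow ah from any to any via fxp0
# Outbound traffic and replies to sessions the inside opened.
add 500 allow tcp from any to any established
add 510 allow ip from any to any out via fxp0
# Inbound services for the real network would be added here; log and
# deny whatever the policy did not explicitly permit.
add 65000 deny log ip from any to any
```

Because natd -u decides per source address, a workstation on 192.168.0.x is still translated by rule 300; only hosts that already have routable addresses bypass the NAT.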