Date:      Mon, 11 Dec 2000 16:32:49 -0700
From:      Mike Porter <mupi@mknet.org>
To:        freebsd-questions@freebsd.org
Subject:   IPSec through a NAT'd gateway
Message-ID:  <00121116324902.09639@mukappa.home.com>


Having spent the last 90 minutes or so reading the archives, I think there 
has been a lot said, but I haven't seen an answer to my specific question yet.

It looks as though IPSec is by definition not supposed to be NATable, though 
using ESP seems to get around this "limitation".

The problem we are having is that we are trying to run a "private" network 
through a FreeBSD gateway/firewall/NAT box to preserve IP namespace (we don't 
have enough to put all our workstations on the network, plus there is a lot 
more overhead if (when) we change ISPs).  The problem arises in that each of 
the workstations (win98 boxen) must access a secured system (using Nortel's 
extranet client).  It seems that one connection is able to get through, and 
then nobody else can connect.  Thus, it appears that the 4.2-release natd is 
able to handle ESP and IPSec more-or-less correctly, but it only allows one 
client at a time?

I recall having seen a message where someone with more programming skills 
than I thought they knew where to change something to allow it to work 
multiple times, but I never saw a response to that message.

I guess there is a possibility of using a "one-to-one" NAT for the machines 
that need this access, but that sort of defeats the purpose of using NAT, as 
each machine must still have a "public" IP as well, though we could probably 
"share" some addresses (most of the workstations are not in use at any given 
time, so a 1:2 or 1:3 mapping would probably work, and help some).

Finally, this seems to be mostly a natd issue?  I haven't seen much about it 
being a problem with ipnat, though I guess that could just be that natd is 
more popular?

In short, HELP!!! <(}:

Any tips, pointers, hints, etc (even flames if they help me get this working) 
are welcome.  And please cc me as I don't think my subscription has "taken" 
just yet....

mike
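An added illustration of the one-client-at-a-time behaviour described in the post (this is not from the original message and is a simplified model, not natd's actual translation code): a port-translating NAT can multiplex TCP flows on port numbers, but ESP carries no port field and the SPI on return packets is chosen by the remote peer during IKE, which the NAT cannot read, so inbound ESP can only be handed to one inner host. All addresses and SPIs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed: the NAT box's public address
@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # TCP only
    dport: Optional[int] = None  # TCP only
    spi: Optional[int] = None    # ESP only, chosen by the receiver of the SA

class Pat:
    def __init__(self) -> None:
        self.next_port = 40000
        self.tcp_out: Dict[Tuple[str, int], int] = {}   # (inner ip, inner port) -> public port
        self.tcp_in: Dict[int, Tuple[str, int]] = {}    # public port -> (inner ip, inner port)
        self.esp_host: Optional[str] = None             # the one inner host ESP is routed to
    def outbound(self, p: Packet) -> Packet:
        if p.proto == "tcp":
            key = (p.src, p.sport)
            if key not in self.tcp_out:
                self.next_port += 1
                self.tcp_out[key] = self.next_port
                self.tcp_in[self.next_port] = key
            return Packet("tcp", PUBLIC_IP, p.dst, self.tcp_out[key], p.dport)
        # ESP has no port, and the SPI the peer will use on return packets was
        # agreed inside IKE, so there is no per-host key: last sender wins.
        self.esp_host = p.src
        return Packet("esp", PUBLIC_IP, p.dst, spi=p.spi)
    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "tcp":
            inner = self.tcp_in.get(p.dport)
            return Packet("tcp", p.src, inner[0], p.sport, inner[1]) if inner else None
        return Packet("esp", p.src, self.esp_host, spi=p.spi) if self.esp_host else None

def demo() -> Dict[str, object]:
    # two inner hosts reach one remote VPN gateway; TCP multiplexes, ESP does not
    nat, gw, a, b = Pat(), "198.51.100.7", "10.0.0.11", "10.0.0.12"  # constructed
    ta = nat.outbound(Packet("tcp", a, gw, 1025, 80))
    tb = nat.outbound(Packet("tcp", b, gw, 1025, 80))
    nat.outbound(Packet("esp", a, gw, spi=0x1111))   # host A's tunnel comes up
    nat.outbound(Packet("esp", b, gw, spi=0x2222))   # host B's tunnel comes up
    # the gateway replies to A using the SPI it assigned A, but the NAT has no
    # way to know 0xAAAA belongs to A, so the packet lands on B instead
    back_a = nat.inbound(Packet("esp", gw, PUBLIC_IP, spi=0xAAAA))
    return {
        "tcp_distinct_ports": ta.sport != tb.sport,
        "tcp_reply_to_a": nat.inbound(Packet("tcp", gw, PUBLIC_IP, 80, ta.sport)).dst,
        "esp_reply_for_a_delivered_to": back_a.dst,
    }
```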

