From owner-freebsd-net  Wed May 30 22:29:40 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mail.datausa.com (mail.datausa.com [207.174.131.1])
	by hub.freebsd.org (Postfix) with ESMTP id 1101A37B424
	for <freebsd-net@freebsd.org>; Wed, 30 May 2001 22:29:37 -0700 (PDT)
	(envelope-from brad@wcubed.net)
Received: from localhost (brad@localhost)
	by mail.datausa.com (8.9.3/8.9.1) with ESMTP id XAA92806
	for <freebsd-net@freebsd.org>; Wed, 30 May 2001 23:23:06 -0600 (MDT)
Date: Wed, 30 May 2001 23:23:06 -0600 (MDT)
From: Brad Waite <brad@wcubed.net>
X-Sender: brad@mail.datausa.com
To: freebsd-net@freebsd.org
Subject: IPSec/NAT single gateway?
Message-ID: <Pine.BSF.4.21.0105301847220.79384-100000@mail.datausa.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

Hey there, all you network gurus,

I'm attempting to connect two office LANs over the Net with a VPN.  I was
originally looking at vpnd, but it appears that everything I need is available
in the 4.3 kernel via IPsec.

The two offices are running Windows (95, 98, & NT4) on the desktop and are
connected to the net via DSL.  While I will have static external IPs to work
with, it's likely that the DSL router is set up in PPP mode with NAT enabled.

Assuming DSL router's inside address is 10.0.0.1, would I want to set my
gateway's outside IF to 10.0.0.2 and the inside to 10.0.1.1, with all the
desktops on the 10.0.1 network?

Here's what I'm thinking:


            < PC net on 10.0.3.0 >
                      |
                      |
             |---- 10.0.3.1 ----|
             |       FBSD       |
             |---- 10.0.2.2 ----|
                      |
                      |
             |---- 10.0.2.1 ----|
             |    DSL Router    |
             |---- Inet addr ---|
                      |
                      |
		 (~~~~~~~~~)
	        (           )
	       (  The Big I  )
	        (           )
		 (_________)
                      |
                      |
             |---- Inet addr ---|
             |    DSL Router    |
             |---- 10.0.0.1 ----|
                      |
                      |
             |---- 10.0.0.2 ----|
             |       FBSD       |
             |---- 10.0.1.1 ----|
                      |
                      |
            < PC net on 10.0.1.0 >

Will this work, or will the DSL router's NAT break IPsec?  Also, are there
problems with traffic to/from the Internet?  Should I NAT that, or just use a
255.255.0.0 mask?

Thanks much in advance,

Brad Waite
brad@wcubed.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message