Re: VPN through NAT?



On Aug 14, 2006, at 11:19 AM, Jeff Norris wrote:
IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN clients are the same. I use one that uses UDP port 10000 for NAT traversal.

Cisco will use either 4500/udp or 10000/tcp; the former is supposed to be more friendly for NAT traversal. It also seems to want to use a high port in the 6xxxx range for a debug channel if you use the "connection diagnostics" via SDM on a Cisco VPN router.

I've done a fair amount of debugging this from both the client and the server side; you pretty much need to have the VPN endpoint (whether client or server) assigned a static IP for GRE protocol redirection to work, so if you are dealing with clients using dynamic IPs, you'll want to set up a static IP assignment via your DHCP server.

Place the following into /etc/natd.conf (if using IPFW+natd):

redirect_proto gre A.B.C.D                 # PPTP data channel (IP protocol 47)
redirect_port tcp A.B.C.D:isakmp isakmp    # IKE, port 500
redirect_port udp A.B.C.D:isakmp isakmp    # IKE, port 500
redirect_port tcp A.B.C.D:pptp pptp        # PPTP control channel, port 1723
redirect_port udp A.B.C.D:4500 4500        # IPsec NAT-T (UDP-encapsulated ESP)
redirect_port tcp A.B.C.D:10000 10000      # Cisco IPsec over TCP
redirect_port udp A.B.C.D:62515 62515      # Cisco VPN client

...where, obviously, you would use the local IP address of the client or server instead of A.B.C.D. The above also seems to work OK with the Sonicwall VPN client and Microsoft's VPN remote access ("terminal services"? or whatever it's called).

If you have multiple clients trying to use the VPN from behind NAT, note that you can only have one VPN endpoint per externally routable IP, so you will have to configure separate natd's for each one. You'd probably be better off terminating the VPNs on the NAT machine if that is the case...

--
-Chuck

_______________________________________________
freebsd-isp@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@xxxxxxxxxxx"
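As an added example (not from the post above, and not part of FreeBSD or natd itself): a small Python checker that parses the redirect_port / redirect_proto lines of a natd.conf, reports which redirections a given VPN flavour still lacks for a chosen inside host, and flags a public port claimed by more than one inside host (the one-endpoint-per-public-IP limit the post mentions). The per-flavour port table, the sample addresses 192.168.1.20 and 192.168.1.21, and the sample config (the posted natd.conf with A.B.C.D filled in) are assumptions made for this example. It also goes one step beyond the post: it treats IPsec without NAT-T as needing a raw ESP (protocol 50) redirect, which the posted config does not carry, so that case shows up as missing.

```python
"""Check natd(8) redirect rules against what a VPN endpoint behind NAT needs.

Added example, not from the original post or from FreeBSD. It understands the
redirect_port / redirect_proto lines of natd.conf(5) and compares a config
against an assumed per-VPN-flavour table of required protocols and ports.
"""

# Assumed requirements per VPN flavour: (transport_or_ip_proto, port).
# port None means a raw IP protocol handled by redirect_proto, not a port.
REQUIREMENTS = {
    "pptp":       {("tcp", 1723), ("gre", None)},   # control channel + GRE data
    "ipsec-natt": {("udp", 500), ("udp", 4500)},    # IKE + UDP-encapsulated ESP
    "ipsec-raw":  {("udp", 500), ("esp", None)},    # IKE + bare ESP, no NAT-T
    "cisco-tcp":  {("tcp", 10000)},                 # Cisco IPsec over TCP
}

# natd resolves service names through /etc/services; a small offline table so
# the example parses the names used in the post without that file.
SERVICE_PORTS = {"isakmp": 500, "pptp": 1723, "ipsec-nat-t": 4500}

# Constructed sample: the posted natd.conf with A.B.C.D set to 192.168.1.20.
SAMPLE_CONF = """\
redirect_proto gre 192.168.1.20
redirect_port tcp 192.168.1.20:isakmp isakmp # port 500
redirect_port udp 192.168.1.20:isakmp isakmp # port 500
redirect_port tcp 192.168.1.20:pptp pptp # port 1723
redirect_port udp 192.168.1.20:4500 4500
redirect_port tcp 192.168.1.20:10000 10000
redirect_port udp 192.168.1.20:62515 62515
"""


def _port(token):
    """Numeric port from a number or one of the service names above."""
    token = token.rsplit(":", 1)[-1]   # aliasPORT may be written aliasIP:aliasPORT
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}")


def parse_natd_conf(text):
    """Return ({(proto, public_port_or_None): inside_ip}, conflicts).

    A conflict is a public proto/port already redirected to a different inside
    host; natd cannot split one public port between two endpoints.
    """
    rules, conflicts = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # natd.conf allows '#' comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "redirect_port" and len(fields) >= 4:
            inside_ip = fields[2].rsplit(":", 1)[0]
            key = (fields[1].lower(), _port(fields[3]))
        elif fields[0] == "redirect_proto" and len(fields) >= 3:
            inside_ip = fields[2]
            key = (fields[1].lower(), None)
        else:
            continue                          # not a redirect directive
        if key in rules and rules[key] != inside_ip:
            conflicts.append((key, rules[key], inside_ip))
            continue
        rules[key] = inside_ip
    return rules, conflicts


def _order(req):
    """Stable sort key that tolerates the None port of raw-protocol rules."""
    return (req[0], req[1] or 0)


def missing_redirects(rules, endpoint_ip, flavour):
    """Required redirects for `flavour` that do not point at endpoint_ip."""
    return sorted((r for r in REQUIREMENTS[flavour] if rules.get(r) != endpoint_ip),
                  key=_order)


def render_rules(endpoint_ip, flavour):
    """natd.conf lines that satisfy one flavour for one inside host."""
    out = []
    for proto, port in sorted(REQUIREMENTS[flavour], key=_order):
        if port is None:
            out.append(f"redirect_proto {proto} {endpoint_ip}")
        else:
            out.append(f"redirect_port {proto} {endpoint_ip}:{port} {port}")
    return out


if __name__ == "__main__":
    rules, conflicts = parse_natd_conf(SAMPLE_CONF)
    for flavour in REQUIREMENTS:
        print(flavour, "missing:", missing_redirects(rules, "192.168.1.20", flavour))
    # A second inside host claiming the same public port is exactly the
    # situation the post says needs a second natd (or a second public IP).
    two_hosts = SAMPLE_CONF + "redirect_port udp 192.168.1.21:4500 4500\n"
    print("conflicts:", parse_natd_conf(two_hosts)[1])
    print("\n".join(render_rules("192.168.1.20", "ipsec-raw")))
```

Run it against your own natd.conf (read the file into `parse_natd_conf`) before assuming a client's failure to connect is a VPN-side problem: a missing raw ESP or GRE redirect produces an IKE that completes and a tunnel that then passes no traffic, which is the same symptom a bad VPN config gives.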