RE: FreeBSD Firewall + NAT Traversal + IPsec

From: Vince (jhary_at_unsane.co.uk)
Date: 04/09/05

  • Next message: John Mok: "Re: FreeBSD Firewall + NAT Traversal + IPsec"
    To: "'John Mok'" <jmok@attglobal.net>, <freebsd-net@freebsd.org>
    Date: Sat, 9 Apr 2005 14:37:24 +0100
    
    

    I do this with the Cisco VPN client (to a PIX); I am firewalling with pf.

    Client --- FreeBSD firewall+NAT using pf --- internet - PIX

    The only problem I had was that isakmp needs to come from
    port 500 as well as go to port 500, so I needed to add a rule
    to stop pf changing the source port. My nat rules are:

        nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
                to any -> ($ext_if:0) port 500
        nat on $ext_if from $int_net to any -> $ext_addr1

    Haven't tried Checkpoint though.

    Vince
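A fuller pf.conf fragment in the same spirit, added here as an example and not taken from Vince's post or from any vendor documentation: it uses pf's static-port option to achieve what the port = 500 -> port 500 rule above does, and also keeps the source port for the IKE NAT-T port (udp/4500) and lets ESP out. The interface names, the 192.168.0.0/16 internal network and the public address are assumptions.

```pf
# Constructed pf.conf fragment (not from the original post).
# Assumed names: fxp0 = external interface, fxp1 = internal interface,
# 203.0.113.10 = placeholder public address of the firewall.
ext_if    = "fxp0"
int_if    = "fxp1"
int_net   = "192.168.0.0/16"
ext_addr1 = "203.0.113.10"

# Weak: a single catch-all nat rule may rewrite the UDP source port of IKE,
# so the VPN gateway sees isakmp arriving from a port other than 500 and
# may refuse or mis-handle the exchange.
#   nat on $ext_if from $int_net to any -> $ext_addr1

# Corrected: pf nat rules are first-match, so translate IKE (udp/500) and
# IKE NAT-T (udp/4500) first with static-port, which keeps the client's
# source port intact, then translate everything else as usual.
nat on $ext_if inet proto udp from $int_net to any port { 500, 4500 } \
        -> $ext_addr1 static-port
nat on $ext_if from $int_net to any -> $ext_addr1

# Let the VPN traffic out and keep state so replies return to the client.
# ESP (IP protocol 50) has no ports, so state is keyed on addresses only.
pass out on $ext_if inet proto udp to any port { 500, 4500 } keep state
pass out on $ext_if inet proto esp to any keep state
```

Without NAT-T (udp/4500 encapsulation) only one internal client can talk to a given VPN gateway at a time, because ESP carries no ports for pf to multiplex several clients on; a second client to the same peer will also collide on the fixed source port 500.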

    > -----Original Message-----
    > From: owner-freebsd-net@freebsd.org
    > [mailto:owner-freebsd-net@freebsd.org] On Behalf Of John Mok
    > Sent: 07 April 2005 17:15
    > To: freebsd-net@freebsd.org
    > Subject: FreeBSD Firewall + NAT Traversal + IPsec
    >
    > Hi,
    >
    > I'm new to FreeBSD. Is it possible to make a FreeBSD box with
    > firewall + NAT, such that client PC(s) from the NATed
    > internal network could connect to a VPN gateway on the Internet :-
    >
    > client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
    > 192.168.x.x/16                                           (e.g. Checkpoint FW-1)
    > (VPN client)
    >
    > I hope someone could help to advise what software is required
    > on the FreeBSD box to make NAT traversal work and where to get the
    > HOWTO(s)?
    >
    > Thanks a lot.
    >
    > John Mok
    >
    > _______________________________________________
    > freebsd-net@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    >
