Re: how to configure a FreeBSD firewall to pass IPSec?

From: Greg White (gregw-freebsd-security@greg.cex.ca)
Date: Wed Apr 30 2003 - 14:35:01 CDT

On Wed Apr 04/30/03, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton <guy@obstruction.com> writes:
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
> It's impossible. IPSEC can't be passed through a NAT.

That totally depends on what the endpoint is, and what the IPSEC client
supports. Nortel and Cisco (and most other commercial IPSEC device
vendors AFAIK) support this draft:


NAT traversal through IKE is now a reality. The vendor's documentation
will detail what other ports must be passed, on either side, to fully
support this. ISTR that it requires an additional UDP port.

I have successfully (and repeatedly) used Nortel VPN client on a NATed
host through a FreeBSD gateway.

Greg White
freebsd-security@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
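The "additional UDP port" Greg recalls is UDP 4500: once NAT traversal is negotiated, IKE floats from UDP 500 to UDP 4500 and ESP is wrapped in UDP 4500 datagrams (RFC 3948), which is what lets the traffic cross a NAT gateway that cannot forward raw ESP. The script below is an added example, not code from the thread or from any vendor; it classifies the payload of a UDP/4500 datagram (IKE behind the 4-byte zero non-ESP marker, UDP-encapsulated ESP, or a one-byte NAT keepalive) and extracts the fields a gateway operator would want to log when checking that the VPN client's traffic is really passing. The sample datagrams are constructed inline.

```python
"""Classify IPsec NAT-T (UDP/4500) payloads per RFC 3948.

Added example, not from the mailing-list thread. The three sample payloads
below are constructed here for illustration.
"""
import struct

IKE_PORT = 500          # ISAKMP / IKE before NAT detection
NAT_T_PORT = 4500       # IKE with non-ESP marker + UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ISAKMP_HEADER_LEN = 28  # fixed-size IKE header
IKEV2_SA_INIT = 34      # IKEv2 exchange type for IKE_SA_INIT


def classify_nat_t_payload(payload: bytes) -> dict:
    """Describe one UDP/4500 payload as seen by a firewall or NAT box.

    RFC 3948: a single 0xFF byte is a NAT keepalive; four zero bytes mark
    an IKE message (an ESP SPI of zero is never used for a live SA); anything
    else is UDP-encapsulated ESP whose first 8 bytes are SPI and sequence.
    """
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (init_spi, resp_spi, next_payload, version, exch_type,
         flags, msg_id, length) = struct.unpack("!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": init_spi.hex(),
            "responder_spi": resp_spi.hex(),
            "version": version >> 4,          # 1 = IKEv1, 2 = IKEv2
            "exchange_type": exch_type,
            "initiator": bool(flags & 0x08),  # IKEv2 'I' flag
            "message_id": msg_id,
            "declared_length": length,
        }
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}


def summarize(datagrams) -> list:
    """Turn (src, dst, payload) tuples into one log-style line each."""
    lines = []
    for src, dst, payload in datagrams:
        info = classify_nat_t_payload(payload)
        detail = ", ".join(f"{k}={v}" for k, v in info.items() if k != "kind")
        lines.append(f"{src} -> {dst}:{NAT_T_PORT} {info['kind']} {detail}".rstrip())
    return lines


# Constructed sample payloads (not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 33, 0x20, IKEV2_SA_INIT, 0x08, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for line in summarize([
        ("192.0.2.10", "198.51.100.1", SAMPLE_IKE),
        ("192.0.2.10", "198.51.100.1", SAMPLE_ESP),
        ("192.0.2.10", "198.51.100.1", SAMPLE_KEEPALIVE),
    ]):
        print(line)
```

Run against real traffic, the useful check is that both kinds appear after the tunnel comes up: only IKE on 4500 but no esp-in-udp usually means the gateway is passing the key exchange but the data path is blocked; only ESP (IP protocol 50) with nothing on 4500 means the client never negotiated NAT-T and the NAT box will have to forward raw ESP itself.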