Re: how to configure a FreeBSD firewall to pass IPSec?

From: Greg White (gregw-freebsd-securitygreg.cex.ca)
Date: Wed Apr 30 2003 - 14:35:01 CDT


On Wed Apr 04/30/03, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton <guyobstruction.com> writes:
>
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's impossible. IPSEC can't be passed through a NAT.

That totally depends on what the endpoint is, and what the IPSEC client
supports. Nortel and Cisco (and most other commercial IPSEC device
vendors AFAIK) support this draft:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt

NAT traversal through IKE is now a reality. The vendor's documentation
will detail what other ports must be passed, on either side, to fully
support this. ISTR that it requires an additional UDP port.

I have successfully (and repeatedly) used Nortel VPN client on a NATed
host through a FreeBSD gateway.

--
Greg White
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
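The "additional UDP port" Greg recalls is UDP 4500: the NAT-T draft he links keeps IKE on UDP 500 until both peers detect a NAT in the path, then floats IKE to UDP 4500 and carries ESP inside UDP 4500 as well, so the gateway never has to forward raw IP protocol 50. The decoder below is an added example (not code from the thread or from any vendor) that shows what a FreeBSD gateway operator would see on those two ports and how to tell the three kinds of 4500 traffic apart: an IKE message prefixed with the four-zero-byte "non-ESP marker", a UDP-encapsulated ESP packet that starts with its non-zero SPI, and the one-byte 0xFF NAT keepalive. All datagrams are constructed inline; the SPIs and exchange-type table are illustrative values, not captures.

```python
"""Classify what travels over the two UDP ports used by IPsec NAT traversal.

Added example, not part of the original mailing-list post. Facts relied on:
IKE uses UDP 500; draft-ietf-ipsec-nat-t-ike (later RFC 3947/3948) moves IKE
to UDP 4500 once a NAT is detected and tunnels ESP over UDP 4500 too. On 4500
an IKE message carries a 4-byte zero "non-ESP marker", UDP-encapsulated ESP
begins with its (never zero) SPI, and a 1-byte 0xFF datagram is a keepalive.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP/IKE fixed header: initiator SPI, responder SPI, next payload,
# version (major<<4 | minor), exchange type, flags, message id, total length
IKE_HDR = struct.Struct("!QQBBBBII")

# A few exchange types, enough to label the constructed samples below.
EXCHANGE_NAMES = {2: "main-mode", 4: "aggressive", 32: "quick-mode",
                  34: "sa-init", 35: "auth"}


@dataclass
class Classified:
    kind: str                 # "ike", "esp-in-udp", "nat-keepalive" or "unknown"
    detail: str = ""
    spi: Optional[int] = None # IKE initiator SPI or ESP SPI, when applicable


def parse_ike(msg: bytes) -> Classified:
    """Decode the fixed IKE header and sanity-check its length field."""
    if len(msg) < IKE_HDR.size:
        return Classified("unknown", "short IKE header")
    i_spi, _r_spi, _nxt, version, exch, _flags, _msg_id, length = IKE_HDR.unpack_from(msg)
    if length != len(msg):
        return Classified("unknown", "IKE length field does not match datagram")
    major = version >> 4
    name = EXCHANGE_NAMES.get(exch, "exchange-%d" % exch)
    return Classified("ike", "IKEv%d %s" % (major, name), i_spi)


def classify_udp_payload(dst_port: int, payload: bytes) -> Classified:
    """Say what an IPsec-related UDP datagram is, given its destination port."""
    if dst_port == IKE_PORT:
        return parse_ike(payload)          # plain IKE, no marker on port 500
    if dst_port != NAT_T_PORT:
        return Classified("unknown", "not an IPsec port")
    if payload == NAT_KEEPALIVE:
        return Classified("nat-keepalive")
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[len(NON_ESP_MARKER):])
    if len(payload) < 8:
        return Classified("unknown", "too short for UDP-encapsulated ESP")
    spi, seq = struct.unpack_from("!II", payload)   # ESP header: SPI, sequence
    return Classified("esp-in-udp", "seq=%d" % seq, spi)


# Constructed sample datagrams (port, payload), in the order a NAT-T session
# produces them: phase 1 on 500, then everything floats to 4500.
SAMPLE_FLOWS = [
    (500, IKE_HDR.pack(0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HDR.size)),
    (4500, NON_ESP_MARKER
           + IKE_HDR.pack(0x1122334455667788, 0x99AABBCCDDEEFF00, 8, 0x10, 32, 1,
                          0x1234, IKE_HDR.size)),
    (4500, b"\x00\x00\xab\xcd" + struct.pack("!I", 1) + b"\x9f" * 40),
    (4500, NAT_KEEPALIVE),
]


def summarize(flows):
    """Return the sorted (port, kind) pairs seen: the traffic a gateway must pass."""
    return sorted({(port, classify_udp_payload(port, p).kind) for port, p in flows})


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        c = classify_udp_payload(port, payload)
        print("udp/%-4d %-14s %s spi=%s" % (port, c.kind, c.detail, c.spi))
    print(summarize(SAMPLE_FLOWS))
```

Run it and the summary comes out as IKE on 500 plus IKE, ESP-in-UDP and keepalives on 4500, which is the whole list of what a NAT-T capable client needs: UDP destination ports 500 and 4500 in both directions, with the gateway's NAT free to rewrite the client's source port (the float to 4500 exists precisely so that rewrite is survivable). No rule for IP protocol 50 is needed in this mode; if a client falls back to raw ESP because the far end lacks NAT-T support, the original "can't be passed" answer applies again.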