NAT-T support in FreeBSD + PF

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Tue Apr 24 15:12:17 UTC 2007


On Tue, Apr 24, 2007 at 08:43:29PM +0800, John Mok wrote:
> Hi,

Hi.

> I would like to build a NAT firewall box using FreeBSD + PF at work.
> However, I hope someone could advise if PF could support NAT-T, such 
> that the IPSec client connections (e.g. a visitor notebook with IPSec 
> client) inside the company Intranet could successfully connect passing 
> through the NAT box to the Internet IPSec gateway (e.g. the home network 
> of a visitor).

Your PF will "just" see two UDP pseudo-sessions (one on dport 500 for
the beginning of the negotiation, one on dport 4500 for all the
remaining negotiations and for all traffic), so there is no need for
specific NAT-T support; you just need to allow outgoing UDP traffic to
port 500/4500, and incoming replies.

That was the main goal of NAT-T: routers/NAT devices on the way just
have to work as usual....



Yvan.

-- 
NETASQ
http://www.netasq.com
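A ruleset illustrating the reply above, added here as an example and not part of the original post. The interface names, the internal subnet and the use of the firewall's own external address for NAT are assumptions; adapt them to the actual box. The only NAT-T-specific requirement is that UDP 500 and UDP 4500 get out and that their replies are matched by state:

```pf
# Added example pf.conf (not from the original post). Interface names and
# the internal subnet are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Rewrite internal sources to the firewall's external address. PF remaps
# the source port; NAT-T tolerates this because the IKE peers detect the
# NAT during the port-500 exchange and move to UDP 4500 for the rest.
nat on $ext_if from $int_net to any -> ($ext_if)

block all

# IKE (UDP 500) and NAT-T / ESP-in-UDP (UDP 4500) from the inside.
# "keep state" creates the entry that lets the replies back in, so no
# separate "pass in on $ext_if" rule is needed for the return traffic.
pass in  on $int_if proto udp from $int_net  to any port { 500, 4500 } keep state
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state

# Ordinary outbound traffic for the rest of the LAN.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch the two UDP states appear with `pfctl -s state | grep -E ':(500|4500)'` while the notebook connects. Because the traffic after the NAT detection is all UDP 4500, several notebooks behind the same box can reach the same remote gateway at once, each with its own remapped source port; no `static-port` trickery on the nat rule is required for NAT-T-capable peers.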

