how to configure a FreeBSD firewall to pass IPSec?
Greg White
gregw-freebsd-security at greg.cex.ca
Wed Apr 30 12:34:39 PDT 2003
On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton <guy at obstruction.com> writes:
>
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's impossible. IPSEC can't be passed through a NAT.
That totally depends on what the endpoint is, and what the IPSEC client
supports. Nortel and Cisco (and most other commercial IPSEC device
vendors AFAIK) support this draft:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt
NAT traversal through IKE is now a reality. The vendor's documentation
will detail what other ports must be passed, on either side, to fully
support this. ISTR that it requires an additional UDP port.
I have successfully (and repeatedly) used Nortel VPN client on a NATed
host through a FreeBSD gateway.
--
Greg White
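The NAT-traversal mechanism Greg refers to works by moving IKE and ESP onto a second UDP port once the peers detect a NAT between them, so that the gateway sees ordinary UDP flows it can translate instead of port-less ESP (IP protocol 50). The following is an added illustration, not code from the thread or from any vendor's client; it assumes the framing later standardised from the NAT-T drafts (RFC 3947/3948): UDP/4500 carries IKE prefixed with a four-byte zero "non-ESP marker", UDP-encapsulated ESP starting directly with its non-zero SPI, and a one-byte 0xFF keepalive. The sample datagrams are constructed for the demo.

```python
"""Demultiplex IPsec NAT-traversal traffic and explain what a NAT can do with it.

Added example, not part of the freebsd-security thread. Framing assumed from
RFC 3947/3948 (the successors of draft-ietf-ipsec-nat-t-ike); sample
datagrams below are constructed, not captured.
"""
import struct

IKE_PORT = 500          # plain IKE before NAT detection
NAT_T_PORT = 4500       # IKE + UDP-encapsulated ESP after NAT detection
UDP_PROTO = 17
ESP_PROTO = 50          # raw ESP: no transport header, hence no ports
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def build_ike_header(spi_i: int, spi_r: int, exchange: int, msg_id: int,
                     length: int) -> bytes:
    """Pack a 28-byte ISAKMP/IKE header (next payload 33 = SA, version 2.0)."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, 33, 0x20, exchange,
                       0x08, msg_id, length)


# Constructed sample datagrams as they would appear on UDP/4500.
SAMPLE_IKE = NON_ESP_MARKER + build_ike_header(0x1122334455667788, 0, 34, 0, 28)
SAMPLE_UDP_ESP = struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16  # SPI, seq, ciphertext


def classify_nat_t(payload: bytes) -> str:
    """Classify the payload of one UDP datagram received on port 4500."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"   # zero marker, then the IKE header
    # ESP begins with its SPI, and SPI 0 is reserved, which is exactly what
    # makes the two framings distinguishable on the same port.
    return "udp-esp"


def nat_disposition(proto: int, dport: int, payload: bytes) -> str:
    """Describe how a port-translating NAT gateway can treat one packet."""
    if proto == ESP_PROTO:
        # Raw ESP has no port fields, so a NAPT box has nothing to rewrite and
        # nothing to key a reverse mapping on: the case the first reply means.
        return "raw ESP: no port fields, cannot be port-translated"
    if proto != UDP_PROTO:
        return "not IPsec-related"
    if dport == IKE_PORT:
        return "IKE over UDP/500: translatable, peers detect the NAT in phase 1"
    if dport == NAT_T_PORT:
        return f"UDP/4500 {classify_nat_t(payload)}: translatable like any UDP flow"
    return "other UDP"


if __name__ == "__main__":
    for proto, port, data in [(ESP_PROTO, 0, b""), (UDP_PROTO, IKE_PORT, b""),
                              (UDP_PROTO, NAT_T_PORT, SAMPLE_IKE),
                              (UDP_PROTO, NAT_T_PORT, SAMPLE_UDP_ESP),
                              (UDP_PROTO, NAT_T_PORT, NAT_KEEPALIVE)]:
        print(f"proto={proto:<3} dport={port:<5} -> {nat_disposition(proto, port, data)}")
```

For the gateway this means the firewall only needs to let UDP/500 and UDP/4500 out and keep their state; the translated flows return to the right inside host on the reverse mapping, which is why a NAT-T-capable client works where raw ESP does not.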