IPSec VPN & NATD (problem with alias_address vs redirect_address)

Thomas S. Crum tscrum at 1wisp.com
Thu Nov 13 12:23:48 PST 2003


It's my understanding that certain IPSEC does not encrypt the entire
packet, leaving the header to be mangled by nat or whatever and refused
by the IPSEC machine that you are connecting to.  I believe therein your
problem lies.

Best,

Tom

-----Original Message-----
From: owner-freebsd-ipfw at freebsd.org
[mailto:owner-freebsd-ipfw at freebsd.org] On Behalf Of Vincent Goupil
Sent: Thursday, November 13, 2003 12:46 PM
To: 'freebsd-ipfw at freebsd.org'; 'freebsd-net at freebsd.org'; 'freebsd-isp at freebsd.org'
Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address)

I set up a firewall with ipfw2 and natd on FreeBSD 4.9-RELEASE.

I have mapped my subnet with alias_address.
I have mapped 4 private IP addresses to 4 public IP addresses.

Everything is working fine (web, email, ftp, etc.) for outgoing and
incoming connections for anyone on my network.

With this configuration, 5 people at a time (on my network) could dial
to the same VPN server:
4 with different IPs and one with the alias_address. I supposed that
only one person at a time can use the alias_address with the IPSec VPN
(I think, tell me if I'm wrong).

I have authorized AH and ESP to pass through my firewall,
and also incoming UDP 500.

I'm able to use the VPN for the people mapped with alias_address.
I can't use the VPN with the people using the redirect_address.

Is there any problem with the redirect_address directive with natd for
the protocol 51 and 51?

Is there any other way to have these 5 people at the same time
communicate with the same VPN server?
I thought that I could use the redirect_address to do that, so the
incoming connection to the VPN server appears from a different IP source address.

Vincent Goupil
Administrateur réseau / Network administrator
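Tom's point about the header being mangled, modelled in an added Python example that is not part of the thread: AH (protocol 51) computes its integrity check value over the IP source and destination addresses, so natd rewriting the source address (whether via alias_address or redirect_address) invalidates the ICV, while a router's TTL decrement does not. The key, addresses and payload are constructed for the demo; the IP header checksum is left at zero for brevity.

```python
# Model of RFC 2402 AH integrity checking under NAT (constructed demo, not FreeBSD code).
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

AH_PROTO = 51                  # IP protocol number for AH (ESP is 50)
AH_LEN = 24                    # AH header with a 96-bit HMAC-SHA1 ICV (RFC 2404)
KEY = b"constructed-demo-key"  # constructed; not a real SA key


def ipv4_header(src, dst, payload_len, ttl=64):
    """20-byte IPv4 header carrying AH; header checksum left as 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, ttl,
                       AH_PROTO, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_scope(ip_hdr, ah_hdr, payload):
    """Bytes the AH ICV covers: IP header with mutable fields (TOS, flags, TTL,
    checksum) zeroed but src/dst addresses kept, AH header with ICV zeroed, payload."""
    immutable_ip = (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
                    + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])
    return immutable_ip + ah_hdr + b"\x00" * 12 + payload


def build_ah_packet(src, dst, payload, key, spi=0x1000, seq=1):
    ip_hdr = ipv4_header(src, dst, AH_LEN + len(payload))
    # next header (17 = UDP for the demo), payload length in 32-bit words minus 2,
    # reserved, SPI, sequence number
    ah_hdr = struct.pack("!BBHII", 17, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, ah_scope(ip_hdr, ah_hdr, payload), hashlib.sha1).digest()[:12]
    return ip_hdr + ah_hdr + icv + payload


def verify_ah(packet, key):
    """What the receiving IPsec peer does: recompute the ICV and compare."""
    ip_hdr, ah_hdr, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = hmac.new(key, ah_scope(ip_hdr, ah_hdr, payload), hashlib.sha1).digest()[:12]
    return hmac.compare_digest(expected, icv)


def natd_rewrite_source(packet, new_src):
    """What natd's alias_address/redirect_address does: replace the source address."""
    return packet[:12] + IPv4Address(new_src).packed + packet[16:]


def router_decrement_ttl(packet):
    """Ordinary forwarding: TTL is a mutable field, so AH tolerates the change."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]
```

ESP (protocol 50) does not cover the outer IP header, so it survives the address rewrite; its remaining problem with a single alias_address is that natd has no port to tell two ESP flows to the same server apart.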