FreeBSD Firewall + NAT Traversal + IPsec
Tom Skeren
tms3 at fsklaw.com
Thu Apr 7 10:44:50 PDT 2005
John Mok wrote:
> Dear Tom,
>
> Thank you for your quick reply.
>
> I would like to know more on the issue. To my understanding, since the
> source address of the IP packet from the client would be modified on
> the NAT, normally it would fail AH check on the IPsec VPN gateway, or
> the FreeBSD NAT has built-in compliance with RFC3947?

Yeah, that's correct, and I don't think traversal is supported in FBSD.
However, you might be able to use ipsec and racoon to tunnel the NAT to
the vpn. I don't know what device is at the other end of the tunnel. I
have a 7 office wan tunneled with FreeBSD gateways. Works real spiffy.
You might look into that option.

>
> Thank you, John Mok
>
>
> Tom Skeren wrote:
>
>> John Mok wrote:
>>
>>> Hi,
>>>
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall
>>> + NAT, such that client PC(s) from the NATed internal network could
>>> connect to a VPN gateway on the Internet :-
>>>
>>> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>> 192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>>> (VPN client)
>>>
>>> I hope someone could help to advise what software is required on the
>>> FreeBSD box to make NAT traversal work and where to get the HOWTO(s)?
>>
>>
>>
>> Should be no problem.
>>
>> <http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html>
>>
>>
>>>
>>> Thanks a lot.
>>>
>>> John Mok
>>>
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>
>>
>
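
Added example (not part of the original thread): a minimal Python model of the point discussed above, that AH authenticates the IP source address while ESP's integrity check does not cover the outer IP header. The key, addresses, SPIs and payload are constructed sample values, and HMAC-SHA1-96 is assumed as the integrity algorithm.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"        # constructed sample SA key
PAYLOAD = b"constructed payload"     # stands in for the protected data

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left 0 because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def forward(hdr, nat_src=None):
    """One hop: always decrement TTL; a NAT hop also rewrites the source."""
    b = bytearray(hdr)
    b[8] -= 1
    if nat_src:
        b[12:16] = socket.inet_aton(nat_src)
    return bytes(b)

def ah_icv(hdr, ah_fixed, payload):
    """AH ICV input: IP header (mutable fields zeroed), AH (ICV zeroed), payload."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    data = bytes(b) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96

def esp_icv(esp_hdr, ciphertext):
    """ESP ICV input: SPI, sequence number and ciphertext; no outer IP header."""
    return hmac.new(KEY, esp_hdr + ciphertext, hashlib.sha1).digest()[:12]

def gateway_verdict(nat_src=None):
    """Return (ah_ok, esp_ok) as the VPN gateway would compute them."""
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1)   # next hdr, len, rsvd, SPI, seq
    esp_hdr = struct.pack("!II", 0x2002, 1)                # SPI, seq
    ah_ip = ipv4_header("192.168.1.10", "203.0.113.5", 51, 24 + len(PAYLOAD))
    sent_ah, sent_esp = ah_icv(ah_ip, ah_fixed, PAYLOAD), esp_icv(esp_hdr, PAYLOAD)
    ah_rx = forward(ah_ip, nat_src)       # IP header as received by the gateway
    # The ESP ICV never includes the outer IP header, so the hop cannot change it.
    return (hmac.compare_digest(sent_ah, ah_icv(ah_rx, ah_fixed, PAYLOAD)),
            hmac.compare_digest(sent_esp, esp_icv(esp_hdr, PAYLOAD)))

if __name__ == "__main__":
    print("plain router:", gateway_verdict())
    print("NAT hop     :", gateway_verdict("198.51.100.7"))
```

ESP passing its integrity check here does not by itself mean it crosses a port-translating NAT; that is the problem the NAT-Traversal negotiation in RFC 3947 addresses.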