FreeBSD Firewall + NAT Traversal + IPsec

Tom Skeren tms3 at fsklaw.com
Thu Apr 7 10:44:50 PDT 2005


John Mok wrote:

> Dear Tom,
>
> Thank you for your quick reply.
>
> I would like to know more on the issue. To my understanding, since the
> source address of the IP packet from the client would be modified on
> the NAT, normally it would fail the AH check on the IPsec VPN gateway, or
> does the FreeBSD NAT have built-in compliance with RFC 3947?

Yeah, that's correct, and I don't think traversal is supported in FBSD.
However, you might be able to use IPsec and racoon to tunnel the NAT to
the VPN.  I don't know what device is at the other end of the tunnel.  I
have a 7-office WAN tunneled with FreeBSD gateways.  Works real spiffy.
You might look into that option.

>
> Thank you,   John Mok
>
>
> Tom Skeren wrote:
>
>> John Mok wrote:
>>
>>> Hi,
>>>
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall
>>> + NAT, such that client PC(s) from the NATed internal network could
>>> connect to a VPN gateway on the Internet :-
>>>
>>>  client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>>  192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>>>  (VPN client)
>>>
>>> I hope someone could help to advise what software is required on the
>>> FreeBSD box to make NAT traversal work and where to get the HOWTO(s)?
>>
>> Should be no problem.
>>
>> <http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html> 
>>
>>> Thanks a lot.
>>>
>>> John Mok
>>>
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>


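A worked example of the racoon + setkey site-to-site tunnel Tom suggests, added here as an illustration; it is not from the thread, the FreeBSD Handbook or the ipsec-tools project. The gateway and subnet addresses are assumed (TEST-NET ranges), the script only writes the configuration files into a scratch directory and does not load them, and the kernel options named in the comments are those of the FreeBSD releases of this thread's era. Because the tunnel terminates on the FreeBSD gateway itself, the AH-over-NAT problem John raises does not arise: ESP in tunnel mode between the two gateways does not authenticate the outer IP header, and with public addresses on both gateways there is no NAT between the peers to rewrite it.

```shell
#!/bin/sh
# Added example (not from the list thread): generate the setkey(8) SPD and
# the racoon.conf for a site-to-site ESP tunnel between two FreeBSD gateways.
# Assumed addresses: gateway A 203.0.113.1 fronting 192.168.1.0/24, gateway B
# 198.51.100.2 fronting 192.168.2.0/24. The kernel needs IPsec support
# (options IPSEC and, on FreeBSD 5.x, options IPSEC_ESP); racoon comes from
# the security/ipsec-tools port.

# Print SPD entries: ESP in tunnel mode, required in both directions.
# $1 local gateway, $2 remote gateway, $3 local subnet, $4 remote subnet
gen_spd() {
    cat <<EOF
flush;
spdflush;
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# Print a racoon.conf: IKEv1 main mode, pre-shared key, PFS for phase 2.
# $1 local gateway, $2 remote gateway, $3 local subnet, $4 remote subnet
gen_racoon_conf() {
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote $2 {
        exchange_mode main;
        my_identifier address $1;
        peers_identifier address $2;
        proposal_check obey;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

sainfo address $3 any address $4 any {
        pfs_group modp2048;
        lifetime time 8 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Write ipsec.conf, racoon.conf and a psk.txt placeholder into a directory
# ($5, default a fresh mktemp dir) and print that directory.
write_site_config() {
    outdir=${5:-$(mktemp -d)}
    gen_spd "$1" "$2" "$3" "$4" > "$outdir/ipsec.conf"
    gen_racoon_conf "$1" "$2" "$3" "$4" > "$outdir/racoon.conf"
    # psk.txt maps the peer address to the shared secret; racoon refuses to
    # start unless the file is readable only by its owner.
    printf '%s %s\n' "$2" "replace-with-a-long-random-secret" > "$outdir/psk.txt"
    chmod 600 "$outdir/psk.txt"
    echo "$outdir"
}

# Run on gateway A; on gateway B swap the local/remote arguments.
dir=$(write_site_config 203.0.113.1 198.51.100.2 192.168.1.0/24 192.168.2.0/24)
echo "Generated in $dir. To install on the gateway:"
echo "  setkey -f $dir/ipsec.conf   (or ipsec_enable=\"YES\" / ipsec_file in rc.conf)"
echo "  cp $dir/racoon.conf $dir/psk.txt /usr/local/etc/racoon/"
echo "  racoon_enable=\"YES\" in rc.conf, then check with: setkey -D ; setkey -DP"
```

Once both ends are up, `setkey -DP` shows the installed policies and `setkey -D` shows the negotiated SAs; if traffic from 192.168.1.0/24 to 192.168.2.0/24 does not trigger an IKE exchange in racoon's log, the SPD on the sending gateway is the first thing to check.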