FreeBSD Firewall + NAT Traversal + IPsec

Vince Hoffman jhary at unsane.co.uk
Sat Apr 9 09:59:28 PDT 2005



On Sat, 9 Apr 2005, John Mok wrote:

>
> To my understanding, the mechanism of how NAT works is that the client 
> connections from the intranet are mapped to separate ports on the NAT with 
> one single IP address by means of a mapping table, such that the reply packet 
> from the outside to the NAT can be reverse-mapped to the respective 
> client connections. If there is more than one VPN client being NATed to the 
> VPN gateway, and all client ISAKMP connections to port 500 are mapped to port 
> 500 on the external interface of the NAT, then how could the NAT reverse-map 
> the ISAKMP replies to the clients unambiguously?
>
Sorry, the one caveat I forgot is that I can only have one VPN session at a 
time. If you are likely to have multiple users using the VPN at one 
time then it won't work. If you have multiple VPN users accessing the same 
Checkpoint then have a look at making a LAN-to-LAN tunnel, see:
http://www.freebsd.org/doc/en/articles/checkpoint/
It's a little old and you need to do some config on the Checkpoint, but it's 
a good starting point.


Vince

> John Mok
>
>
> Vince wrote:
>
>> I do this with the Cisco VPN client (to a PIX); I am firewalling with pf. 
>> Client --- FreeBSD firewall+NAT using pf --- internet --- PIX
>> 
>> The only problem I had was that ISAKMP needs to come from port 500 as well 
>> as go to port 500, so I needed to add a rule to stop pf changing the source 
>> port. My nat rules are:
>> 
>>   # keep the source port of ISAKMP traffic at 500 on the way out
>>   nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
>>       to any -> ($ext_if:0) port 500
>>   # everything else gets ordinary port-rewriting NAT
>>   nat on $ext_if from $int_net to any -> $ext_addr1
>> 
>> Haven't tried Checkpoint though.
>> 
>> Vince
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org] 
>>> On Behalf Of John Mok
>>> Sent: 07 April 2005 17:15
>>> To: freebsd-net at freebsd.org
>>> Subject: FreeBSD Firewall + NAT Traversal + IPsec
>>> 
>>> Hi,
>>> 
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall + NAT, 
>>> such that client PC(s) from the NATed internal network could connect to a 
>>> VPN gateway on the Internet:
>>> 
>>>  client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>>  192.168.x.x/16                                             (e.g. Checkpoint FW-1)
>>>  (VPN client)
>>> 
>>> I hope someone could advise what software is required on the 
>>> FreeBSD box to make NAT traversal work, and where to get the HOWTO(s)?
>>> 
>>> Thanks a lot.
>>> 
>>> John Mok
>>> 
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>> 
>>> 
>> 
>

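As an added illustration (not code from the thread), here is a small Python model of the NAT mapping table John describes: with Vince's source-port-preserving rule the first client keeps port 500 and the gateway's replies map back cleanly, but a second client behind the same NAT talking to the same gateway would need the same reverse key, which is exactly the ambiguity John asks about and the one-session-at-a-time caveat Vince notes. The addresses and the 50000 dynamic port range are constructed for the example.

```python
# Added example, not from the thread: a toy model of the NAT mapping table
# John Mok describes, showing why a port-500-preserving nat rule works for
# one IPsec client but cannot disambiguate a second one behind the same NAT.
# Addresses are constructed (RFC 5737 documentation ranges).
from typing import Optional, Tuple

ISAKMP = 500
GATEWAY = ("198.51.100.5", ISAKMP)   # constructed IPsec VPN gateway address


class NatTable:
    """Port-mapping NAT: inside (ip, port) -> one external port, per peer."""

    def __init__(self) -> None:
        self._out: dict = {}      # (proto, int_ip, int_port, peer) -> ext_port
        self._in: dict = {}       # (proto, ext_port, peer) -> (int_ip, int_port)
        self._next_port = 50000   # constructed start of the dynamic port range

    def outbound(self, proto: str, int_ip: str, int_port: int,
                 peer: Tuple[str, int], static_port: bool = False) -> Optional[int]:
        """Translate an outbound flow and return the external source port.
        Returns None when the reply key would already belong to another
        inside client (the static-port collision from the thread)."""
        key = (proto, int_ip, int_port, peer)
        if key in self._out:
            return self._out[key]                 # existing flow, reuse mapping
        ext_port = int_port if static_port else self._next_port
        if (proto, ext_port, peer) in self._in:
            return None                           # replies would be ambiguous
        if not static_port:
            self._next_port += 1                  # dynamic NAT picks a fresh port
        self._out[key] = ext_port
        self._in[(proto, ext_port, peer)] = (int_ip, int_port)
        return ext_port

    def inbound(self, proto: str, ext_port: int,
                peer: Tuple[str, int]) -> Optional[Tuple[str, int]]:
        """Reverse-map a reply from peer to the inside client, if known."""
        return self._in.get((proto, ext_port, peer))


def demo() -> dict:
    """Two VPN clients, both forced to keep source port 500 (static-port)."""
    nat = NatTable()
    first = nat.outbound("udp", "192.168.1.10", ISAKMP, GATEWAY, static_port=True)
    second = nat.outbound("udp", "192.168.1.11", ISAKMP, GATEWAY, static_port=True)
    return {"first_client": first, "second_client": second,
            "reply_to": nat.inbound("udp", ISAKMP, GATEWAY)}
```

Without static_port the model hands the second client a distinct external port, so replies are unambiguous, but the gateway then sees ISAKMP arriving from a port other than 500, which is the problem Vince's first rule was added to avoid.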
