FreeBSD Firewall + NAT Traversal + IPsec
Vince Hoffman
jhary at unsane.co.uk
Sat Apr 9 09:59:28 PDT 2005
On Sat, 9 Apr 2005, John Mok wrote:
>
> To my understanding, the mechanism of how NAT works is that the client
> connections from the intranet are mapped to separate ports on the NAT with
> one single IP address by means of a mapping table, such that the reply packet
> from the outside to the NAT can be reversely mapped to the respective
> client connections. If there is more than one VPN client being NATed to the
> VPN gateway, and all client isakmp connections to port 500 are mapped to port
> 500 on the external interface of the NAT, then how could the NAT reversely
> map the isakmp replies to the clients unambiguously?
>
Sorry, the one caveat I forgot is that I can only have one VPN session at a
time. If you are likely to have multiple users using the VPN at one
time then it won't work. If you have multiple VPN users accessing the same
Checkpoint then have a look at making a LAN to LAN tunnel, see:
http://www.freebsd.org/doc/en/articles/checkpoint/
It's a little old and you need to do some config on the Checkpoint, but it's
a good starting point.
Vince
> John Mok
>
>
> Vince wrote:
>
>> I do this with the cisco VPN client (to PIX), I am firewalling with pf.
>> Client --- FreeBSD firewall+NAT using pf --- internet - PIX
>>
>> The only problem I had was that isakmp needs to come from port 500 as well
>> as go to port 500, so I needed to add a rule to stop pf changing the source
>> port. My nat rules are:
>>
>> nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
>>     to any -> ($ext_if:0) port 500
>> nat on $ext_if from $int_net to any -> $ext_addr1
>>
>> Haven't tried Checkpoint though.
>>
>> Vince
>>
>>
>>
>>> -----Original Message-----
>>> From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org]
>>> On Behalf Of John Mok
>>> Sent: 07 April 2005 17:15
>>> To: freebsd-net at freebsd.org
>>> Subject: FreeBSD Firewall + NAT Traversal + IPsec
>>>
>>> Hi,
>>>
>>> I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall + NAT,
>>> such that client PC(s) from the NATed internal network could connect to a
>>> VPN gateway on the Internet :-
>>>
>>> client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
>>> 192.168.x.x/16                                            (e.g. Checkpoint FW-1)
>>> (VPN client)
>>>
>>> I hope someone could help to advise what software is required on the
>>> FreeBSD box to make NAT traversal work and where to get the HOWTO(s)?
>>>
>>> Thanks a lot.
>>>
>>> John Mok
>>>
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>
>>>
>>
>
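As an added illustration, not code from the thread or from pf itself, here is a small Python model of the NAT mapping table John describes: with ordinary source-port rewriting the ISAKMP exchange fails because a peer like the PIX expects the traffic to come from port 500, and with a rule that preserves port 500 one session works but a second client to the same gateway collides in the table, which is exactly the single-session caveat Vince mentions. The `Nat`, `negotiate` and `demo` names and all addresses are constructed for the example.

```python
from dataclasses import dataclass, field

ISAKMP = 500  # IKE/ISAKMP uses UDP 500 and, as the thread notes, must also *come from* 500


@dataclass
class Nat:
    """Constructed toy of a pf-style NAT table on one external address (not pf's code).
    State is keyed on (peer_ip, external_port) so a reply from peer_ip to that
    port can be reverse-mapped to exactly one inside client."""
    ext_ip: str
    keep_isakmp_port: bool = False  # emulate the 'port = 500 ... -> port 500' nat rule
    table: dict = field(default_factory=dict)
    next_port: int = 50001  # ephemeral pool used whenever the source port is rewritten

    def outbound(self, client, peer, sport, dport):
        """Translate one outbound UDP packet; returns the external source port."""
        if self.keep_isakmp_port and sport == ISAKMP and dport == ISAKMP:
            ext_port = ISAKMP  # leave the source port alone, as Vince's first rule does
        else:
            ext_port = self.next_port
            self.next_port += 1
        key = (peer, ext_port)
        if key in self.table and self.table[key] != client:
            # A second client to the same peer needs the same external port, so the
            # reply could no longer be mapped back unambiguously: John's objection.
            raise KeyError(f"{self.ext_ip}:{ext_port} <-> {peer} already maps to {self.table[key]}")
        self.table[key] = client
        return ext_port

    def inbound(self, peer, ext_port):
        """Reverse-map a reply from peer arriving at ext_ip:ext_port (None if unknown)."""
        return self.table.get((peer, ext_port))


def negotiate(nat, client, peer):
    """Outcome of one ISAKMP exchange through the NAT."""
    try:
        ext_port = nat.outbound(client, peer, ISAKMP, ISAKMP)
    except KeyError:
        return "nat-collision"
    if ext_port != ISAKMP:  # a peer like the PIX in the thread wants source port 500
        return "peer-rejected"
    return "ok" if nat.inbound(peer, ISAKMP) == client else "reply-lost"


def demo(keep_isakmp_port):
    """Two inside clients (constructed addresses) against the same VPN gateway."""
    nat = Nat("203.0.113.1", keep_isakmp_port=keep_isakmp_port)
    gateway = "198.51.100.10"
    return {c: negotiate(nat, c, gateway) for c in ("192.168.1.10", "192.168.1.11")}
```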