PF firewall NAT and Windows IPSEC tunnel

Chuck Swiger cswiger at mac.com
Thu Feb 14 19:32:55 UTC 2008


Hi--

On Feb 14, 2008, at 9:59 AM, Nerius Landys wrote:
> Howdy folks.  I have several computers behind a FreeBSD router (NAT
> 192.168.0.x using OpenBSD's PF) .  One of those computers is a Windows
> machine which is using software called "Cisco Systems VPN Client" to
> connect to some other computers outside of our internal network.
[ ... ]
> The following ports should be allowed through the local firewall:
> UDP port 500, port 10000
> ESP all ports
> AH all ports


When I was dealing with the Cisco VPN client, I was doing so with IPFW
+natd and not PF, but you need 500/udp, 4500/udp, 62515/udp, 1723/tcp,
10000/tcp, and the GRE protocol.  In my case, /etc/natd.conf contained:

punch_fw 10000:100
redirect_proto gre 10.1.1.247
redirect_port udp 10.1.1.247:500 500
redirect_port udp 10.1.1.247:4500 4500
redirect_port udp 10.1.1.247:62515 62515
redirect_port tcp 10.1.1.247:10000 10000
redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

-- 
-Chuck
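Since the original poster is on PF rather than IPFW+natd, here is a pf.conf fragment, added as an illustration and not part of Chuck's reply, that expresses the same port-forwarding in PF's (FreeBSD 7-era) rdr syntax. The interface name `em0` and the internal VPN client address `192.168.0.10` are placeholders; the port and protocol list comes from the reply above (UDP 500/4500/62515, TCP 10000 and 1723, GRE) plus the ESP/AH protocols the poster's own documentation lists. The `static-port` keyword on the outbound nat rule is an assumption about the remote IKE peer: some gateways reject IKE whose source port was rewritten away from 500, and keeping the source port fixed avoids that. Each rdr only exposes the forwarded port to the single internal host, so nothing else on the LAN becomes reachable.

```pf
# Added PF example: forward Cisco VPN client traffic to one internal host.
# Placeholders (assumed, not from the original post): em0, 192.168.0.10
ext_if   = "em0"
vpn_host = "192.168.0.10"
lan_net  = "192.168.0.0/24"

# Outbound NAT for the LAN. static-port keeps the source port unchanged,
# which matters for IKE (udp/500) peers that insist on a 500 -> 500 exchange.
nat on $ext_if from $lan_net to any -> ($ext_if) static-port

# Inbound: IKE, NAT-T and the extra UDP port listed in the reply above.
rdr pass on $ext_if proto udp from any to ($ext_if) port { 500, 4500, 62515 } -> $vpn_host

# Inbound TCP ports from the reply (10000 and pptp/1723).
rdr pass on $ext_if proto tcp from any to ($ext_if) port { 10000, 1723 } -> $vpn_host

# Protocols without ports: GRE (for PPTP), ESP and AH (for IPsec).
rdr pass on $ext_if proto gre from any to ($ext_if) -> $vpn_host
rdr pass on $ext_if proto esp from any to ($ext_if) -> $vpn_host
rdr pass on $ext_if proto ah  from any to ($ext_if) -> $vpn_host

# Let the redirected traffic and the client's outbound traffic through.
pass out on $ext_if keep state
pass in on $ext_if proto { udp, tcp, gre, esp, ah } from any to $vpn_host keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s nat` should list the rdr rules and `pfctl -s state` will show the UDP 500/4500 states once the client negotiates; if IKE never completes while only ESP/AH is missing, the tunnel negotiates but carries no traffic, which is the usual symptom of a missing protocol (not port) rule.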



More information about the freebsd-net mailing list