how to configure a FreeBSD firewall to pass IPSec?
Matt Piechota
piechota at argolis.org
Wed Apr 30 12:51:32 PDT 2003
On Wed, 30 Apr 2003, Lowell Gilbert wrote:
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's impossible. IPSEC can't be passed through a NAT.
Actually, that's not strictly true. I've done such a thing myself, but
with a trick: I blindly forwarded any packet from the tunnel-server to the
client.
The specifics:
$WORK uses a Bay (now Nortel) IPSEC VPN server. It's configured to do
tunnelling, and assign the client a dynamic address. To do the
forwarding, I set up a line like:
redirect_proto tcp clientip natgwextip vpnserverip
redirect_proto udp clientip natgwextip vpnserverip
in /etc/natd.conf (and set rc.conf to have natd look at that file). It
worked for me, although I suspect that if someone forged vpnserverip,
they could sneak packets to my client machine. The client uses Nortel's
client, but watching what I could using a sniffer, it looked like a fairly
normal IPSEC connect.
Oddly enough, I was just going to ask how I'd do that forward using ipfw,
ipfw2, or ipfilter, since I use ppp now and not natd. Or, can I use natd
with ppp if I don't 'ppp -nat ...'?
--
Matt Piechota
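As an added example (not part of the original thread), a small audit script for the natd.conf approach described above: it parses redirect_proto lines in the natd(8) syntax `redirect_proto proto localIP [publicIP [remoteIP]]` and flags the exposure the post worries about, namely blanket tcp/udp forwarding, missing remoteIP, and the fact that natd's remoteIP match is by source address and therefore forgeable. The sample configuration and its RFC 5737 addresses are constructed; the severity labels are this script's own convention.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# natd(8) syntax: redirect_proto proto localIP [publicIP [remoteIP]]
@dataclass
class RedirectProto:
    line_no: int
    proto: str
    local_ip: str
    public_ip: Optional[str] = None
    remote_ip: Optional[str] = None

def parse_natd_conf(text: str) -> List[RedirectProto]:
    # Extract redirect_proto directives; other natd options are skipped.
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()        # '#' starts a comment
        if not parts or parts[0] != "redirect_proto":
            continue
        if not 3 <= len(parts) <= 5:
            raise ValueError(f"line {n}: malformed redirect_proto: {raw.strip()}")
        for tok in parts[2:]:
            ipaddress.ip_address(tok)               # literal addresses only here
        rules.append(RedirectProto(n, parts[1].lower(), *parts[2:]))
    return rules

IPSEC_PROTOS = {"esp", "50", "ah", "51"}

def audit(rules: List[RedirectProto]) -> list:
    # Returns (line, severity, message) findings for IPsec passthrough rules.
    findings = []
    for r in rules:
        if r.remote_ip is None:
            findings.append((r.line_no, "high", f"{r.proto} from any source on "
                             f"the internet is forwarded to {r.local_ip}"))
            continue
        if r.proto not in IPSEC_PROTOS:
            findings.append((r.line_no, "medium", f"all {r.proto} from {r.remote_ip}"
                             " is forwarded; IPsec needs only esp plus udp/500 "
                             "(and udp/4500 for NAT-T) via redirect_port"))
        # natd matches remoteIP on the packet source address only, so it can be forged
        findings.append((r.line_no, "info", f"source {r.remote_ip} match is by source "
                         "address and is spoofable; keep the forwarded set minimal"))
    return findings

# Constructed sample: the post's two lines, with RFC 5737 documentation addresses
SAMPLE_NATD_CONF = """\
redirect_proto tcp 192.0.2.10 198.51.100.1 203.0.113.5  # clientip natgwextip vpnserverip
redirect_proto udp 192.0.2.10 198.51.100.1 203.0.113.5
redirect_proto esp 192.0.2.10                             # no remoteIP given
"""
```

Run `audit(parse_natd_conf(open("/etc/natd.conf").read()))` against a real file to list the findings for each line.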