Howdy folks.  I have several computers behind a FreeBSD router (NAT
192.168.0.x using OpenBSD's PF).  One of those computers is a Windows
machine which is using software called "Cisco Systems VPN Client" to connect
to some other computers outside of our internal network.  Our connection to
the outside world is DHCP via cable modem.  I can connect the Windows
machine directly to the cable modem, bypassing the FreeBSD router entirely;
the VPN works fine in this case.  However, when I try going through the
FreeBSD router I get dropped VPN connections after four to eight minutes;
the VPN works fine only when it first connects and for five minutes

  Secure VPN Connection terminated locally by the client.
  Reason 412: The remote peer is no longer responding.

We contacted the administrator on the other side and he said to do the

  The following ports should be allowed through the local firewall:
  UDP port 500, port 10000
  ESP all ports
  AH all ports

My original /etc/pf.conf:

  nat on $ext_if from $internal_net to any -> ($ext_if)

and I added these three lines (the Windows machine is

  rdr on $ext_if proto udp from any to ($ext_if) port {500,10000} ->
  rdr on $ext_if proto esp from any to ($ext_if) ->
  rdr on $ext_if proto ah from any to ($ext_if) ->

But the VPN connections still get dropped after five minutes.  Any ideas?

I'm also running a bridge between several network interfaces.
My /etc/sysctl.conf looks like this:,em1,fxp1,fxp2,fxp3

The interesting lines from /etc/rc.conf are:

  ifconfig_fxp3="inet netmask"

