On Sat, 9 Apr 2005, John Mok wrote:


To my understanding, the mechanism of how NAT works is that the client connections from the intranet are mapped to separate ports on the NAT with one single IP address by means of a mapping table, such that the reply packet from the outside to the NAT can be reverse-mapped to the respective client connection. If there is more than one VPN client being NATed to the VPN gateway, and all client ISAKMP connections to port 500 are mapped to port 500 on the external interface of the NAT, then how can the NAT reverse-map the ISAKMP replies to the clients unambiguously?


Sorry, the one caveat I forgot is that I can only have one VPN session at a time. If you are likely to have multiple users using the VPN at one time then it won't work. If you have multiple VPN users accessing the same Checkpoint then have a look at making a LAN-to-LAN tunnel, see:
http://www.freebsd.org/doc/en/articles/checkpoint/
It's a little old and you need to do some config on the Checkpoint, but it's a good starting point.



Vince

John Mok


Vince wrote:

I do this with the Cisco VPN client (to a PIX); I am firewalling with pf:

    Client --- FreeBSD firewall+NAT using pf --- Internet --- PIX

The only problem I had was that ISAKMP needs to come from port 500 as well as go to port 500, so I needed to add a rule to stop pf changing the source port. My nat rules are:

    nat on $ext_if inet proto { tcp, udp } from $int_net port = 500 \
        to any -> ($ext_if:0) port 500
    nat on $ext_if from $int_net to any -> $ext_addr1


Haven't tried Checkpoint though.

Vince



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Mok
Sent: 07 April 2005 17:15
To: freebsd-net@freebsd.org
Subject: FreeBSD Firewall + NAT Traversal + IPsec


Hi,

I'm new to FreeBSD. Is it possible to make a FreeBSD box with firewall + NAT, such that client PC(s) from the NATed internal network could connect to a VPN gateway on the Internet:

    client PC ----- FreeBSD Firewall + NAT ---- Internet ---- IPsec VPN gateway
    192.168.x.x/16                                            (e.g. Checkpoint FW-1)
    (VPN client)


I hope someone could help to advise what software is required on the FreeBSD box to make NAT traversal work, and where to get the HOWTO(s)?

Thanks a lot.

John Mok

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"






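As an added illustration of the setup discussed in this thread (example configuration, not from any of the original posts), here is a complete pf.conf in the style of Vince's rules. It uses pf's `static-port` option instead of Vince's explicit `port 500` rewrite to keep UDP 500 unchanged for the first IKE client, passes NAT-T (UDP 4500) and ESP, and leaves all other traffic to ordinary port-rewriting NAT. The interface names, the $int_net prefix and the $vpn_gw address are assumptions.

```pf
# Added example (not from the original thread): pf.conf for a FreeBSD
# firewall+NAT that lets an internal IPsec/IKE client reach an external
# VPN gateway. Interface names, prefixes and the gateway address are assumed.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.0.0/16"
vpn_gw  = "203.0.113.10"       # assumed address of the IPsec VPN gateway

# ISAKMP (IKE) without NAT-T: the gateway expects the peer to talk from
# UDP 500, so do not rewrite the source port. Because every client would
# need the same translated source port, only ONE internal client can have
# an IKE state to a given gateway at a time; a second one collides and is
# dropped. This is the caveat Vince mentions.
nat on $ext_if inet proto udp from $int_net port 500 \
    to $vpn_gw port 500 -> ($ext_if) static-port

# Everything else, including NAT-T (UDP 4500), gets normal port-rewriting
# NAT. NAT-T tolerates a changed source port, so several clients can share
# the NAT once the peers negotiate it.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Filter rules (pf of this era is not stateful unless asked: keep state).
block in log all
pass in  on $int_if inet proto udp from $int_net to $vpn_gw port { 500, 4500 } keep state
pass out on $ext_if inet proto udp from ($ext_if) to $vpn_gw port { 500, 4500 } keep state

# ESP carries the tunnel payload when NAT-T is not negotiated. pf keeps
# address-only state for it, which again serves one client behind the NAT.
pass in  on $int_if inet proto esp from $int_net to $vpn_gw keep state
pass out on $ext_if inet proto esp from ($ext_if) to $vpn_gw keep state

# Let the rest of the internal network out normally.
pass in  on $int_if inet from $int_net to any keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. While the client negotiates, `pfctl -s state` lists the translation; the UDP 500 entry should show the external address still on port 500, whereas a NAT-T (4500) entry shows a rewritten high port, which is why the second kind can serve more than one client.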
