I have a problem and it looks like this problem was discussed last
year sometime. I don't know if anything has changed since then so
I'm going to bring it up again.

The problem is with running a VPN client from behind a NAT'd firewall
to a VPN gateway across the Internet. The exact situation that I have
is I would like to use a Cisco Secure VPN client from behind a FreeBSD
firewall to tunnel through to our Cisco PIX firewall at work. The real
problem is that NAT and IP-Sec don't play nicely together. This has
been noted a number of times but I have also found some recent
references to an IP-Sec proxy agent in the ipfilter/ipnat code so
things may have changed whilst I have been away writing code.

I have a pretty bogus solution that has been working for a little
while now but it only works for one VPN client at a time... Currently
I am redirecting traffic on UDP port 500 to a specific host in
/etc/ipnat.rules. This gets around the problem of NAT mucking with
the IP headers and works pretty well. Recently I picked up a new
laptop and would like to VPN from it as well as my workstation. This
introduced a few new problems... the first is that my redirect solution
only works for a single internal IP address. The second is that I have
the laptop set up to DHCP so its address can change.

Currently my firewall is an older OpenBSD box that does not support
the IP-Sec proxy that I mentioned above. I was thinking about moving
the firewall to my FreeBSD box and trying the IP-Sec proxy out. The
FreeBSD box is a 4.7R box and is running on much more capable hardware
than my current OpenBSD firewall.

The other question I have is what has to be done to use ipfilter and
ipnat with FreeBSD? The last time that I set up a firewall under FreeBSD
was in the ipfw days so I am a little behind the times. I saw some notes
in /usr/src/contrib/ipfilter that implied that you had to compile
ipfilter, run the kinstall script, and then build the kernel. This didn't
work for me when I tried it last night. There was a problem with
the patch updates in kinstall but I'll look into this later. What I
need to know is "is the ipfilter prebuild necessary?" and "what kernel
options have to be enabled to use ipf/ipnat?"

Hopefully the IP-Sec proxying will help solve my headaches....
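The UDP/500 redirect workaround described in the message above, written out as an ipnat rule so the single-host limitation is visible, together with the kernel options and rc.conf knobs that FreeBSD 4.x uses to enable ipf/ipnat. This is an added illustration, not something the poster supplied; the interface name (fxp0) and the inside host address (192.168.1.10) are assumed values, and the rc.conf file names are the defaults rather than the poster's own paths.

```text
# /etc/ipnat.rules -- the redirect workaround from the message.
# fxp0 and 192.168.1.10 are assumed values; substitute the outside
# interface and the one inside machine that should own the tunnel.
# Only a single inside host can receive UDP/500 this way, which is
# exactly why a second client (or a DHCP-assigned address) breaks it.
rdr fxp0 0.0.0.0/0 port 500 -> 192.168.1.10 port 500 udp

# Kernel configuration (FreeBSD 4.x) -- ipfilter is part of the base
# system, so no separate prebuild from /usr/src/contrib/ipfilter is
# needed; these options compile ipf/ipnat into the kernel:
options IPFILTER
options IPFILTER_LOG

# /etc/rc.conf -- load the rule files at boot (paths are the defaults):
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
```

Note that the rdr rule only handles the IKE negotiation on UDP/500; the ESP traffic that follows carries no port numbers, which is the underlying reason plain NAT and IPsec do not get along and why a single-host redirect is the best a port-based rule can do.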