How to make an ipsec vpn connection *through* a FreeBSD 4.5 firewall

Post by Sebestyén Zolt » Thu, 26 Dec 2002 03:13:48



Hi,

 My machine is behind a FreeBSD 4.5R firewall which does (of course)
NAT to the machines behind it including mine.
 Now, I would like to make an IPSEC VPN connection to a server on the
other part of the net, yet unsuccessfully. I've been told that the
problem is that the firewall currently does not translate the IP
address in the IPsec packets.
Could you please tell me how to do so?

Regards,


How to make an ipsec vpn connection *through* a FreeBSD 4.5 firewall

Post by John Nielse » Thu, 26 Dec 2002 07:57:47



> Hi,

>  My machine is behind a FreeBSD 4.5R firewall which does (of course)
> NAT to the machines behind it including mine.
>  Now, I would like to make an IPSEC VPN connection to a server on the
> other part of the net, yet unsuccessfully. I've been told that the
> problem is that the firewall currently does not translate the IP
> address in the IPsec packets.
> Could you please tell me how to do so?

NAT and IPsec don't play nice with each other.  NAT's job is to change
packets so they reach the correct destination, and part of IPsec's job is to
ensure that packets aren't changed before they reach their destination.
AFAIK, you will need to either do IPsec on the firewall (so IPsec stuff
happens before NAT comes into play), or find another solution.

JN

--
Remove pig-latin to reply by e-mail
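The reply above states the conflict in one sentence: NAT rewrites addresses, IPsec authenticates them. The script below is an added illustration, not code from either poster, that builds a minimal IPv4 header, computes an Authentication-Header-style integrity check over it (mutable fields such as TTL and header checksum zeroed, as AH specifies, but the addresses covered), and then shows that a router decrementing the TTL leaves the check intact while a NAT gateway rewriting the source address breaks it. The key and the addresses (RFC 5737 documentation ranges) are constructed for the demo; HMAC-SHA256 stands in for whatever integrity algorithm the real SA would negotiate.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA key would come from IKE, never a literal.
KEY = b"constructed-demo-key"


def ipv4_header(src, dst, ttl=64, proto=51, total_len=40):
    """Build a minimal 20-byte IPv4 header (no options).
    proto=51 is AH. The header checksum is left as 0 for simplicity."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ah_icv(ip_hdr, payload, key=KEY):
    """AH-style integrity check value.
    Mutable-in-transit fields (TTL, header checksum) are zeroed before
    hashing so ordinary routers do not break the check; source and
    destination addresses are immutable and therefore covered."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(hdr) + payload, hashlib.sha256).digest()


def verify(ip_hdr, payload, icv, key=KEY):
    """What the receiving IPsec peer does before accepting the packet."""
    return hmac.compare_digest(ah_icv(ip_hdr, payload, key), icv)


def decrement_ttl(ip_hdr):
    """What every hop does: TTL goes down by one."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    return bytes(hdr)


def nat_rewrite_src(ip_hdr, new_src):
    """What the NAT gateway does: private source address becomes the
    gateway's public address."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(hdr)


def demo():
    """Run the packet through a plain router and through NAT, returning
    whether the peer's integrity check still passes in each case."""
    payload = b"constructed inner datagram"            # constructed
    original = ipv4_header("192.168.1.10", "203.0.113.5")
    icv = ah_icv(original, payload)                    # computed by the sender

    after_router = decrement_ttl(original)
    after_nat = nat_rewrite_src(after_router, "198.51.100.1")

    return {
        "unchanged": verify(original, payload, icv),
        "after_ttl_decrement": verify(after_router, payload, icv),
        "after_nat": verify(after_nat, payload, icv),
    }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:22s} integrity check passes: {ok}")
```

The third result is the failure the original poster is seeing: the packet arrives, but the peer discards it because the source address it authenticates is no longer the one the sender signed. Nothing the gateway can do to the address fixes that without the key, which is why the reply suggests terminating IPsec on the firewall itself, before NAT touches the packet.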


1. Win 2K VPN client thru IPSEC Masq...

Hi,

I have a Windows 2000 machine on my LAN that I'm attempting to use the Microsoft VPN client
on. The trick is that my LAN sits behind a Linux gateway using IPCHAINS to masquerade traffic
from the LAN. At first I figured no problem, I found the IPSec Masq patch by John Hardin for the
masquerade code and patched my kernel.  Still doesn't work. So I turn on kernel logging and look
at what kind of messages are being generated. I can see connection attempts by my LAN box
being masqueraded by the gateway and in turn being replied to by the VPN server I'm trying to
connect to. Then for some reason, it looks like my LAN box is trying to send ICMP packets to the
VPN server. Unfortunately, my employer filters ICMP traffic before it reaches the VPN server.

Whew! To make a really long story short.... could the fact that ICMP is being filtered somewhere
in the path to the VPN server be causing the VPN client not to work when behind the masquerade?
Because when I hook up the VPN client directly to my internet connection (DSL), ie , no masquerading,
it seems to work fine? Any clues would be appreciated.

Chris Elgart


2. Lost permissions for sound card?

3. Satellite Connection - Freebsd 4.5

4. Learning system administration

5. IPSEC thru Firewall

6. Odd SCSI detection problem - NCR controller, CONNER harddrive

7. IPSEC Thru Firewall

8. dhcp client setup

9. VPN from Win98 Client thru IPCHAINS+IPMASQ firewall

10. FreeBSD 4.5 vs. FreeBSD 3.2 - Which One

11. IPSec VPN Firewall problem

12. Cisco IPSEC VPN to CheckPoint firewall and linux server concern

13. VPN Thru Linux Firewall