I'm using the nortel extranet client through openbsd 2.9. I have a dsl
router with dhcp assigned address. The router assigns the my home
network interface an address of 10.0.0.2. I create a ipf rules set that
passes in from my corp vpn server (999.999.999.999) and permit traffic
from a static non-routeable address 192.168.1.4 (my corporate laptop) to
the 10.0.0.2 address. Then in ipnat.rules I redirect incoming traffic
to the laptop and map the laptops port 500 traffic to the dhcp assigned
address 10.0.0.2. I would guess my cisco 678 is nat'ing the vpn traffic.
pass in quick on fxp0 proto udp from 999.999.999.999 to
192.168.1.4 port = 500 keep state
block return-icmp(3) in log quick on fxp0 proto udp
from any to any port = 500
pass in quick on fxp0 proto esp from 999.999.999.999
pass out quick on fxp0 proto esp from 192.168.1.4
# rdr always at top
rdr fxp0 10.0.0.2/32 port 500 -> 192.168.1.4 port 500 udp
map fxp0 192.168.1.4/32 -> 10.0.0.2/32
> Thanks for the info. I subscribe to the "misc" OpenBSD group and did a
> "index misc" and received the following....
> #### No files available for misc.
> Any chance you have the postings somewhere in your email?
> Thanks in advance (again) :)
> - Will
>>>I am trying to allow a system on my local net (using Nortel Extranet
>>>Client) to connect through my OpenBSD Gateway (ver 2.9) to my companies
>>>Nortel VPN Switch. I have been reading a ton on esp, gre, a possible
>>>to ipf but nothing seems to work and there are no definitive howto's?
>>>Any suggestions (and please not buy a LinkSys/DLink/NetGEAR home
>>>gateway - I want to do this with my OpenBSD box and it should be possible
>>>either via proxy or passthrough?)
>>>Thanks in advance,
>>I had this set up once upon a time. The trick was to rdr port 500 from
>>the firewall to the host running the nortel vpn client. There is
>>isakmp traffic required to maintain the vpn connection which must be
>>passed through. This is done in ipnat.rules.
>>The second trick is to not remap ports for the host running vpn
>>Alas, this can only be done for one host behind your firewall.
>>For added security i set up ipf rules to only allow passage of esp &
>>port 500 packets from the company vpn gateway to the host running the
>>I had emailed by ipnat.rules and ipf.rules to the openbsd misc mailing
>>list some time ago. You could search the mailing list to find them.