Here's my $0.02's worth...
I have used the Nortel Contivity Extranet Switch and the
client software through NAT. The IPsec connection was ESP.
The thing is the NAT was 1:1 mapping of addresses (done by
a Cisco router). So you can NAT the ESP IPsec connection.
There is one thing to note here. The NAT is 1:1. That is
there is no magic N:1 NAT mapping using source/destination
IP addresses and ports to distinguish between NAT mappings.
Sorry, but I have no OpenBSD solution for you though.
> It's not the answer you're looking for, but I think the answer is
> that you can't.
> My understanding is that IPSec and NAT are not compatable.
> Period. (I think Nortel has a router/firewall that will do this,
> but I didn't want to go there.)
> If you play around with the keywords you should be able to find
> more specific info with a Deja search. I wasted more time on this
> than I really care to say. If I'm wrong and there IS a reliable
> way to do this with an OpenBSD firewall I would *really* like to
> hear about it.
> > I'm still searching for an answer for OpenBSD's support or non-support
> > for NAT on ESP-based IPSec. The silence is eerie. :-) I've found
> > happines in implementing a Linux-based firewall solution, however, I'd
> > have much preferred to take advantage of OpenBSD's superior security.
> > :-\
> > The best explanations of the challenges and solutions to doing NAT
> > with IPSec traffic is here in the Linux VPN how-to. Especially
> > germane to the Nortel client (which uses IPsec ESP) are sections 2.2,
> > and 2.10 where it describes that kernel mods are necessary to support
> > NAT on protocols other than tcp, udp, and icmp (such as ESP and GRE):
> > ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquera...
> > Best Regards,
> > Todd
> > > Has anyone succesfully configured an OpenBSD NAT/firewall to allow an
> > > IPSec-based VPN client on the LAN side to pass through NAT and connect
> > > to the remote server successfully?
> > > I'm attempting to use Nortel Extranet Acccess Client to connect to a
> > > remote VPN server at my employer via cable modem--but I've been
> > > unsuccessful thus far. I'm not sure of the hardware on my employer's
> > > end, but the client-side software is Nortel Extranet Access Client
> > > (V02_62.33 Sep 8 2000).
> > > All other NAT seems to work fine. I've added "log" directives to all
> > > my ipf rules and even disabled them all and find no indication that
> > > the IPSec traffic is even being forwarded. I've tried enabling ESP in
> > > /etc/sysctrl.conf to no avail.
> > > Based on a lot of net.digging of the ng's, it appears thus far that
> > > OpenBSD's ipnat is not capable of dealing with the IPSec correctly.
> > > What confuses me is that the inexpensive Linksys cable-modem router
> > > (BEFSR41) can handle this--they've recently released a BIOS update
> > > that touts "IPSec passthru now supported" which coworkers have used
> > > successfully. I understand that there's been a Linux patch for this
> > > as well, and even the CoyoteLinux router supports this arrangement.
> > > Is there an equivalent patch for OpenBSD that allows ipnat to
> > > appropriately handle ESP (port 50) translation that's evidently needed
> > > for this to work?
> > > +----------+
> > > |Win2k box | +----------------+ +-----------+
> > > |Nortel | +----------------+ +-----------+
> > > |Extranet |
> > > |Client |
> > > +----------+
> > > I've been scouring the 'net trying to find a fix to no avail. I'm
> > > having religious difficutly thinking that there is something a Linksys
> > > BEFSR41 router ($160) can do that OpenBSD can't!
> > > Thank you in advance for any assistance or advice.
> > > Best Regards,
> > > Todd
> Sorry for the SPAM block -
> My real address is Cindy at Ballreich dot net
Brian Miller Telstra - Global IP Networks