> > What are your VPN client and VPN server, and do you
> > use IPsec for VPN?
> >
> > To use IPsec with NAT, the IPsec client and server must
> > use NAT-Traversal:
> > - isakmp exchanges on UDP/500
> > - encapsulation of ESP in UDP port 4500
> >
> > Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2
>
> My VPN client is MS Windows VPN using the pptp protocol,
> port 1723 udp/tcp. I don't know what the server is; my
> suggestion is a win2000/win2003 VPN server, I only have an
> account. On the OpenBSD firewall I also have a VPN account
> using poptopd. Pftop shows me that I use port 1723 tcp
> and 1723 udp.
> I think that NAT is the problem because the VPN server tries to
> connect to my ext_ip, where I block all in. That's my
> first filter rule. I have also tried synproxy on out packets
> to port 1723, without success.
>
> Any suggestions?
>
> Best regards
> T.Ganev

Hi again,

I solved the problem by adding these lines to my conf:

    nat on rl0 proto tcp from 192.168.0.11 to any port 1723 -> 10.17.2.1 port 1723
    nat on rl0 proto udp from 192.168.0.11 to any port 1723 -> 10.17.2.1 port 1723
    rdr pass on rl0 inet proto tcp from any to 10.17.2.1 port 1723 -> 192.168.0.11 port 1723
    rdr pass on rl0 inet proto tcp from any to 10.17.2.1 -> 192.168.0.11
    rdr pass on rl0 inet proto udp from any to 10.17.2.1 -> 192.168.0.11
    rdr pass on rl0 inet proto gre from any to 10.17.2.1 -> 192.168.0.11

    pass out on $ext_if proto tcp from 10.17.2.1 to any port 1723 modulate state flags S/SA
    pass out on $ext_if proto udp from 10.17.2.1 to any port 1723 keep state
    pass in on $ext_if proto tcp from any to 10.17.2.1 port 1723 modulate state
    pass in on $ext_if inet proto gre from any to 10.17.2.1 synproxy state
    pass out on $ext_if inet proto gre from 10.17.2.1 to any keep state

My IP is 192.168.0.11; 10.17.2.1 is an alias to my ext_if IP. The VPN server
also has a private IP 10.x.x.x because we use the same ISP.
But what if the VPN server is somewhere on the Internet?

Best regards
T.Ganev

=====
http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=0x300D6655&fingerprint=on
Key fingerprint= 2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
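
A narrower variant of the rules in the message above, as an added example that is not part of the original post. It keeps the post's old-style pf translation syntax and covers only what PPTP uses: the TCP 1723 control connection and GRE (IP protocol 47). The macro names and the server address `192.0.2.10` are placeholders introduced here.

```pf
# Added example, not from the original message.
ext_if  = "rl0"
client  = "192.168.0.11"   # internal PPTP client (address from the post)
ext_ip  = "10.17.2.1"      # alias on the external interface (from the post)
vpn_srv = "192.0.2.10"     # constructed placeholder for the VPN server

# Translation: only traffic between the client and this one server.
# PPTP does not use UDP 1723, so no UDP rules are needed.
nat on $ext_if inet proto tcp from $client to $vpn_srv port 1723 -> $ext_ip
nat on $ext_if inet proto gre from $client to $vpn_srv -> $ext_ip

# GRE has no ports, so restrict the redirect by source address instead.
# Plain "rdr" (no "pass") means the filter rules below are still evaluated;
# "rdr pass ... from any" would bypass "block in" for every matching packet.
rdr on $ext_if inet proto gre from $vpn_srv to $ext_ip -> $client

# Filtering: default deny inbound, then the two PPTP flows.
# Outbound rules see the address after nat; inbound rules see it after rdr.
block in on $ext_if all
pass out on $ext_if inet proto tcp from $ext_ip to $vpn_srv port 1723 flags S/SA modulate state
pass out on $ext_if inet proto gre from $ext_ip to $vpn_srv keep state
pass in  on $ext_if inet proto gre from $vpn_srv to $client keep state
```

Loading the file with `pfctl -nf` parses it without applying it, and `pfctl -sn` / `pfctl -sr` show the translation and filter rules actually in effect.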
