Hi Rick, On Mon, Jan 17, 2005 at 12:06:54PM -0600, Rick Barter wrote:
> Okay. I have a problem that I can't get my brain around and I need
> some help. My wife needs to connect to her VPN at work. I've
> captured packets for her connection and see that it's connecting to
> her work server on ports 53 (dns) and 500 (isakmp).

[...]

> I thought that since she was initiating the connections to port 53 and
> 500 that the keep state entries on the outbound tcp and udp traffic
> would be enough to ensure she could connect and wouldn't require me to
> set up NAT for these connections. Am I wrong? What am I missing here?

According to your pf.conf, your TCP/UDP outbound connections are NATed.

To use a VPN IPsec client with a NAT gateway like yours, the VPN client must use NAT-Traversal (ESP packets encapsulated in UDP packets on port 4500). And the IPsec gateway of your wife at work must also support NAT-Traversal.

What is the IPsec client used by your wife and the IPsec gateway implementation used at her work? SSH Sentinel and Safenet SoftRemote are commercial VPN clients that support NAT-Traversal. isakmpd also supports NAT-Traversal since OpenBSD version 3.6 :-)

A++ Foxy

--
Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2
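For reference, a pf.conf fragment in the pre-4.7 rule syntax of that era showing the NAT rule together with the state-keeping pass rules for IKE (UDP 500) and NAT-Traversal (UDP 4500) that such a client needs. This is an added example, not the pf.conf from the thread; the interface names and the LAN prefix are assumptions.

```pf
# Assumed interface names and LAN prefix (not from the original thread)
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Outbound traffic from the LAN is NATed to the gateway's external address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; allow loopback and traffic from the LAN into the gateway.
block all
pass quick on lo0
pass in on $int_if from $int_net to any keep state

# DNS (seen in the capture on port 53).
pass out on $ext_if inet proto { tcp, udp } to any port 53 keep state

# IKE (ISAKMP, UDP 500) and NAT-Traversal (UDP 4500).  "keep state" creates
# the state entry that lets the VPN gateway's replies back in through the NAT.
# Plain ESP (IP protocol 50) carries no ports to translate, which is why the
# client has to encapsulate it in UDP 4500 (NAT-T) behind this gateway.
pass out on $ext_if inet proto udp to any port { 500, 4500 } keep state
```

Both the client and the IPsec gateway at the other end must negotiate NAT-T, otherwise no UDP 4500 traffic appears for these rules to match.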