On Mon, Jan 17, 2005 at 10:38:05PM +0100, the unit calling itself Laurent Cheylus wrote:
> > > Okay. I have a problem that I can't get my brain around and I need
> > > some help. My wife needs to connect to her VPN at work. I've
> > > captured packets for her connection and see that it's connecting to
> > > her work server on ports 53 (dns) and 500 (isakmp).
> [...]
> > I thought that since she was initiating the connections to port 53 and
> > 500 that the keep state entries on the outbound tcp and udp traffic
> > would be enough to ensure she could connect and wouldn't require me to
> > set up NAT for these connections. Am I wrong? What am I missing here?
>
> According to your pf.conf, your TCP/UDP outbound connections are NATed.
>
> To use a VPN IPsec client with a NAT gateway like yours, the VPN client must
> use NAT-Traversal (ESP packets encapsulated in UDP packets on port
> 4500). And the IPsec gateway of your wife at work must also support
> NAT-Traversal.
>
> What is the IPsec client used by your wife and the IPsec gateway
> implementation used at her work?
>
> SSH Sentinel and Safenet SoftRemote are commercial VPN clients that
> support NAT-Traversal. isakmpd also supports NAT-Traversal since
> OpenBSD version 3.6 :-)
I have the same problem. My VPN client is Cisco VPN Client ver 4.6.00. I gather that pf can't pass some VPN traffic, and that getting it through pf will require some isakmpd setup?

Thanks,
Jay
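To make the point in the quoted reply concrete, here is a pf.conf fragment for the kind of NAT gateway described above. It is an added example for this thread, not configuration posted by either participant; the interface names and the internal subnet are assumed placeholders. It shows why plain ESP is the sticking point and what the gateway has to let through once the client and the remote IPsec gateway both use NAT-Traversal:

```conf
# Added example (not from the thread): pf.conf fragment for a NAT gateway
# with an IPsec client on the LAN. Interface names and subnet are assumptions.
ext_if  = "fxp0"             # assumption: external interface
int_if  = "fxp1"             # assumption: internal interface
int_net = "192.168.1.0/24"   # assumption: internal LAN

# IKE (UDP 500) and UDP-encapsulated ESP, i.e. NAT-Traversal (UDP 4500).
# Plain ESP is IP protocol 50 and carries no port numbers, so a port-based
# NAT has nothing to rewrite per client; that is why both ends must speak
# NAT-T rather than relying on keep state for raw ESP.
ike_ports = "{ 500, 4500 }"

scrub in all

# Translate outbound LAN traffic to the gateway's external address.
nat on $ext_if from $int_net to any -> ($ext_if)

block in log all

# LAN hosts may start IKE and NAT-T sessions; the state entries created
# here admit the replies from the remote IPsec gateway without any
# inbound NAT or redirect rule.
pass in  on $int_if proto udp from $int_net  to any port $ike_ports keep state
pass out on $ext_if proto udp from ($ext_if) to any port $ike_ports keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -s state` while the client negotiates; with NAT-T enabled on both sides you should see UDP 500 followed by UDP 4500 state entries, whereas a client that falls back to raw ESP after IKE will show no 4500 entry and its tunnel traffic will never match the NAT rule.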
