On Mon, 17 Jan 2005 18:02:47 -0600, J Moore <[EMAIL PROTECTED]> wrote:
> On Mon, Jan 17, 2005 at 10:38:05PM +0100, the unit calling itself Laurent
> Cheylus wrote:
> > To use VPN IPsec client with a NAT gateway like yours, VPN client must
> > use NAT-Traversal (ESP packets encapsulation in UDP packets on port
> > 4500). And the IPsec gateway of your wife at work must also support
> > NAT-Traversal.

Laurent, that is not true. I have used VPN clients (isakmpd behind a NATing firewall, Windows XP ipsec, SSH Sentinel and SafeNet SoftRemote) behind OpenBSD firewalls and have never had a problem going through my OpenBSD firewall/NAT. You must pass out esp traffic.

> I have the same problem. My VPN client is Cisco VPN Client ver 4.6.00.
>
> I gather that pf can't pass some VPN traffic, and that getting it
> through pf will require some isakmpd setup?

I _did_ have problems getting the Cisco VPN client connecting through the firewall, but at the time, I believe it was prior to the NAT "static-port" directive. My solution in the old days to get the Cisco VPN client working through my OpenBSD firewall was to put an rdr and a pass rule redirecting port 500 udp traffic back to the VPN client.

I _THINK_ that with the static-port rule, your Cisco VPN client will make connections initiated on port 500 rather than having NAT select some random high numbered port. Then, the Cisco VPN server can successfully connect back through port 500 and establish the connection.

    nat on $ext_if from $int_if:network to any -> ($ext_if) static-port

> Thanks,
> Jay

-ME
--
http://mike.erdelynet.com/
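The two approaches Mike describes, as a pf.conf fragment. This is an added example, not part of his reply or the original thread; the interface macros, the $vpn_client address and the rule set around them are assumed placeholders for a single Cisco client behind an OpenBSD gateway, and the nat rule assumes a pf that understands the static-port option.

```pf
# Added example, not from the original mail. Interface names and the
# client address are assumed; adjust them to your network.
ext_if = "fxp0"
int_if = "fxp1"
vpn_client = "192.168.1.10"   # workstation running the Cisco VPN client

# Current approach: keep the client's udp/500 source port unchanged across
# NAT, so the VPN server sees ISAKMP from udp/500 and replies to udp/500.
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port

# Older workaround (before static-port existed): send inbound udp/500 back
# to the one client so the server's replies reach it even after NAT picked
# a random high source port. Only works for a single client; leave it
# commented out when static-port is available.
# rdr on $ext_if proto udp from any to ($ext_if) port 500 -> $vpn_client port 500
# pass in on $ext_if proto udp from any to $vpn_client port 500

# ISAKMP out from the gateway, with state so the server's replies come back.
pass out on $ext_if proto udp from ($ext_if) to any port 500 keep state

# ESP carries the actual tunnel traffic and must be passed in both directions;
# this is the "You must pass out esp traffic" point above.
pass out on $ext_if proto esp from ($ext_if) to any
pass in  on $ext_if proto esp from any to ($ext_if)
```

One caveat worth knowing when choosing between the two: the rdr variant can only ever serve one client, since all inbound udp/500 is steered to a single internal address, and static-port can only preserve source port 500 for one client per destination at a time, so two clients behind the same gateway talking to the same VPN server simultaneously would collide on that port.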