On Mon, Apr 23, 2007 at 11:58:19PM +0800, John Mok wrote:

> I am new to PF, and I would like to build a firewall + NAT using PF on 
> OpenBSD or FreeBSD. However, I hope someone can tell me if NAT-T support 
> is available in PF, such that the IPSec client connections passing 
> through the NAT box to an Internet IPSec gateway will not break.

NAT-T, as defined by RFC3947 [1], is not something a firewall has to
support, but something the IKE ("IPSec client") can support.

It means that the IPSec peers will notice that there is a NAT device in
their path and will collaborate to traverse it, by encapsulating their
packets in UDP.

OpenBSD's isakmpd(8) supports this, and pf will work fine with it. The
question is whether another third-party IKE supports it and is
compatible. But there is nothing pf can do if it doesn't or isn't ;)

Daniel

[1] http://www.faqs.org/rfcs/rfc3947.html
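The two mechanisms Daniel describes above, NAT detection by the IKE peers (the NAT-D payload hash of RFC 3947) and UDP encapsulation of the traffic afterwards (RFC 3948 demultiplexing on UDP/4500), shown as an added worked example. This is illustrative code written for this page, not code from the thread, from isakmpd(8) or from pf; it assumes SHA-1 as the negotiated IKE hash, and the cookies and addresses (192.168.1.10 behind a NAT that rewrites it to 203.0.113.5) are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# RFC 3947 section 3.2: each NAT-D payload carries
#   HASH = HASH(CKY-I | CKY-R | IP | Port)
# where IP and Port are in network byte order and HASH is the hash
# function negotiated for the IKE SA (assumed SHA-1 here).
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    addr = ipaddress.ip_address(ip).packed      # 4 or 16 bytes, network order
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + addr + struct.pack("!H", port))
    return h.digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Responder-side check.

    The initiator hashes the address/port it believes it is sending from.
    The responder recomputes the hash over the source address/port it
    actually observed on the wire. A mismatch means a NAT rewrote the
    packet somewhere in the path, so the peers switch to UDP encapsulation.
    """
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


# RFC 3948: once NAT-T is in use, everything moves to UDP port 4500 and the
# first bytes of the UDP payload say what is inside:
#   0xFF alone                 -> NAT keepalive (keeps the NAT mapping alive)
#   4 zero bytes (non-ESP marker) -> IKE message follows
#   anything else              -> ESP packet, those 4 bytes are its SPI
#                                 (SPI 0 is reserved, so it cannot collide)
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def classify_udp4500(payload: bytes) -> str:
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def udp_encap_ike(ike_msg: bytes) -> bytes:
    """IKE on port 4500 is prefixed with the non-ESP marker."""
    return NON_ESP_MARKER + ike_msg


def udp_encap_esp(esp_packet: bytes) -> bytes:
    """ESP is carried as-is; the SPI is already the first 4 bytes.
    (The UDP/IP headers themselves are added by the IP stack.)"""
    assert esp_packet[:4] != NON_ESP_MARKER, "SPI 0 is reserved"
    return esp_packet


if __name__ == "__main__":
    # Constructed sample values: a client behind a NAT thinks it is
    # 192.168.1.10:500, the gateway sees the packet from 203.0.113.5:500.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    behind_nat = nat_detected(cky_i, cky_r,
                              "192.168.1.10", 500, "203.0.113.5", 500)
    print("NAT in path:", behind_nat)           # True
    print(classify_udp4500(udp_encap_ike(b"\x01\x02")))          # ike
    print(classify_udp4500(udp_encap_esp(b"\xde\xad\xbe\xef" + b"\x00" * 8)))  # esp
    print(classify_udp4500(NAT_KEEPALIVE))      # nat-keepalive
```

The practical consequence for the firewall is the one Daniel gives: pf only has to let UDP/500 and UDP/4500 through its NAT (and, for peers that are not behind a NAT, protocol 50/ESP), and the peers handle the rest. Note that the NAT-D hash is computed over the address the initiator believes it has, so a peer that does not send NAT-D payloads simply never triggers the switch, which is exactly the "third-party IKE" compatibility caveat above.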