On Mon, Apr 23, 2007 at 07:11:05PM +0200, Daniel Hartmeier wrote:
> On Mon, Apr 23, 2007 at 11:58:19PM +0800, John Mok wrote:
> > I am new to PF, and I would like to build a firewall + NAT using PF
> > on OpenBSD or FreeBSD. However, I hope someone to tell me if NAT-T
> > support is available in PF, such that the IPSec client connections
> > passing through the NAT box to Internet IPSec gateway will not
> > break.
> 
> NAT-T, as defined by RFC3947 [1], is not something a firewall has to
> support, but something the IKE ("IPSec client") can support.
> 
> It means that the IPSec peers will notice that there is a NAT device
> in their path and will collaborate to traverse it, by encapsulating
> their packets in UDP.
> 
> OpenBSD's isakmpd(8) supports this, and pf will work fine with it. The
> question is whether another third-party IKE supports it and is
> compatible. But there is nothing pf can do if it doesn't or isn't ;)
> 
> Daniel
> 
> [1] http://www.faqs.org/rfcs/rfc3947.html

I've had to add the following rule to make my users happy:

pass in on $lan_if inet proto { ah gre esp } from <lan_clients> to !<bad_destinations> keep state

Otherwise some of them reported that they couldn't establish VPN
connections using the Cisco VPN client (for Windows). OpenVPN had no
problems as it immediately used UDP-encapsulation. Needless to say, I'm
not really satisfied with this "voodoo" solution, and comments are more
than welcome. Sorry if this breaks away from the original subject.

Martin
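To put the two messages together: the rule Martin quotes passes ESP (IP protocol 50), AH (51) and GRE (47), which are port-less protocols, so a ruleset that only opens TCP/UDP/ICMP silently drops them; a client whose IKE negotiates NAT-T instead sends everything as UDP on port 4500, which such a ruleset already passes. The following pf.conf is an added example written for this thread, not configuration from either poster: a minimal LAN NAT box that handles both kinds of client. Interface names, the LAN network and the table contents are assumptions, and the NAT line uses the pre-OpenBSD 4.7 `nat on` syntax current when the thread was written (4.7 and later express it as `match out on $ext_if from $lan_net nat-to ($ext_if)`).

```pf
# Added example (not from the thread): NAT box passing IPsec clients
# out to Internet gateways. Interface and network names are assumptions.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

table <lan_clients> { 192.168.1.0/24 }
table <bad_destinations> persist   # destinations the LAN may not reach

set skip on lo

# Hide the LAN behind the external address (pre-4.7 syntax; see lead-in).
nat on $ext_if from $lan_net to any -> ($ext_if)

block all

# Whatever the box forwards or originates may leave; state handles replies.
pass out on $ext_if keep state

# IKE (udp/500) and NAT-T encapsulated ESP (udp/4500, RFC 3947/3948).
# UDP carries ports, so pf can rewrite them and any number of LAN clients
# can talk to the same gateway through the one external address.
pass in on $lan_if inet proto udp from <lan_clients> \
    to !<bad_destinations> port { 500 4500 } keep state

# Clients whose IKE does not negotiate NAT-T send raw ESP/AH; GRE is
# what PPTP uses. This is the rule from Martin's message. These protocols
# have no ports, so state is keyed on addresses alone: pf cannot tell the
# returning ESP of two LAN clients bound for the same gateway apart,
# which is exactly the problem NAT-T exists to solve.
pass in on $lan_if inet proto { ah gre esp } from <lan_clients> \
    to !<bad_destinations> keep state

# Ordinary LAN traffic.
pass in on $lan_if inet proto { tcp udp icmp } from <lan_clients> \
    to !<bad_destinations> keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -ss | grep -i esp` shows whether a non-NAT-T client's tunnel is being tracked as an address-only state, and `pfctl -ss | grep 4500` shows the NAT-T clients that never needed the ESP rule.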
