On Mon, Apr 23, 2007 at 07:11:05PM +0200, Daniel Hartmeier wrote:
> On Mon, Apr 23, 2007 at 11:58:19PM +0800, John Mok wrote:
> > I am new to PF, and I would like to build a firewall + NAT using PF
> > on OpenBSD or FreeBSD. However, I hope someone to tell me if NAT-T
> > support is available in PF, such that the IPSec client connections
> > passing through the NAT box to Internet IPSec gateway will not
> > break.
>
> NAT-T, as defined by RFC3947 [1], is not something a firewall has to
> support, but something the IKE (IPSec client) can support.
>
> It means that the IPSec peers will notice that there is a NAT device
> in their path and will collaborate to traverse it, by encapsulating
> their packets in UDP.
>
> OpenBSD's isakmpd(8) supports this, and pf will work fine with it. The
> question is whether another third-party IKE supports it and is
> compatible. But there is nothing pf can do if it doesn't or isn't ;)
>
> Daniel
>
> [1] http://www.faqs.org/rfcs/rfc3947.html
I've had to add the following rule to make my users happy:
pass in on $lan_if inet proto { ah gre esp } from lan_clients to !bad_destinations keep state
Otherwise some of them reported that they couldn't establish VPN
connections using the Cisco VPN client (for Windows). OpenVPN had no
problems as it immediately used UDP-encapsulation. Needless to say, I'm
not really satisfied with this voodoo solution, and comments are more
than welcome. Sorry if this breaks away from the original subject.
Martin
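The following is an added example (not code from the thread, isakmpd or pf) illustrating the two mechanisms Daniel describes and the difference Martin observed between a client that switches to UDP encapsulation and one that keeps sending raw ESP/AH: first the RFC 3947 NAT-D payload, a hash of cookies plus address and port with which each IKE peer lets the other side detect a NAT by recomputing the hash over the source address actually seen on the wire; then the RFC 3948 UDP/4500 framing that carries ESP, IKE and keepalives once a NAT has been detected. All cookies, addresses and ports are constructed sample values, and the function names are this example's own.

```python
# Added example, not part of the original thread: NAT detection in IKE
# (RFC 3947 NAT-D payloads) and classification of UDP-encapsulated IPsec
# traffic (RFC 3948). Cookies, addresses and ports below are constructed.
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """Contents of one NAT-D payload: HASH(CKY-I | CKY-R | IP | Port),
    RFC 3947 section 3.2. IP is the packed address and Port is two bytes,
    both in network byte order; the hash is the one negotiated in phase 1."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def nat_in_path(cky_i: bytes, cky_r: bytes, peer_nat_d_hashes, observed_ip: str,
                observed_port: int, hash_name: str = "sha1") -> bool:
    """The peer sends NAT-D hashes of its own address(es). If none of them
    matches the source address/port the packet actually arrived from, a NAT
    rewrote the packet somewhere in between."""
    observed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)
    return observed not in peer_nat_d_hashes


def classify_udp4500(payload: bytes):
    """Classify a UDP/4500 payload per RFC 3948: a single 0xFF byte is a NAT
    keepalive, four zero bytes (the non-ESP marker) precede an IKE message,
    anything else is UDP-encapsulated ESP whose header is SPI + sequence
    number (SPI 0 is reserved, which is what makes the marker unambiguous)."""
    if payload == b"\xff":
        return ("keepalive", None)
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return ("ike", payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return ("esp", (spi, seq))
    return ("malformed", None)


# Constructed scenario: a client at 192.168.1.10 behind a NAT box (such as
# the pf NAT in the thread) talks to a gateway; the NAT rewrites its source
# to 203.0.113.5:12345.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def demo():
    # The client hashes its *own* address into its NAT-D payload.
    client_nat_d = [nat_d_hash(CKY_I, CKY_R, "192.168.1.10", 500)]
    # What the gateway sees after NAT vs. what it would see on a direct path.
    behind_nat = nat_in_path(CKY_I, CKY_R, client_nat_d, "203.0.113.5", 12345)
    direct = nat_in_path(CKY_I, CKY_R, client_nat_d, "192.168.1.10", 500)
    # Once a NAT is detected both sides move to UDP/4500; three sample payloads.
    esp = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16   # ESP header + ciphertext
    ike = b"\x00\x00\x00\x00" + CKY_I + CKY_R                  # non-ESP marker + IKE header start
    keepalive = b"\xff"
    kinds = [classify_udp4500(p)[0] for p in (esp, ike, keepalive)]
    return behind_nat, direct, kinds


if __name__ == "__main__":
    print(demo())
```

The point for a NAT box running pf is that a peer which performs this detection sends nothing but UDP/500 and UDP/4500 afterwards, which pf NATs like any other UDP flow; a peer that does not will keep emitting bare ESP, AH or GRE, which is why a rule like Martin's becomes necessary for it.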