On 7/31/07, Matthew Grooms <[EMAIL PROTECTED]> wrote:

> nat on $ext proto udp from $prv_net port 500 to any -> ( $ext ) port 500
> nat on $ext proto udp from $prv_net port 4500 to any -> ( $ext ) port 4500
>
> ... which acts like a VPN pass-through by forcing the source port to not
> be translated. This is fine when only a single host is attempting to
> communicate with a VPN gateway but could cause serious problems if you
> have multiple simultaneous connection attempts.
It's worth noting that pfSense does this by default. Some IPSec concentrators also expect the udp traffic to source from port 500 and won't allow connections from arbitrary ports (Nortel Contivity is such a beast). And yes, it means we can only handle one ipsec connection to a given concentrator at a time. More than that should really use site-to-site vpn.

--Bill
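To make the limitation discussed in this thread concrete, here is a toy NAT state table (an added example, not pf's or pfSense's code) that leaves UDP 500/4500 untranslated the way the quoted rules do: the second internal host reaching the same concentrator collides on the external (ip, port) pair, while the same two hosts reaching different gateways do not. All addresses are constructed.

```python
"""Toy NAT table: why preserving IPsec source ports 500/4500 through the NAT
works for only one internal host per VPN gateway. Constructed example, not
pf's implementation. EXT_IP stands in for the $ext address in the rules."""

EXT_IP = "203.0.113.1"   # assumed external address


class PortCollision(Exception):
    """An external (port, peer) pair is already owned by a different inside host."""


class NatTable:
    def __init__(self, preserve_ports=frozenset({500, 4500})):
        self.preserve_ports = preserve_ports     # ports that must not be rewritten
        self.mappings = {}                       # (ext_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.next_ephemeral = 50000

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (EXT_IP, ext_port) for an outbound packet, or raise on collision."""
        if src_port in self.preserve_ports:
            ext_port = src_port                  # untranslated, as in the quoted rules
        else:
            ext_port = self.next_ephemeral       # ordinary NAT picks a fresh port
            self.next_ephemeral += 1
        key = (ext_port, dst_ip, dst_port)
        owner = self.mappings.get(key)
        if owner is not None and owner != (src_ip, src_port):
            # replies from dst_ip to EXT_IP:ext_port could not be attributed to one host
            raise PortCollision(f"{key} already owned by {owner}")
        self.mappings[key] = (src_ip, src_port)
        return EXT_IP, ext_port

    def reverse(self, ext_port, peer_ip, peer_port):
        """Inside host that an inbound reply belongs to, or None."""
        return self.mappings.get((ext_port, peer_ip, peer_port))


def demo(gateway="198.51.100.7"):
    """Two inside hosts start IKE to the same concentrator; the second collides."""
    nat = NatTable()
    first = nat.translate("192.168.1.10", 500, gateway, 500)
    try:
        nat.translate("192.168.1.11", 500, gateway, 500)
        collided = False
    except PortCollision:
        collided = True
    # the same second host reaching a *different* gateway is fine
    other = nat.translate("192.168.1.11", 500, "198.51.100.8", 500)
    return first, collided, other
```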
