Matthew Grooms wrote:
Bill Marquette wrote:
Or corporations that refuse to enable NAT-T on their IPSec
concentrators.
Which should be the exception to the rule. But as I stated before,
that's just my opinion based on my own experience supporting these
platforms.
There are some limitations we have. pf/FreeBSD doesn't have an IPSec
aware "fixup" if you will, so we have no way of knowing which session
a reply packet is destined for. This means, for backwards (no
surprises) support, we can only handle one ipsec passthrough
connection.
Yes, I am familiar with the fixup logic and am glad that pf doesn't
support it. It sounds like this has already been hashed out on the
list and I am a latecomer to the discussion. If it helps more pfSense
users than it hurts, then it's obviously the correct default.
The NAT-T support (or lack thereof) in FreeBSD, has nothing to do with
it performing as the NAT box. From what I understand, it's for server
side NAT-T (and maybe client?) support. Even if it was there, in
kernel, today, it wouldn't solve the issue being discussed.
I never said it did. My points were ...
1) It is a published very widely used standard
2) All major commercial vendors support it
3) All major open source OS's support it except FreeBSD
Or, he could just turn on Advanced Outbound NAT, and remove the
autogenerated IPSec rules (I think we only autogenerate udp 500). If
his concentrator supports NAT-T, that's all he needs to do.
Alright, so you have to enable AOT before modifying auto-generated nat
rules. I don't doubt that you know your way around pfsense better than
I do.
Yeah, as it says in the GUI, "Automatic outbound NAT rule generation
(IPSEC passthrough)" or "Manual Outbound NAT rule generation (Advanced
Outbound NAT (AON))".
If pfsense only auto-generates the rule for ISAKMP traffic to be
sourced from port 500, then that should be fine.
That's what it does. Also 5060 for SIP, since it seems a bunch of SIP
implementations are broken without that, but only 500 and 5060.