Re: IPSec across a NAT
I'm not an expert, and I'm sure someone will tell me this is no good, but
this is what I do to get GRE (for MS PPTP) to redirect.
Set up an external IP address specifically for IPSec in ifaliases.
Then in ipnat.rules:
bimap mx0 *internalip*/32 -> *externalip*/32
rdr mx0 *externalip*/32 port 500 -> *internalip* port 500 udp
(I assume you want to use IKE with IPSec)
Then in ipf.rules:
block in on mx0 from any to 207.103.201.143/32 head 1
pass in on mx0 proto esp from any to 207.103.201.143/32 group 1
That works for me to redirect GRE, so I don't see why it wouldn't work with
ESP.
Luke
----- Original Message -----
From: Chris Goellner <chris.goellner@corp.bellsouth.net>
To: <tech@openbsd.org>
Sent: Wednesday, January 12, 2000 11:39 AM
Subject: IPSec across a NAT
>
> Is any work being done to get OpenBSD to NAT ESP IPSec connections? I can
> do this via a kernel patch on Linux but I would like to be using OpenBSD
> instead.
>
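
Added example, not part of the original thread: a small Python classifier for raw IPv4 packets that separates the traffic named in the rules above. IKE is UDP to port 500, so a port-based rdr can match it, while ESP (protocol 50) and GRE (protocol 47) carry no port fields and can only be matched by address and protocol. The function names, sample packets and documentation-range addresses are constructed for illustration.

```python
import socket
import struct

PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50   # IANA IP protocol numbers
IKE_PORT = 500                                  # port named in the rdr rule

def classify(packet: bytes) -> str:
    """Return 'ike', 'esp', 'gre', 'other' or 'malformed' for a raw IPv4 packet."""
    if len(packet) < 20:
        return "malformed"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return "malformed"
    frag_field = struct.unpack("!H", packet[6:8])[0]
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"            # no ports: only address/protocol matching applies
    if proto == PROTO_GRE:
        return "gre"            # same situation as ESP
    if proto != PROTO_UDP:
        return "other"
    if frag_field & 0x1FFF:     # non-first fragment carries no UDP header
        return "other"
    if len(packet) < ihl + 8:   # UDP header is 8 bytes
        return "malformed"
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return "ike" if dport == IKE_PORT else "other"

def build_ipv4(proto: int, payload: bytes, frag: int = 0) -> bytes:
    """Constructed test packet; header checksum is left 0 (not validated here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                      proto, 0, socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("198.51.100.1"))
    return hdr + payload

UDP_IKE = struct.pack("!HHHH", 500, 500, 8, 0)   # sport, dport, length, checksum
SAMPLES = {                                       # constructed sample packets
    "esp": build_ipv4(PROTO_ESP, b"\x00" * 16),
    "gre": build_ipv4(PROTO_GRE, b"\x00" * 8),
    "ike": build_ipv4(PROTO_UDP, UDP_IKE),
    "dns": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "ike_fragment": build_ipv4(PROTO_UDP, UDP_IKE, frag=0x0001),
    "short_udp": build_ipv4(PROTO_UDP, b"\x01\xf4"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} -> {classify(pkt)}")
```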