Re: Masquerading IPSec connections on FreeBSD?
Hi Brian,
On Thu, 2002-09-05 at 01:42, Brian Candler wrote:
>
> Well, FreeBSD can do masquerading (NAT) and it also has reliable IPSEC
> support in the kernel. I've used both in anger.
>
> IMO the problems you are likely to come across are:
>
> 1. mixing masquerading and IPSEC on the same box; and
> 2. if you are interoperating with Windows IPSEC clients, getting key
> exchange and client authentication to work.
<snip>
Thanks for that, I will need it for yet another installation that had
baffled me :-(...
Anyhow, in this case, what I am trying to set up is a gateway/firewall
that I can use (even say on the machine which does masquerading for my
dial up clients) so that I do not need to know about the remote IPSEC
servers... but just allow tunnels to be set up by the windows (or other)
IPSEC client THROUGH my firewall/gateway and finally to whatever IPSEC
server their client communicates with. The set up of what I would want
is somewhat like this.
    windows IPSEC client (By Galileo)
    (private ip address)                  <=======
            ||                                   ||
            ||                                   ||
    Un*x Gateway/Firewall                        ||
    (clients global IP address)                  ||   tunnel is set up
            ||                                   ||   seamlessly between
            ||                                   ||   these two machines
            ||                                   ||   just as if the win
         INTERNET                                ||   machine had a global
            ||                                   ||   ip address.
            ||                                   ||
    Remote IPSEC server (Galileo software)  <====
    (Global IP address)
So, the problem I was having is that on linux, this setup would not work
for the IPSEC client - which would claim that the remote server is not
replying... (since its packets were being dropped). The question is, how
do I get FreeBSD to work as the Firewall - AND correctly pass the IPSEC
packets... unless I misunderstood your reply...
Is this possible or am I just dreaming? :-)
Patrick
--
Patrick J Okui
Systems Administrator
One2Net (U) Ltd
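The behaviour Patrick describes (the client's packets silently vanishing at the masquerading box) comes down to how port-translating NAT keys its mappings. The following is an added illustration, not code from this thread or from any of the products named in it: a toy masquerading gateway in Python that shows why a raw ESP packet from a private-address client cannot be mapped (ESP carries no transport ports), why AH cannot survive even an address-only rewrite (its integrity check covers the outer addresses), and why wrapping ESP in UDP on port 4500 (NAT traversal encapsulation) does pass through and get its replies delivered. All addresses, SPIs and the `Napt` class are constructed for the example; a real NAT may additionally track ESP by SPI for a single inside host, which this toy deliberately does not model.

```python
"""Toy port-translating NAT: why raw AH/ESP from a private client fails at a
masquerading gateway and why UDP-encapsulated ESP (port 4500) passes.
Added illustration; every address and SPI below is constructed."""
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

PROTO_UDP = 17   # IANA IP protocol numbers
PROTO_ESP = 50
PROTO_AH = 51
NAT_T_PORT = 4500

CLIENT_PRIV = "192.168.0.10"   # constructed: IPsec client behind the gateway
GATEWAY_PUB = "203.0.113.5"    # constructed: gateway's global address
SERVER_PUB = "198.51.100.20"   # constructed: remote IPsec server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # transport ports: only present for UDP here
    dport: Optional[int] = None
    spi: Optional[int] = None     # AH/ESP security parameter index
    icv: Optional[str] = None     # AH integrity check value (toy)


def ah_icv(pkt: Packet) -> str:
    """Toy AH ICV over the fields AH really covers: the outer IP addresses
    and the SPI. Any rewrite of src/dst therefore invalidates it."""
    data = f"{pkt.src}|{pkt.dst}|{pkt.spi}".encode()
    return hashlib.sha256(data).hexdigest()[:16]


class Napt:
    """Single-public-address masquerader keyed on (protocol, public port)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}    # (proto, public_port) -> (private_ip, private_port)
        self.dropped = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == PROTO_UDP:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.public_ip, sport=pub_port)
        if pkt.proto == PROTO_AH:
            # Address-only rewrite: the packet is forwarded, but the ICV the
            # server recomputes will no longer match.
            return replace(pkt, src=self.public_ip)
        # ESP has no ports to build a mapping on, so this masquerader has no
        # way to route replies back inside and drops the packet.
        self.dropped.append(pkt)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port = entry
        return replace(pkt, dst=priv_ip, dport=priv_port)


def raw_esp_traverses() -> bool:
    """Client sends ESP directly; the masquerader cannot map it."""
    nat = Napt(GATEWAY_PUB)
    return nat.outbound(Packet(CLIENT_PRIV, SERVER_PUB, PROTO_ESP, spi=0x1001)) is not None


def ah_verifies_after_nat() -> bool:
    """Client sends AH; the server recomputes the ICV over what it receives."""
    nat = Napt(GATEWAY_PUB)
    pkt = Packet(CLIENT_PRIV, SERVER_PUB, PROTO_AH, spi=0x2002)
    pkt = replace(pkt, icv=ah_icv(pkt))
    seen = nat.outbound(pkt)
    return seen is not None and ah_icv(seen) == seen.icv


def nat_t_roundtrip() -> bool:
    """ESP inside UDP/4500 gets a port mapping; the server's reply to the
    public address/port is mapped back to the private client."""
    nat = Napt(GATEWAY_PUB)
    out = Packet(CLIENT_PRIV, SERVER_PUB, PROTO_UDP,
                 sport=NAT_T_PORT, dport=NAT_T_PORT, spi=0x3003)
    on_wire = nat.outbound(out)
    if on_wire is None:
        return False
    reply = Packet(SERVER_PUB, on_wire.src, PROTO_UDP,
                   sport=NAT_T_PORT, dport=on_wire.sport, spi=0x3003)
    back = nat.inbound(reply)
    return back is not None and back.dst == CLIENT_PRIV and back.dport == NAT_T_PORT


if __name__ == "__main__":
    print("raw ESP traverses NAT:", raw_esp_traverses())        # False
    print("AH verifies after NAT:", ah_verifies_after_nat())    # False
    print("NAT-T round trip works:", nat_t_roundtrip())         # True
```

Run it as a script to see the three outcomes side by side. The practical reading for a gateway operator: a plain masquerading box cannot carry raw ESP or AH for hosts behind it no matter how the firewall rules are written, so the workable options are UDP encapsulation negotiated by both IPsec endpoints, a NAT that tracks ESP by SPI for one inside host, or giving the client a global address.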
-----
This is the afnog mailing list, managed by Majordomo 1.94.5