[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: ipsec : client -> pf/nat -> server



Look at the bridge LINK2 mode > gif > nat... for IPsec translation - at
least a place to start - look also at ipsecadm + isakmpd
no clue if it works, that cicso thing could be a problem, but it looks like
what you want - I don't think PF does IPsec on its own.
I could be wrong, PF is moving so fast and I focus so slowly.. =)
-----Original Message-----
From: loo [mailto:71@becile.com]
Sent: Monday, April 14, 2003 1:29 PM
To: pf@benzedrine.cx
Subject: ipsec : client -> pf/nat -> server
Hi,
I have to make a vpn between our lan and another peer. The picture is :
<------------ Our LAN ------------->           <--- Other peer ----->
cisco VPN client ------> OpenBSD 3.2-->inet--->Cisco router--->Server
3.6.3 (B)                PF + NAT               VPN GW
The all should be donne in ESP tunnel mode.
Someone pointed out http://www.cryptonomicon.org/notes/vpn_nat.html in this 
list, which talks about IPSEC+NAT, but it seems down now.
My questions are :
1. Is there any options in PF (3.2 or 3.3) that makes nat possible (binat?)
2. AFAIK, PF can examine only the IP header, not ESP payload in this cas. So
it will be easy to spoof, and any bad boy can send any facked esp packets to
our LAN. Right ?
3. The goal is, for the peer, that only identified client (they dont trust
my 
OpenBSD gateway:-< ) can connect to the server, and for me, only trafic 
related between this client and the server can passe. Any alternatif ?
Thanks.