
Re: ipsec : client -> pf/nat -> server



Hi,
loo <71@becile.com> wrote :
> I have to make a vpn between our lan and another peer. The picture is :
> 
> <------------ Our LAN ------------->           <--- Other peer ----->
> cisco VPN client ------> OpenBSD 3.2-->inet--->Cisco router--->Server
> 3.6.3 (B)                PF + NAT               VPN GW
> 
> It should all be done in ESP tunnel mode.
> 
> Someone pointed out http://www.cryptonomicon.org/notes/vpn_nat.html in
> this list, which talks about IPSEC+NAT, but it seems down now.
This document deals with IPSEC+NAT with PF in ESP transport mode.
 
> My questions are :
> 
> 1. Are there any options in PF (3.2 or 3.3) that make NAT possible
> (binat?)
With this configuration, your client and your VPN gateway must use IPSEC
NAT-Traversal (ESP encapsulation in UDP):
See the IETF drafts for details:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt
A++ Foxy.
-- 
Laurent Cheylus <foxy@free.fr> OpenPGP ID 0x5B766EC2
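As an added illustration, not part of the original thread, here is a small Python parser for the UDP port 4500 framing defined in draft-ietf-ipsec-udp-encaps (later published as RFC 3948): it is this framing that lets a PF/NAT box, or a packet inspector on it, tell IKE, UDP-encapsulated ESP and NAT keepalives apart once the peers have negotiated NAT-Traversal. The sample payloads are constructed for the example.

```python
import struct

# Once NAT-T is negotiated, IKE and ESP both travel in UDP on port 4500,
# so the NAT can rewrite the UDP source port and keep per-client state.
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes ahead of an IKE header
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive keeps the NAT mapping alive
ISAKMP_HEADER_LEN = 28


def classify_nat_t_payload(udp_payload: bytes) -> dict:
    """Classify the payload of a UDP datagram on port 4500.

    Per the draft, a keepalive is exactly one 0xFF byte, IKE messages are
    prefixed with a 4-byte zero marker, and anything else is an ESP packet
    whose first 4 bytes are the SPI. SPI 0 is reserved, which is what makes
    the zero marker unambiguous.
    """
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if udp_payload[:4] == NON_ESP_MARKER:
        if len(udp_payload) < 4 + ISAKMP_HEADER_LEN:
            raise ValueError("truncated IKE header after non-ESP marker")
        ispi, rspi = struct.unpack("!QQ", udp_payload[4:20])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi}
    if len(udp_payload) < 8:
        raise ValueError("too short for an ESP header (SPI + sequence)")
    spi, seq = struct.unpack("!II", udp_payload[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved; not a valid UDP-encapsulated ESP packet")
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample payloads (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1111, 0, 33, 0x20, 34, 0x08, 0, ISAKMP_HEADER_LEN)
SAMPLE_KEEPALIVE = NAT_KEEPALIVE


def summarize(payloads):
    """Return the kind of each payload, in order, for a quick flow overview."""
    return [classify_nat_t_payload(p)["kind"] for p in payloads]


if __name__ == "__main__":
    for p in (SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE):
        print(classify_nat_t_payload(p))
```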