
Re: [successful] ipsec : client -> pf/nat -> server



On Tuesday 15 April 2003 01:45, Laurent Cheylus wrote:
> With this configuration, your client and your VPN gateway must use IPSEC
> NAT-Traversal (ESP encapsulation in UDP):
Nope, I did it this morning. Here are the related changes:
IF_VLAN="fxp2"
IP_VLAN="z.z.z.z"      # Internal LAN
IP_VLANRG="x.x.x.x"    # IP of peer PIX
nat on $IF_EXT from $IP_VLAN to any -> $IP_EXT
antispoof for $IF_VLAN
block in  log on $IF_VLAN all
pass  in  on $IF_VLAN inet proto udp from $IP_VLAN to $IP_VLANRG port 500 keep state
pass  in  on $IF_VLAN inet proto esp from $IP_VLAN to $IP_VLANRG keep state
pass out  on $IF_EXT  inet proto esp from any to $IP_VLANRG keep state
(Are these keep state options OK here?)
$ uname -a
OpenBSD appocalix 3.2 GENERIC#10 i386
Thank you Daniel & al, you do a GREAT job.
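As an added illustration, not part of the original mail, the following Python models pf's "last matching rule wins" evaluation over the four filter rules posted above and shows which packets they admit; $IF_EXT is assumed to be fxp0, the z.z.z.z / x.x.x.x placeholders are kept as in the post, and the nat and antispoof lines are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

IF_VLAN, IF_EXT = "fxp2", "fxp0"            # fxp0 is an assumed name for $IF_EXT
IP_VLAN, IP_VLANRG = "z.z.z.z", "x.x.x.x"   # placeholders exactly as in the post

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    iface: str
    proto: str                # "udp", "esp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None   # None matches any protocol ("all")
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto in (None, p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))

# The filter rules from the post, in file order (nat and antispoof not modelled)
RULES = [
    Rule("block", "in", IF_VLAN),
    Rule("pass", "in", IF_VLAN, "udp", IP_VLAN, IP_VLANRG, 500),   # IKE
    Rule("pass", "in", IF_VLAN, "esp", IP_VLAN, IP_VLANRG),        # ESP
    Rule("pass", "out", IF_EXT, "esp", "any", IP_VLANRG),
]

def verdict(p: Packet, rules=RULES) -> str:
    """pf semantics without 'quick': the last matching rule decides,
    and a packet matching no rule at all is passed."""
    result = "pass"
    for r in rules:
        if r.matches(p):
            result = r.action
    return result
```

Running verdict() on a UDP/4500 packet shows it is blocked by this ruleset, which is consistent with the poster not using NAT-Traversal; only IKE on UDP/500 and raw ESP between the LAN and the PIX get through on fxp2.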