Re: VPN client cannot connect through OpenBSD router/firewall

On Mon, Jan 17, 2005 at 10:38:05PM +0100, the unit calling itself Laurent Cheylus wrote:
> > Okay.  I have a problem that I can't get my brain around and I need 
> > some help.  My wife needs to connect to her VPN at work.  I've 
> > captured packets for her connection and see that it's connecting to 
> > her work server on ports 53 (dns) and 500 (isakmp).
> [...]
> > I thought that since she was initiating the connections to port 53 and 
> > 500 that the keep state entries on the outbound tcp and udp traffic 
> > would be enough to ensure she could connect and wouldn't require me to 
> > set up NAT for these connections.  Am I wrong?  What am I missing here?
> According to your pf.conf, your TCP/UDP outbound connections are NATed.
> To use VPN IPsec client with a NAT gateway like yours, VPN client must
> use NAT-Traversal (ESP packets encapsulation in UDP packets on port
> 4500). And the IPsec gateway of your wife at work must also support
> NAT-Traversal.
> What is the IPsec client used by your wife and the IPsec gateway
> implementation used at her work?
> SSH Sentinel and Safenet SoftRemote are commercial VPN clients that
> support NAT-Traversal. isakmpd has also supported NAT-Traversal since
> OpenBSD version 3.6 :-)
I have the same problem. My VPN client is Cisco VPN Client ver 4.6.00.
I gather that pf can't pass some VPN traffic, and that getting it 
through pf will require some isakmpd setup?
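
As an added example (not from anyone in this thread), here is a minimal pf.conf for a NAT gateway like the one described above, written in the OpenBSD 3.6-era syntax (nat rules, explicit keep state); the interface names and inside network are placeholders:

```pf
# Added example, not from the thread. Interface names and the inside
# network are placeholders; adjust them to the gateway's real setup.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"

# Outbound connections from the inside network are NATed to the
# external address, as in the original poster's configuration.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny, then allow only what the VPN client needs.
block all

# IKE (UDP 500) and NAT-Traversal (UDP 4500). Because the client sits
# behind NAT, its ESP traffic has to travel encapsulated in UDP 4500;
# keep state lets the replies back in without a separate pass in rule
# on $ext_if.
pass in  on $int_if proto udp from $int_net to any port { 500, 4500 } keep state
pass out on $ext_if proto udp from any     to any port { 500, 4500 } keep state

# The capture also showed the client talking to port 53; allow DNS out.
pass in  on $int_if proto { tcp, udp } from $int_net to any port 53 keep state
pass out on $ext_if proto { tcp, udp } from any     to any port 53 keep state

# Plain ESP (IP protocol 50) carries no port numbers for NAT to rewrite,
# which is why both the client and the work gateway need NAT-Traversal
# rather than an extra rule here.
```

Nothing in this rule set touches isakmpd: the gateway only NATs and filters, and the NAT-T negotiation happens between the client and the work-side IPsec gateway.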