VPN access through pf firewall

I have a FreeBSD 8.0-RELEASE-p2 gateway router with a pf firewall.
Users on the internal network cannot connect to VPN servers on the outside.
I understand the problem, and have read extensively, but cannot find a solution.
Port 500 static mapping would only allow 1 user, which doesn't help.
Any help would be appreciated.
 
Assuming you are talking about using IPsec, I believe you will need to allow the isakmp port and all ESP protocol traffic.

Something like:
Code:
# $int is the internal (LAN-facing) interface
pass in on $int proto udp from any to any port = isakmp keep state   # IKE, udp/500
pass in on $int proto esp from any to any keep state                 # ESP payload (IP proto 50)
 
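Added example, not from any post in this thread: a complete pf.conf fragment for the gateway described above, showing the NAT rule together with the IKE and ESP pass rules, plus the NAT-T port (udp/4500) that the reply above does not list. Interface names, the LAN prefix and the macro names are assumptions for illustration.

```pf
# Example pf.conf for a FreeBSD gateway doing NAT for a LAN whose hosts run
# IPsec VPN clients to servers on the outside. Added example; interface
# names and the LAN prefix below are assumptions, adjust to your setup.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# IKE uses isakmp (udp/500); NAT-T moves IKE and ESP to udp/4500.
ike_ports = "{ isakmp, 4500 }"

# Reassemble fragments before filtering.
scrub in all

# Outbound NAT for the LAN. Do NOT add "static-port" here: pinning every
# client to source port 500 lets only one client talk to a given VPN
# server, which is the "port 500 static mapping" limit from the first post.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, then allow what is needed.
block all

# Let LAN clients start IKE and send ESP out through the gateway.
# ESP has no ports, so pf keys its state on addresses only: two LAN
# clients talking plain ESP to the same server share one state entry and
# the return traffic cannot be told apart. Multiple clients behind this
# NAT therefore need NAT-T (ESP encapsulated in udp/4500), which is
# negotiated between the client and the remote server, not on this box.
pass in  on $int_if proto udp from $lan_net to any port $ike_ports keep state
pass in  on $int_if proto esp from $lan_net to any keep state
pass out on $ext_if proto udp from any to any port $ike_ports keep state
pass out on $ext_if proto esp from any to any keep state

# General LAN-to-outside access; tighten as required.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and while a client is connecting, `pfctl -ss` shows whether the gateway is holding states for udp/500, udp/4500 or esp, which tells you whether the client and server negotiated NAT-T.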
Thank you for your reply.

Currently, all traffic is allowed on all interfaces.
I did find one article that said I should apply the following to the kernel.

Code:
device crypto # IPsec depends on this
options IPSEC
options IPSEC_DEBUG
options IPSEC_NAT_T

but I receive a syntax error for the last line.
 
If you are doing pass-through for IPsec clients, you shouldn't need IPSEC in your kernel. Reading it some more, IPsec doesn't play well with NAT without some additional configuration on the server side (i.e. the remote end of the tunnel). You may want to contact the remote administrator and ask if the configuration is set up to allow NAT traversal.
 
Solved

Thank you for your reply,

After adding the following to the kernel

Code:
device crypto # IPsec depends on this
options IPSEC
options IPSEC_DEBUG

multiple VPN clients are connecting to their corporate network. IPsec has NAT-T built in.
 