Subject: IPSec passthrough to enable VPN through NAT
To: None <netbsd-help@netbsd.org>
From: Daishi Harada <daishi@CS.Berkeley.EDU>
List: netbsd-help
Date: 10/21/2001 02:56:21
Hi,

I apologize in advance if the questions I ask here are misguided or
phrased poorly. I'm not yet entirely clear on all of the technologies
involved here.

I have a NetBSD box that has been doing NAT for me for a while.
I would now like to be able to connect to a CheckPoint VPN server
using the corresponding client under Windows. The VPN server lives in
the outside world, while the client lives inside the NATed network.

I am wondering first if this is possible. I understand from reading
the NetBSD IPSec HOWTO (Interaction with ipfilter) that there had
previously been some incompatibilities between IPSec and ipf. On the
other hand, the section also seems to indicate that this was resolved
earlier in 2001 (in -current) and has been incorporated into the
releases starting with 1.5.1.

Assuming the above isn't the showstopper, I also understand from
reading the Linux VPN-Masquerade HOWTO that CheckPoint has a
proprietary protocol FWZ which makes masquerading/NAT impossible, but
that by configuring the connection to use an alternate IKE mode that
things can be made to work. Is this also true for NetBSD?

I have upgraded my NAT box to 1.5.2, and have recompiled the kernel to
include IPSec support (defining IPSEC and IPSEC_ESP). Both my ipf.conf 
and ipsec.conf are currently empty, and ipfilter, ipnat, and ipsec are 
enabled in rc.conf.

If someone could let me know if what I'd like to do is possible, and
if so, what I have to do to get things to work, I'd appreciate it.

tia,
d
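The question above turns on why a port-translating NAT copes with IKE (UDP) but not with plain ESP or AH, and why switching the client to a UDP-encapsulated mode makes the problem go away. The following is an added example, not code from the original post or from NetBSD/ipnat: a toy model of an outbound-only NAT fed constructed packets. The addresses are RFC 5737 documentation ranges, the SPI values are arbitrary, and the use of UDP/4500 for encapsulated ESP is an assumption borrowed from RFC 3948 NAT-T, which a 2001 Check Point client need not implement; the point it shows (a port field is what the NAT needs) holds for any UDP encapsulation.

```python
"""Toy model of a port-translating NAT meeting IPsec traffic.

Added example (constructed packets, not ipnat code). It shows why IKE over UDP
translates cleanly, why a single ESP client can be passed through but two cannot,
why AH cannot be translated at all, and why UDP-encapsulated ESP behaves like
any other UDP flow. Checksums and fragmentation are ignored.
"""
from dataclasses import dataclass, replace
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT = 500
NAT_T_PORT = 4500  # assumption: RFC 3948 UDP encapsulation port


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # UDP only
    dport: Optional[int] = None  # UDP only
    spi: Optional[int] = None    # ESP/AH only


class PortNat:
    """Minimal NAT: rewrites source address (and UDP port) on the way out."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.udp_out = {}    # (inside_ip, inside_port, peer_ip, peer_port) -> public_port
        self.udp_in = {}     # (public_port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.esp_peers = {}  # peer_ip -> set of inside hosts that sent ESP to it
        self.next_port = 40000

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == IPPROTO_UDP:
            key = (p.src, p.sport, p.dst, p.dport)
            port = self.udp_out.get(key)
            if port is None:
                port, self.next_port = self.next_port, self.next_port + 1
                self.udp_out[key] = port
                self.udp_in[(port, p.dst, p.dport)] = (p.src, p.sport)
            return replace(p, src=self.public_ip, sport=port)
        if p.proto == IPPROTO_ESP:
            # ESP carries no port field. The NAT can only rewrite the source
            # address and remember which inside hosts talk ESP to this peer.
            self.esp_peers.setdefault(p.dst, set()).add(p.src)
            return replace(p, src=self.public_ip)
        # AH's integrity check covers the IP source address, so any rewrite is
        # detected by the peer: a NAT cannot carry AH. Unknown protocols: drop.
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == IPPROTO_UDP:
            hit = self.udp_in.get((p.dport, p.src, p.sport))
            if hit is None:
                return None
            inside_ip, inside_port = hit
            return replace(p, dst=inside_ip, dport=inside_port)
        if p.proto == IPPROTO_ESP:
            # The inbound SPI was chosen by the inside host inside encrypted
            # IKE, so the NAT never saw it. It can only forward when exactly one
            # inside host has an ESP relationship with this peer.
            hosts = self.esp_peers.get(p.src, set())
            if len(hosts) != 1:
                return None
            (inside_ip,) = hosts
            return replace(p, dst=inside_ip)
        return None


def run_scenarios() -> dict:
    """Returns {scenario: True} for each expected outcome; constructed traffic."""
    nat = PortNat("203.0.113.1")
    a, b, gw = "192.168.1.10", "192.168.1.11", "198.51.100.7"
    r = {}
    # 1. IKE over UDP/500 is ordinary UDP and translates in both directions.
    out = nat.outbound(Packet(IPPROTO_UDP, a, gw, IKE_PORT, IKE_PORT))
    back = nat.inbound(Packet(IPPROTO_UDP, gw, nat.public_ip, IKE_PORT, out.sport))
    r["ike"] = back is not None and back.dst == a and back.dport == IKE_PORT
    # 2. One ESP client behind the NAT works: the inbound mapping is unambiguous.
    nat.outbound(Packet(IPPROTO_ESP, a, gw, spi=0x1001))
    esp = nat.inbound(Packet(IPPROTO_ESP, gw, nat.public_ip, spi=0x2002))
    r["esp_single"] = esp is not None and esp.dst == a
    # 3. A second client to the same gateway makes inbound ESP undeliverable.
    nat.outbound(Packet(IPPROTO_ESP, b, gw, spi=0x1003))
    r["esp_two_clients"] = nat.inbound(Packet(IPPROTO_ESP, gw, nat.public_ip, spi=0x2004)) is None
    # 4. AH never gets out.
    r["ah"] = nat.outbound(Packet(IPPROTO_AH, a, gw, spi=0x3001)) is None
    # 5. UDP-encapsulated ESP is just another UDP flow, so both clients work.
    oa = nat.outbound(Packet(IPPROTO_UDP, a, gw, NAT_T_PORT, NAT_T_PORT))
    ob = nat.outbound(Packet(IPPROTO_UDP, b, gw, NAT_T_PORT, NAT_T_PORT))
    ra = nat.inbound(Packet(IPPROTO_UDP, gw, nat.public_ip, NAT_T_PORT, oa.sport))
    rb = nat.inbound(Packet(IPPROTO_UDP, gw, nat.public_ip, NAT_T_PORT, ob.sport))
    r["nat_t_two_clients"] = ra is not None and ra.dst == a and rb is not None and rb.dst == b
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

Two caveats the model leaves out: some IKE implementations insist on UDP source port 500 and reject a peer whose port the NAT rewrote, so keeping port 500 untranslated matters in practice; and a NAT that lets ESP through for a single inside host is relying on the "exactly one client" guess in scenario 2, which silently breaks when a second machine on the LAN connects to the same gateway.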