Subject: Re: IPSec/NAT forwarding
To: None <port-mac68k@netbsd.org>
From: Herb Singleton <hsingleton@mac.com>
List: port-mac68k
Date: 03/07/2001 23:41:30
On Tue, 6 Mar 2001, Herb Singleton wrote:

> Has anyone had any luck forwarding IPsec packets
> through IP NAT?
>
> Any ideas if/how to configure IPNAT rules to allow
> these connections through? I am
> currently using Erik Winkler's ipf.conf (with a few
> modifications).

I am going to answer my own question for the
sake of the archives and newbies:

Assuming the IPsec tunnel is using esp packets (AH
packets will never work through NAT) put the following
line in your ipnat.conf file:

rdr sn0 0/0 port 0 -> your.internal.ip.address port 0 esp

This line redirects all esp packets to a specific host in
your internal network. The downside is that this only works
for a single internal address.

If your IPsec tunnel uses IKE, you may have to disable port
mapping and forward all traffic through port 500 to your
single host using something like:

rdr sn0 external.ip.address port 500 -> internal.ip.address port 500 udp

Note that my setup worked without the IKE redirect line, so
I'm not positive that it would work.

Check out
http://lists.openresources.com/FreeBSD/freebsd-net/msg02214.html
and
http://www.false.net/ipfilter/1999_12/0088.html for more info.

Herb
___________________________________________________________
Herb Singleton
hsingleton@mac.com
Everything in acoustics: http://www.cross-spectrum.com
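As an added illustration (not part of the original mail or of IPFilter itself), the small checker below parses `rdr` lines from an ipnat.conf and reports whether the ESP and IKE (UDP 500) redirects described above are in place, flags any `ah` redirect as ineffective since AH cannot survive address rewriting, and checks the single-internal-host limitation the post mentions. The interface name, addresses and the sample config are constructed placeholders.

```python
import re
from ipaddress import ip_address

# Constructed sample ipnat.conf (placeholder addresses, not from the mail):
# a map rule plus the two rdr rules the post describes.
SAMPLE_IPNAT_CONF = """\
# outbound NAT for the LAN
map sn0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map sn0 192.168.1.0/24 -> 0/32
# IPsec passthrough to a single internal host
rdr sn0 0/0 port 0 -> 192.168.1.10 port 0 esp
rdr sn0 203.0.113.5/32 port 500 -> 192.168.1.10 port 500 udp
"""

# rdr <ifname> <ext addr> port <p> -> <int addr> port <p> <proto>
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<eport>\d+)"
    r"\s+->\s+(?P<int>\S+)\s+port\s+(?P<iport>\d+)\s+(?P<proto>\S+)$"
)

def parse_rdr_rules(conf_text):
    """Return one dict per rdr line; comments and other rule types are skipped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RDR_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ip_address(d["int"].split("/")[0])  # target must be a valid host address
        d["eport"], d["iport"] = int(d["eport"]), int(d["iport"])
        rules.append(d)
    return rules

def ipsec_passthrough_status(rules):
    """Summarise which IPsec pieces the rdr rules forward, and to which host."""
    esp = [r["int"] for r in rules if r["proto"] == "esp"]
    ike = [r["int"] for r in rules if r["proto"] == "udp" and r["iport"] == 500]
    # AH's integrity check covers the IP addresses, so a NAT rewrite breaks it:
    # any ah rdr is reported as ineffective rather than as passthrough.
    ah = [r["int"] for r in rules if r["proto"] == "ah"]
    return {
        "esp_targets": esp,
        "ike_targets": ike,
        "ineffective_ah_rules": ah,
        # the esp rdr can only serve one internal host, as the post notes
        "single_host_ok": len(set(esp)) <= 1,
    }
```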