On 14.11.06 12:09 -0800, Michael A. Alderete wrote:

> It is my understanding from reading the manual and the list
> archives that m0n0wall does not support NAT-Traversal, and so you

That's true...

> cannot use VPN software through a m0n0wall box.

That's not true. m0n0wall only cannot act as an IPsec VPN endpoint with NAT-T at this time, but that doesn't stop you from using other VPN clients/servers that do. In fact, Cisco VPN clients work very well behind m0n0walls (I use one myself as well) - often even without NAT-T.

> That is, this configuration cannot be made to work:
>
> PowerBook w/ <--> m0n0wall <--> (internet) <--> Central Office w/
> Cisco VPN         using                         Cisco VPN
> Client            NAT                           Server
> 192.168.1.3

This should work just fine.

> P.S. Are there any plans to do away with the lack of NAT-Traversal?
> From my reading, it sounds like it would require moving off of
> FreeBSD 4.x. But as security requirements continue to be raised, it
> seems like it's kind of important to allow people to use their work
> VPN connections.

--

FreeBSD 6.x will bring us NAT-T support for IPsec VPN tunnels terminated on m0n0wall itself.

- Manuel