Chris Buechler wrote:
On Thu, May 22, 2008 at 1:51 AM, John Greiner <[EMAIL PROTECTED]> wrote:
Thank you Chris for the response! Glad it wasn't just me being a dolt. I
wonder what kind of magic the Secure Computing folks were
able to conjure up that enables UDP 500 to be shared at the firewall and behind
it...
Yeah I'm not sure what they were doing. The only way that could work
with pfSense is if the local racoon could differentiate between L2TP
for another destination and IPsec destined to itself and route
accordingly, which it's not capable of doing.
Hmmm. Assuming the L2TP clients are roaming with dynamic addresses, why
not set up rules that forward IPsec-related traffic from anywhere but the
static IPsec peers to the L2TP host? I'm not sure how the pfSense rules
would look, but in plain pf it would look something like this ...
EXT = "your external interface name"
L2TP = "ip address of your internal L2TP host"
VPNGW1 = "static address of site to site peer #1"
VPNGW2 = "static address of site to site peer #2"
# static site-to-site peers whose IKE/ESP must terminate on the firewall's own racoon
table <vpngw> const { $VPNGW1, $VPNGW2 }
# everyone else (the roaming L2TP clients): redirect IKE, NAT-T and raw ESP
# to the internal L2TP host; rdr is first-match and the negated table keeps
# the static peers' traffic on the firewall itself
rdr on $EXT proto udp from !<vpngw> to $EXT port 500 -> $L2TP port 500
rdr on $EXT proto udp from !<vpngw> to $EXT port 4500 -> $L2TP port 4500
rdr on $EXT proto esp from !<vpngw> to $EXT -> $L2TP
-Matthew
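The rdr rules above only rewrite the destination address; pf still has to let the translated packets through, and a roaming client behind NAT never sends raw ESP at all (it arrives inside UDP 4500 via NAT-T). The fragment below is an added example, not Matthew's or pfSense's own configuration: it carries his idea through to a complete plain-pf fragment with the matching filter rules. The interface name `em0`, the L2TP host `192.168.1.10` and the two peer addresses from the RFC 5737 documentation ranges are assumed placeholders, not values from the thread.

```pf
# Added example (not from the original thread). All names and addresses are
# assumptions standing in for a real deployment.
ext_if    = "em0"             # assumed external interface
l2tp_host = "192.168.1.10"    # assumed internal L2TP/IPsec server
vpngw1    = "203.0.113.10"    # assumed static site-to-site peer #1
vpngw2    = "198.51.100.20"   # assumed static site-to-site peer #2

# Static peers whose IKE/ESP must terminate on the firewall's own racoon.
table <vpngw> const { $vpngw1, $vpngw2 }

# Redirect IKE (500), NAT-T (4500) and raw ESP from everyone except the
# static peers to the internal L2TP host. rdr is first-match; the negated
# table is what keeps the static peers' traffic on the firewall itself.
rdr on $ext_if proto udp from !<vpngw> to $ext_if port 500  -> $l2tp_host port 500
rdr on $ext_if proto udp from !<vpngw> to $ext_if port 4500 -> $l2tp_host port 4500
rdr on $ext_if proto esp from !<vpngw> to $ext_if           -> $l2tp_host

# rdr only rewrites the destination; the filter rules below must admit the
# translated packets. Roaming clients behind NAT carry ESP inside UDP 4500
# (NAT-T), so port 4500 is the rule that matters most for them.
pass in on $ext_if proto udp from !<vpngw> to $l2tp_host port { 500, 4500 } keep state
pass in on $ext_if proto esp from !<vpngw> to $l2tp_host keep state

# Static peers keep talking to the firewall's own IPsec stack.
pass in on $ext_if proto udp from <vpngw> to $ext_if port { 500, 4500 } keep state
pass in on $ext_if proto esp from <vpngw> to $ext_if keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and verify the split with `pfctl -s state` while one static peer and one roaming client are up: the peer's IKE state should show the firewall's address as the endpoint, the client's should show the L2TP host.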