NAT here refers to port address translation, a special case of NAT in which a single public IP address is used to hide all the private addresses. Some NAT implementations call this "masquerading" or "overloading".
It is assumed that the reader understands the basic concepts of IPSec, such as IKE, ESP and AH, and is capable of configuring a firewall on FreeBSD.
There are other projects which try to overcome this limitation. The Linux VPN Masquerade project supports multiple IPSec/PPTP clients behind a NAT router. The IETF standard solution for IPSec over NAT is called NAT traversal; at least one commercial product, the SSH NAT Traversal Toolkit, is capable of this. If you REALLY need to use multiple clients/gateways, you should look at these alternatives.
OK, here are the guidelines for different versions of FreeBSD.
In FreeBSD-4.2 and later, all the necessary software is already in place. All you have to do is start natd with the following parameters:
    # redirect ESP traffic to 192.168.1.1
    redirect_proto 50 192.168.1.1
    # redirect IKE traffic to host 192.168.1.1
    redirect_port udp 192.168.1.1:isakmp isakmp
On earlier versions this is somewhat more difficult, as the operating system doesn't provide all the features out of the box. You can do it the easy way: grab the sources of the FreeBSD-4.2 natd and libalias, compile and install them, and configure as above.
Or, you can do it the hard way: install my patches, compile as usual and configure natd with the following parameters:
    # redirect ESP traffic to 192.168.1.1
    espalias 192.168.1.1
    # redirect IKE traffic to host 192.168.1.1
    redirect_port udp 192.168.1.1:isakmp isakmp
Here are some guidelines if you want to play with your firewall rules:
    # Divert incoming IKE traffic from 10.10.10.1:
    $fwcmd add divert natd udp from 10.10.10.1 to $firewall 500
    $fwcmd add pass udp from 10.10.10.1 to $ipsec_gw 500
    # Divert incoming ESP traffic:
    $fwcmd add divert natd 50 from 10.10.10.1 to $firewall
    $fwcmd add pass 50 from 10.10.10.1 to $ipsec_gw
$fwcmd above is the path to your ipfw command, $firewall is the NAT machine and $ipsec_gw is the IPSec client/gateway. 10.10.10.1 is the other end of the IPSec tunnel.
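The natd entries and ipfw rules above, wrapped into a small script as an added example (not the author's own code). It emits the natd.conf lines, runs the ipfw rules with a dry-run mode so they can be reviewed first, and counts how many inside hosts natd.conf tries to hand ESP to, since ESP carries no port numbers and can only be redirected to one host. The public address 203.0.113.1 is an assumed placeholder; 192.168.1.1 and 10.10.10.1 are the addresses used on this page.

```shell
#!/bin/sh
# Added example: natd/ipfw setup for one IPSec gateway behind a FreeBSD natd
# firewall. Addresses can be overridden from the environment.
fwcmd="${fwcmd:-/sbin/ipfw}"
firewall="${firewall:-203.0.113.1}"    # assumed placeholder public address
ipsec_gw="${ipsec_gw:-192.168.1.1}"    # inside IPSec client/gateway
remote="${remote:-10.10.10.1}"         # other end of the IPSec tunnel

# Emit the natd.conf lines. ESP (IP protocol 50) has no port numbers, so
# redirect_proto can only hand it to a single inside host; IKE is UDP/500.
natd_conf() {
    printf 'redirect_proto 50 %s\n' "$ipsec_gw"
    printf 'redirect_port udp %s:isakmp isakmp\n' "$ipsec_gw"
}

# Run the ipfw rules. With DRY_RUN=1 the commands are printed instead of
# executed, so the rule set can be reviewed before touching a live firewall.
ipfw_rules() {
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
    # IKE from the remote end: divert to natd, then pass to the inside gateway
    run "$fwcmd" add divert natd udp from "$remote" to "$firewall" 500
    run "$fwcmd" add pass udp from "$remote" to "$ipsec_gw" 500
    # ESP from the remote end
    run "$fwcmd" add divert natd 50 from "$remote" to "$firewall"
    run "$fwcmd" add pass 50 from "$remote" to "$ipsec_gw"
}

# Sanity check on a natd.conf read from stdin: the number of inside hosts
# that receive ESP. Anything other than 1 means the setup cannot work.
esp_targets() {
    grep -c '^redirect_proto 50 '
}
```

Run with `DRY_RUN=1 sh script.sh` after appending a call to `ipfw_rules`, or feed `natd_conf` output into `esp_targets` to check an existing configuration.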
THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.