
NAT and VPN on OpenBSD



The OS is OpenBSD-current, and the Firewall/NAT software is the PF bundled in the OS.  I have a problem running the FTP-proxy along with several VPNs.  Specifically, I am having trouble making active FTP work in this configuration.  What I want to accomplish:

   o NAT all non-VPN outgoing traffic on the public port
   o Leave the VPN traffic untouched, i.e. NATing is not needed, because it is going to go through the VPN tunnel.

This means that FTP traffic should only be redirected after SPD (Security Policy Database) lookup has failed.

The problems I am having are:

  o When FTP traffic comes in from the private port, rules need to be set up to redirect FTP (non-VPN) traffic to the FTP proxy.  But at this point one cannot tell if this is VPN or non-VPN traffic, as SPD lookup happens only after FTP-proxy.

  o Our setup includes lots of VPNs, and VPNs can come and go (as people log in and out).  Dynamically updating the rdr rules to exclude what will later be identified as VPN traffic is tedious and error prone, and duplicates the information in the SPD.  In short, our NAT setup has to be VPN-aware, which is not ideal.  Any alternatives?
 
The questions I have are:

  o Has anyone run into this problem, i.e. making NAT and VPN coexist?  Any solutions?
  o Am I missing something?
  o Any work-arounds or patches?
  o Any takers on the problem?  :)


This worked fine with OpenBSD 2.9 and IPF using the in-kernel ftp proxy.

Thanks in advance,
Lin
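For readers arriving at this thread: the explicit-exclusion approach the poster calls tedious looks like the following in the nat/rdr syntax PF used before OpenBSD 4.7 (this is an added illustration, not the poster's configuration or anything from the OpenBSD project). Interface names, the private network and the two VPN peer networks are constructed placeholders; the proxy is assumed to be the inetd-run ftp-proxy listening on 127.0.0.1 port 8021. PF evaluates "no nat" / "no rdr" before the matching translation rule, so traffic bound for a listed VPN network is left untouched and never reaches the proxy, while everything else is NATed and FTP is proxied.

```pf
# Constructed example values: adjust to the real interfaces and networks.
ext_if  = "fxp0"                 # public port
int_if  = "fxp1"                 # private port
int_net = "10.0.0.0/24"          # internal clients
vpn_nets = "{ 10.1.0.0/24, 10.2.0.0/24 }"   # networks reached via VPN (placeholders)

# Translation: traffic to VPN peers is excluded first, then everything
# else leaving the public port is NATed to the public address.
no nat on $ext_if from $int_net to $vpn_nets
nat on $ext_if from $int_net to any -> ($ext_if)

# FTP redirection: VPN-bound FTP is NOT sent to the proxy, so it stays
# unmodified and is handled by the IPsec policy; other FTP goes to
# ftp-proxy on the loopback (inetd, port 8021 assumed).
no rdr on $int_if proto tcp from $int_net to $vpn_nets port 21
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Active FTP: the proxy opens the data connection back to the client, and
# the server connects to the proxy on a high port; allow only sockets
# owned by the proxy user rather than the whole high-port range.
pass in on $ext_if inet proto tcp from any to ($ext_if) port > 49151 user proxy keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state
```

This does not remove the limitation the poster describes: the vpn_nets list duplicates the SPD and must be reloaded whenever a tunnel is added or removed. Later PF releases added tables, which at least let that list be changed with pfctl -t instead of a full rule reload, but the SPD remains the authoritative source and the list must be kept in sync with it.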