IPIP tunnel behind NAT

Hi everyone,

I'm trying to configure a GIF IPIP tunnel from a FreeBSD box
to a Cisco 
router in order to route IPv6 blocks to a remote location.

However, I can't find good documentation to find out whether
this will 
work in behind a NAT device.

The FreeBSD box has a private IP, NAT'd 1:1. The Cisco is
across the 
'net and is in the public network.

Will this tunnel setup work? If so, how? Will I have to move
the FreeBSD 
box outside of NAT and give it a public IP?

Regards,

Steve
_______________________________________________
freebsd-netfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to
"freebsd-net-unsubscribefreebsd.org"

It'll work fine. I've done this several times before.
However I've also had NAT implementations which didn't work
this way but
this one should definitely work.

Baldur

On Fri, Apr 18, 2008 at 09:25:50AM -0400, Steve Bertrand
wrote:
> Hi everyone,
> 
> I'm trying to configure a GIF IPIP tunnel from a
FreeBSD box to a Cisco 
> router in order to route IPv6 blocks to a remote
location.
> 
> However, I can't find good documentation to find out
whether this will 
> work in behind a NAT device.
> 
> The FreeBSD box has a private IP, NAT'd 1:1. The Cisco
is across the 
> 'net and is in the public network.
> 
> Will this tunnel setup work? If so, how? Will I have to
move the FreeBSD 
> box outside of NAT and give it a public IP?
> 
> Regards,
> 
> Steve
> _______________________________________________
> freebsd-netfreebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to
"freebsd-net-unsubscribefreebsd.org"
> 

_______________________________________________
freebsd-netfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to
"freebsd-net-unsubscribefreebsd.org"

Baldur Gislason wrote:
> It'll work fine. I've done this several times before.

Hmmm. I still can't seem to get this setup to work. The
FreeBSD box is 
in behind a Fortigate 200 unit.

> However I've also had NAT implementations which didn't
work this way but
> this one should definitely work.

Are there any ports that need to be opened on the Fortigate
to allow the 
tunnel traffic through? There appears to be no place in the
Fortigate to 
pass protocol 41 traffic.

Thanks,

Steve
_______________________________________________
freebsd-netfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to
"freebsd-net-unsubscribefreebsd.org"

You need to do do a one-to-one NAT, so protocol 94 (IPIP)
packets get forwarded.
It's not TCP or UDP, so no ports there.
Alternatively, you can set up a NAT traversing IPSEC-in-UDP
tunnel, but that requires a kernel patch.

Baldur

On Thu, Apr 24, 2008 at 08:11:34AM -0400, Steve Bertrand
wrote:
> Baldur Gislason wrote:
> >It'll work fine. I've done this several times
before.
> 
> Hmmm. I still can't seem to get this setup to work. The
FreeBSD box is 
> in behind a Fortigate 200 unit.
> 
> >However I've also had NAT implementations which
didn't work this way but
> >this one should definitely work.
> 
> Are there any ports that need to be opened on the
Fortigate to allow the 
> tunnel traffic through? There appears to be no place in
the Fortigate to 
> pass protocol 41 traffic.
> 
> Thanks,
> 
> Steve
> _______________________________________________
> freebsd-netfreebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to
"freebsd-net-unsubscribefreebsd.org"
> 

_______________________________________________
freebsd-netfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to
"freebsd-net-unsubscribefreebsd.org"