# VPN access through pf firewall



## triumdh (Aug 18, 2010)

I have a FreeBSD 8.0-RELEASE-p2 gateway router with a pf firewall.
Users on the internal network cannot connect to VPN servers on the outside.
I understand the problem, and have read extensively, but cannot find a solution.
Port 500 static mapping would only allow 1 user, which doesn't help.
Any help would be appreciated.


----------



## gordon@ (Aug 18, 2010)

Assuming you are talking about using IPsec, I believe you will need to allow the isakmp port and all ESP proto traffic.

Something like:

```
# IKE / ISAKMP key exchange (udp/500) from the internal interface
pass in on $int proto udp from any to any port = isakmp keep state
# ESP (IP protocol 50), the encrypted tunnel traffic itself
pass in on $int proto esp from any to any keep state
```

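As an added illustration (not from this thread or the poster's configuration), here is a pf.conf fragment for the situation described above: several LAN clients behind one NAT gateway reaching external IPsec servers. Interface names and the internal network are assumed; note the absence of `static-port`, which is what limits a udp/500 mapping to a single client.

```pf
# Constructed example pf.conf fragment; interface names and addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Ordinary NAT. Let pf rewrite source ports so several clients can share the
# gateway address. Do NOT add "static-port" here: pinning udp/500 to its
# original source port means only one client at a time can use it.
nat on $ext_if from $int_net to any -> ($ext_if)

# IKE (isakmp, udp/500) and NAT-T (udp/4500, ESP encapsulated in UDP).
# With NAT-T the clients and servers tolerate the port rewriting above.
pass in  quick on $int_if proto udp from $int_net to any port { isakmp, 4500 } keep state
pass out quick on $ext_if proto udp from any     to any port { isakmp, 4500 } keep state

# Raw ESP (IP protocol 50) for servers that do not offer NAT-T. ESP carries no
# ports, so pf can only track it by address pair: only one internal client can
# talk to a given server this way, and a second one will break the first.
pass in  quick on $int_if proto esp from $int_net to any keep state
pass out quick on $ext_if proto esp from any     to any keep state
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it, and confirm that clients are actually negotiating NAT-T with `pfctl -ss | grep 4500` once a tunnel is up.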

----------



## triumdh (Aug 18, 2010)

Thank you for your reply.

Currently, all traffic is allowed on all interfaces.
I did find one article that said I should apply the following to the kernel.


```
device crypto        # IPsec depends on this
options IPSEC        # IP security (ESP/AH)
options IPSEC_DEBUG  # debug output for IPsec
options IPSEC_NAT_T  # NAT traversal (this line produces the syntax error)
```

but I receive a syntax error for the last line.


----------



## gordon@ (Aug 19, 2010)

If you are doing pass-through for IPsec clients, you shouldn't need IPSEC in your kernel. Reading it some more, IPsec doesn't play well with NAT without some additional configuration on the server side (i.e. the remote end of the tunnel). You may want to contact the remote administrator and ask if the configuration is set up to allow NAT traversal.


----------



## triumdh (Aug 19, 2010)

*Solved*

Thank you for your reply.

After adding the following to the kernel


```
device crypto        # IPsec depends on this
options IPSEC        # IP security (ESP/AH)
options IPSEC_DEBUG  # debug output for IPsec
```

multiple VPN clients are connecting to their corporate network. IPsec has NAT-T built in.


----------

