Netscreen VPN NAT

Solaris 10
Ipfilter 4.1.5 (plus patches making it 4.1.6ish).

No ipf.conf rules, standard NAT only rules:


map e1000g0 192.168.0.0/16 -> extint/32 proxy port ftp ftp/tcp
map e1000g0 192.168.0.0/16 -> extint/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/16 -> extint/32



For some reason the "network team" decided that they want to VPN from 192.168/16
to a Netscreen in the other datacenter.

They find that the first session works well, but not the second etc. My initial
guess is that the first session gets port 500, and the following do not.

Checking the FAQ, and this list, it would appear I should add:

#map extint from rfc1918/24 port=500 to vpnip/32 -> publicip/32
#map extint rfc1918/24 -> publicip/32 proxy port 500 ipsec/udp

At the top of ipnat.conf, in that other.

However, when I add these two lines, the other (non-VPN) NAT'ing grinds to a
halt. Sort of works, but like surfing through molasses.

Has there been any bug fixes with the VPN proxy code recently that could account
for the NAT'ing being affected by just adding these rules? We haven't actually
got to trying if the VPN's will work, since it creates havoc whenever I add the
rules.

(Removing rules, and ipnat -CF get it back again).

The Changelog on the ipfilter webpage only talks about v3 series.

Lund

--
Jorgen Lundman | <lundman@lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)