Date: Fri, 18 Jun 2004 09:07:10 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: Jim Freeze
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: natd firewall settings for vpn
Message-Id: <20040618090710.068013f3.wmoran@potentialtech.com>
In-Reply-To: <20040618051102.GA692@freeze.org>
References: <20040618051102.GA692@freeze.org>
Organization: Potential Technologies
X-Mailer: Sylpheed version 0.9.10 (GTK+ 1.2.10; i386-portbld-freebsd4.9)

Jim Freeze wrote:

> I am trying to configure my firewall to allow packets through
> for a VPN connection. I am running FBSD 5.2 as my router and am trying
> to connect my laptop from behind the router to our work computer.
>
> The laptop is running OSX 10.3.4 with a Nortel Networks client
> made by Apani.
>
> The VPN connection works when the laptop is connected directly
> to my DSL modem or when behind the gateway when I set the
> firewall type to 'open'.
>
> Support at Apani says that I need to open port 500 and
> allow protocols 50 and 51 (whatever that means).
>
> I found the firewall settings below from the archive and have
> implemented them before the divert statement (after also)
> but with no luck.
>
> # Allow IPSec clients to run behind firewall
> # --- ISAKMP - allow key exchange over UDP 500
> ${fwcmd} add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
> ${fwcmd} add pass udp from ${oip} to any 500 out xmit ${oif}
> ${fwcmd} add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
> ${fwcmd} add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}
> # --- ESP - allow protocol 50 (ESP) for everyone ;-)
> ${fwcmd} add pass esp from any to any
>
> Does anyone have a firewall with a working Nortel client behind it?
> I would greatly appreciate any help.

Try adding a rule "add pass ah from any to any" ... that's protocol 51.

(not really an expert or anything, but just happened to notice that missing)

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
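The thread boils down to three things an IPsec client behind an ipfw/natd router needs let through: UDP 500 (ISAKMP), IP protocol 50 (ESP) and IP protocol 51 (AH), and the original ruleset was missing the third. The script below is an added example, not code from either poster: it takes the text of `ipfw list` output and reports which of those three rules is absent, then prints the `${fwcmd} add pass ...` line that would add it. The sample ruleset is constructed to mirror the poster's situation (ISAKMP and ESP present, AH missing); the interface names, addresses and the natd divert port in it are placeholders, and the `suggest_rule` wording follows the thread's own rule style.

```shell
#!/bin/sh
# Added example (not from the original thread): check an ipfw ruleset for
# the IPsec pass-through rules discussed above and suggest what is missing.

# Constructed sample of `ipfw list` output. Like the original poster's
# ruleset it has the ISAKMP (UDP 500) and ESP (protocol 50) rules but no
# AH (protocol 51) rule. Addresses, interfaces and the divert port are
# placeholders.
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 divert 8668 ip from any to any via fxp0
00300 allow udp from 192.168.1.0/24 to any 500 in recv fxp1
00310 allow udp from 10.0.0.5 to any 500 out xmit fxp0
00320 allow udp from any 500 to 192.168.1.0/24 in recv fxp0
00330 allow udp from any 500 to 192.168.1.0/24 out xmit fxp1
00400 allow esp from any to any
65535 deny ip from any to any'

# has_rule RULES PATTERN: succeed if any rule line matches PATTERN (grep -E).
has_rule() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# ipsec_missing RULES: print the names of the missing IPsec rules, one per
# line (isakmp, esp, ah). Prints nothing when all three are present.
# ipfw lists rules added with "pass" as "allow", so both words are accepted.
ipsec_missing() {
    rules=$1
    has_rule "$rules" '^[0-9]+ (allow|pass) udp from .* 500( |$)' || echo isakmp
    has_rule "$rules" '^[0-9]+ (allow|pass) esp from ' || echo esp
    has_rule "$rules" '^[0-9]+ (allow|pass) ah from ' || echo ah
}

# suggest_rule NAME [FWCMD]: print the ipfw command that adds the named
# rule, in the same style as the thread's rc.firewall snippet. FWCMD
# defaults to "ipfw" in place of the script's ${fwcmd} variable.
suggest_rule() {
    fwcmd=${2:-ipfw}
    case $1 in
        isakmp) echo "$fwcmd add pass udp from any to any 500" ;;
        esp)    echo "$fwcmd add pass esp from any to any" ;;
        ah)     echo "$fwcmd add pass ah from any to any" ;;
        *)      return 1 ;;
    esac
}

# report RULES: human-readable summary for the given ruleset text.
report() {
    missing=$(ipsec_missing "$1")
    if [ -z "$missing" ]; then
        echo "ISAKMP, ESP and AH rules all present."
        return 0
    fi
    for name in $missing; do
        echo "missing $name rule; add it with: $(suggest_rule "$name")"
    done
    return 1
}

# Run against the constructed sample so the script works offline; on the
# router itself you would feed it "$(ipfw list)" instead (needs root).
report "$SAMPLE_RULES"
```

On the sample this prints one line saying the AH rule is missing together with the `ipfw add pass ah from any to any` command, which is exactly the rule the reply recommends; once that rule is added the report comes back clean.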