From: "Michael W. Oliver"
To: Jim Freeze
cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 18 Jun 2004 10:14:52 -0400
Subject: Re: natd firewall settings for vpn
Message-ID: <20040618141452.GC16261@gargantuan.com>
In-Reply-To: <20040618051102.GA692@freeze.org>
User-Agent: Mutt/1.5.6i

On 2004-06-18T00:11:03-0500, Jim Freeze wrote:
> Hi
>
> I am trying to configure my firewall to allow packets through
> for a VPN connection. I am running FBSD 5.2 as my router and am trying
> to connect my laptop from behind the router to our work computer.
>
> The laptop is running OSX 10.3.4 with a Nortel Networks client
> made by Apani.
>
> The VPN connection works when the laptop is connected directly
> to my DSL modem or when behind the gateway when I set the
> firewall type to 'open'.
>
> Support at Apani says that I need to open port 500 and
> allow protocols 50 and 51 (whatever that means).

Protocol 50 is ESP, or Encapsulating Security Payload.
Protocol 51 is AH, or Authentication Header.

The trick here with NAT is that AH will build a checksum of the IP
header, which includes the private IP address of your laptop. Since NAT
changes this IP address, the destination will dump the packet since the
AH checksum will fail.

When the laptop is behind the gateway, are you using private addresses
on the LAN while running NATD with the 'open' rule set? If yes, then you
aren't using AH, but only ESP.

> I found the firewall settings below from the archive and have
> implemented them before the divert statement (after also)
> but with no luck.
>
> # Allow IPSec clients to run behind firewall
> # --- ISAKMP - allow key exchange over UDP 500
> ${fwcmd} add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
> ${fwcmd} add pass udp from ${oip} to any 500 out xmit ${oif}
> ${fwcmd} add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
> ${fwcmd} add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}
> # --- ESP - allow protocol 50 (ESP) for everyone ;-)
> ${fwcmd} add pass esp from any to any
>
> Does anyone have a firewall with a working nortel client behind it?
> I would greatly appreciate any help.

Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
firewall/router, which runs IPFW2 with NATD.

The rules that you have above look ok. Have you tried setting up a
static NAT translation in /etc/natd.conf for inbound UDP/500? Something
like...

redirect_port udp 192.168.1.1:500 500

where 192.168.1.1 is the IP addr of your laptop.

Also, here are the relevant rules from my rc.firewall:

${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
#
${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
#
${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}

*NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.

-- 
Mike
perl -e 'print unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E
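The point Michael makes above about AH and NAT can be checked in code. The following is an added example, not code from the thread or from Michael's rc.firewall: it builds a toy AH packet and a toy ESP packet (NULL encryption, so the integrity coverage is visible), then applies the only change a source-NAT like natd makes to the outer IP header (new source address, recomputed header checksum) and re-verifies both. The key, SPI, sequence number, payload and the addresses 192.168.1.1 / 203.0.113.10 / 198.51.100.20 are constructed for the demo. The coverage rules follow RFC 4302 (AH) and RFC 4303/4303 padding with RFC 2410 NULL encryption (ESP), with HMAC-SHA1-96 as the integrity algorithm; it also shows that an ordinary router hop (TTL decrement) does not break AH, because TTL and the header checksum are among the mutable fields AH zeroes before authenticating.

```python
"""AH vs ESP through a source NAT: rewriting the source address breaks AH, not ESP.

Constructed example (not from the mailing-list thread). Key, SPI, sequence
number, addresses and payload are made up; the coverage rules are the real
ones from RFC 4302 (AH), RFC 4303 (ESP) and RFC 2410 (ESP NULL encryption).
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed demo key - not a real SA"  # assumption: the SA's integrity key
SPI, SEQ = 0x0000BEEF, 1                       # assumption: SA identifiers
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
ICV_LEN = 12                                   # HMAC-SHA1-96: 96-bit truncation


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the header with the checksum field zeroed."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    f = [0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    f[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f)


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """AH authenticates the IP header with the mutable fields zeroed
    (TOS, flags/fragment offset, TTL, header checksum). Addresses stay in."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(src: str, dst: str, payload: bytes) -> bytes:
    # AH fixed part: next header, payload len (32-bit words minus 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, (12 + ICV_LEN) // 4 - 2, 0, SPI, SEQ)
    ip = ipv4_header(src, dst, PROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    icv = _mac(ah_immutable_view(ip) + ah_fixed + b"\0" * ICV_LEN + payload)
    return ip + ah_fixed + icv + payload


def verify_ah(pkt: bytes) -> bool:
    ip, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = _mac(ah_immutable_view(ip) + ah_fixed + b"\0" * ICV_LEN + payload)
    return hmac.compare_digest(icv, expected)


def build_esp(src: str, dst: str, payload: bytes) -> bytes:
    """ESP with NULL encryption: the ICV covers SPI, sequence number, payload
    and trailer only. The outer IP header is not part of it."""
    pad_len = (-(len(payload) + 2)) % 4          # align payload + 2-byte trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_UDP])
    body = struct.pack("!II", SPI, SEQ) + payload + trailer
    ip = ipv4_header(src, dst, PROTO_ESP, 20 + len(body) + ICV_LEN)
    return ip + body + _mac(body)


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, _mac(body))


def nat_source(pkt: bytes, new_src: str) -> bytes:
    """What natd does to an outbound packet: replace the source address and
    fix the IP header checksum. The IPsec headers and payload are untouched."""
    h = bytearray(pkt[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def forward_hop(pkt: bytes) -> bytes:
    """What an ordinary router does: decrement TTL and fix the checksum."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    laptop, gateway_wan, work = "192.168.1.1", "203.0.113.10", "198.51.100.20"  # constructed
    payload = b"constructed upper-layer data"
    ah, esp = build_ah(laptop, work, payload), build_esp(laptop, work, payload)
    return {
        "ah_direct": verify_ah(ah),                              # laptop on the DSL modem
        "ah_after_hop": verify_ah(forward_hop(ah)),              # TTL/checksum are excluded
        "ah_after_nat": verify_ah(nat_source(ah, gateway_wan)),  # natd rewrote the source
        "esp_direct": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_source(esp, gateway_wan)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'verifies' if ok else 'REJECTED'}")
```

Running it shows `ah_after_nat` as the only rejection: the source address is an immutable field under AH, so the far end computes a different ICV once natd has substituted the gateway's WAN address, while the same rewrite leaves ESP's ICV intact. That is why a client behind NAT can only work with ESP, which is consistent with the thread's observation that the tunnel comes up behind the gateway with the 'open' rule set (ESP passing, AH not in use).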