Date:      Fri, 18 Jun 2004 10:14:52 -0400
From:      "Michael W. Oliver" <freebsd-questions@gargantuan.com>
To:        Jim Freeze <jim@freeze.org>
Cc:        FreeBSD Questions <FreeBSD-questions@FreeBSD.org>
Subject:   Re: natd firewall settings for vpn
Message-ID:  <20040618141452.GC16261@gargantuan.com>
In-Reply-To: <20040618051102.GA692@freeze.org>
References:  <20040618051102.GA692@freeze.org>


On 2004-06-18T00:11:03-0500, Jim Freeze wrote:
> Hi
>
> I am trying to configure my firewall to allow packets through
> for a VPN connection. I am running FBSD 5.2 as my router and am trying
> to connect my laptop from behind the router to our work computer.
>
> The laptop is running OSX 10.3.4 with a Nortel Networks client
> made by Apani.
>
> The VPN connection works when the laptop is connected directly
> to my DSL modem or when behind the gateway when I set the
> firewall type to 'open'.
>
> Support at Apani says that I need to open port 500 and
> allow protocols 50 and 51 (whatever that means).

Protocol 50 is ESP, or encapsulating security payload
Protocol 51 is AH, or authentication header

The trick here with NAT is that AH will build a checksum of the IP
header, which includes the private IP address of your laptop.  Since NAT
changes this IP address, the destination will dump the packet since the
AH checksum will fail.

When the laptop is behind the gateway, are you using private addresses
on the LAN while running NATD with the 'open' rule set?  If yes, then
you aren't using AH, but only ESP.

> I found the firewall settings below from the archive and have
> implemented them before the divert statement (after also)
> but with no luck.
>
>  # Allow IPSec clients to run behind firewall
>  # --- ISAKMP - allow key exchange over UDP 500
>  ${fwcmd} add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
>  ${fwcmd} add pass udp from ${oip} to any 500 out xmit ${oif}
>  ${fwcmd} add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
>  ${fwcmd} add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}
>  # --- ESP - allow protocol 50 (ESP) for everyone ;-)
>  ${fwcmd} add pass esp from any to any
>
> Does anyone have a firewall with a working Nortel client behind it?
> I would greatly appreciate any help.

Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
firewall/router, which runs IPFW2 with NATD.  The rules that you have
above look ok.  Have you tried setting up a static NAT translation in
/etc/natd.conf for inbound UDP/500?  Something like...

redirect_port udp 192.168.1.1:500 500

where 192.168.1.1 is the IP addr of your laptop.  Also, here are the
relevant rules from my rc.firewall:

${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
#
${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
#
${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}

*NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.

-- 
Mike
perl -e 'print unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E<G,*");'


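Added example, written for this archive page and not code from either poster, from the Nortel/Apani client or from FreeBSD: a small Python model of the AH-versus-NAT point made in the reply above. It builds a minimal IPv4 packet, computes an AH-style HMAC-SHA1-96 ICV the way RFC 4302 prescribes (TOS, flags/fragment offset, TTL and header checksum zeroed, source and destination addresses covered), then rewrites the source address the way natd does on the outbound path and re-verifies. The same is done for an ESP-style ICV, which covers only what follows the IP header. The addresses, key, SPIs and payload are constructed values; the ESP packet carries its payload in the clear in place of ciphertext, because confidentiality is not what the example is about; IP options and the mutable-but-predictable fields of a real AH implementation are left out.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo values (not from the thread): the laptop on the LAN, the
# gateway's public address as natd would substitute it, the VPN concentrator
# at work, and a throwaway integrity key.
LAN_SRC = "192.168.1.1"
NAT_SRC = "203.0.113.10"
VPN_DST = "198.51.100.20"
AUTH_KEY = b"throwaway-demo-integrity-key"

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96: both AH and ESP truncate the tag to 96 bits


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options, with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the mutable fields before hashing; addresses stay in (RFC 4302)."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def hmac96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    # AH fixed part: next header (17 = UDP), payload len in 32-bit words minus 2,
    # reserved, SPI, sequence number; the 12-byte ICV follows it.
    ah_fixed = struct.pack("!BBHII", 17, (24 // 4) - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload))
    icv = hmac96(key, ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(key: bytes, pkt: bytes) -> bool:
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac96(key, ah_immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(icv, expected)


def esp_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    # ESP integrity covers SPI + sequence + (normally encrypted) payload only.
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac96(key, esp_hdr + payload)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 8 + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def verify_esp(key: bytes, pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac96(key, body))


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What natd does outbound: swap the source address and fix the IP
    checksum, leaving everything after the IP header untouched."""
    h = bytearray(pkt[:20])
    h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    payload = b"constructed demo payload"
    ah = ah_packet(AUTH_KEY, LAN_SRC, VPN_DST, payload)
    esp = esp_packet(AUTH_KEY, LAN_SRC, VPN_DST, payload)
    return {
        "ah_before_nat": verify_ah(AUTH_KEY, ah),
        "ah_after_nat": verify_ah(AUTH_KEY, nat_rewrite_src(ah, NAT_SRC)),
        "esp_before_nat": verify_esp(AUTH_KEY, esp),
        "esp_after_nat": verify_esp(AUTH_KEY, nat_rewrite_src(esp, NAT_SRC)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILS'}")
```

Run it and the AH check passes on the LAN side but fails once the source address has been rewritten, while the ESP check passes both times. That is the mechanism behind the advice above: a `pass esp` rule after the natd divert is enough for protocol 50, but protocol 51 cannot survive the address rewrite from a private LAN address no matter what the firewall permits.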
