Date:      Sun, 21 Jan 2001 00:40:37 -0500
From:      The Babbler <bts@babbleon.org>
To:        freebsd-ipfw@freebsd.org
Subject:   IPSEC tunnelling
Message-ID:  <3A6A7655.E428629D@babbleon.org>


I realize that the official charter of this group is to work on the
*new* firewall code, and I'm working at RELEASE, which doesn't qualify,
but I have tried freebsd-questions and been met with overwhelming
silence, and this seems to me to be the closest group, so I hope you
folks will be willing to indulge me.  And pointing me at the doc is more
than fine.  I've tried searching the www.freebsd.org site, but didn't
find anything relevant there.  Of course I can't recall any occasion
when I ever have . . .

Anyway, I'm trying to get my FreeBSD gateway/firewall machine set up so
that it will allow my wife's VPN access to work; this requires IPSEC
packets to get through.

Has anybody done this?  Any helpful hints?

I turned on the IPSEC and the tunneling options in the kernel (details
below) and I'm letting "esp" and "udp" packets through (again, details
are below).

FWIW, I tried this in Linux and couldn't ever get it to work; this was a
motivation for trying FreeBSD.  It's still not working, but I can at
least follow the network traffic better in FreeBSD, which at least let
me fix my rules.  (The rules I used under Linux seem to have been bad.)

At this point, it *looks* from the security logs as if all related
packets are getting through, but the VPN still can't connect so I'm
missing something somewhere.  I'm thinking that the forwarding (natd)
rule may be wrong.

My gateway/firewall machine is multiplexing multiple internal-network
machines to a single cable modem connection by using natd.  Everything
but this VPN tunnelling seems to be working peachy.


Here's what I'm enabling in the kernel that I believe to be related:

-------------------------------------------------------------------------------
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits how many times a matching rule is logged (see below).
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything instead.

options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about logged packets
# options       IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
# options       IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default

# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
# (natd receives the diverted packets through such a socket)
options         IPDIVERT                #divert sockets

# KAME IPsec stack for the gateway's own traffic
options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security
-------------------------------------------------------------------------------

And here are the rules that are intended to let the relevant packets
through.
fwcmd is ipfw;
inet/imask is the inside network; and
onet/omask is the outside network.
-------------------------------------------------------------------------------
ntvpn=any

# IKE (ISAKMP) key exchange: UDP port 500 at both ends.  Outbound
# packets from the inside network are handed to natd for translation;
# the remaining udp rules accept the traffic on the outside address.
${fwcmd} add divert natd log udp from ${inet}:${imask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${onet}:${omask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${onet}:${omask} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${inet}:${imask} 500
# ESP (IP protocol 50) carries no port numbers, and ipfw only accepts a
# port specification with tcp or udp, so the esp rules must not name
# port 500.
${fwcmd} add divert natd log esp from ${inet}:${imask} to ${ntvpn}
${fwcmd} add accept log esp from ${onet}:${omask} to ${ntvpn}
${fwcmd} add accept log esp from ${ntvpn} to ${onet}:${omask}
-------------------------------------------------------------------------------

-- 
"Brian, the man from babble-on"              bts@babbleon.org
Brian T. Schellenberger                      http://www.babbleon.org
Support http://www.eff.org.                  Support decss defendents.
Support http://www.programming-freedom.org.  Boycott amazon.com.
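A small check over ipfw log output, added here as an example and not part of the original post. The syslog lines below are constructed in the FreeBSD 4.x ipfw log format with made-up addresses, interface name and rule numbers; the script reports whether IKE (UDP/500) and ESP (IP protocol 50) were seen in each direction and whether inbound packets were accepted without ever having been passed to natd through a divert rule, which is the situation a ruleset that only diverts outbound traffic produces.

```python
import re

# Constructed sample of ipfw syslog lines (not from the original post) in the
# FreeBSD 4.x format: "<rule> <action> <proto> <src> <dst> <in|out> via <if>".
# TCP/UDP entries show addr:port; other protocols show "P:<number>" and bare
# addresses, so ESP appears as "P:50".  Addresses and rule numbers are made up.
SAMPLE_LOG = """\
Jan 21 00:40:01 gw /kernel: ipfw: 100 Divert 8668 UDP 10.0.0.2:500 192.0.2.1:500 out via xl0
Jan 21 00:40:01 gw /kernel: ipfw: 110 Accept UDP 203.0.113.5:500 192.0.2.1:500 out via xl0
Jan 21 00:40:02 gw /kernel: ipfw: 120 Accept UDP 192.0.2.1:500 203.0.113.5:500 in via xl0
Jan 21 00:40:03 gw /kernel: ipfw: 140 Divert 8668 P:50 10.0.0.2 192.0.2.1 out via xl0
Jan 21 00:40:03 gw /kernel: ipfw: 150 Accept P:50 203.0.113.5 192.0.2.1 out via xl0
Jan 21 00:40:04 gw /kernel: ipfw: 160 Accept P:50 192.0.2.1 203.0.113.5 in via xl0
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+(?: \d+)?) "
    r"(?P<proto>TCP|UDP|ICMP:\d+\.\d+|P:\d+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<ifc>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per ipfw log entry; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.search(l) for l in text.splitlines()) if m]


def classify(entry):
    """Map an entry to 'ike' (UDP with port 500 at both ends), 'esp' (IP proto 50) or None."""
    if entry["proto"] == "UDP" and entry["src"].endswith(":500") and entry["dst"].endswith(":500"):
        return "ike"
    if entry["proto"] == "P:50":
        return "esp"
    return None


def check_ipsec_passthrough(text):
    """Return (flows seen per direction, kinds accepted inbound but never diverted).

    An inbound packet that is accepted without a preceding 'Divert' entry was
    never handed to natd, so its destination is still the gateway's own
    address and it will not be forwarded to the inside host."""
    counts = {}
    for e in parse_ipfw_log(text):
        kind = classify(e)
        if kind is None:
            continue
        act = "divert" if e["action"].startswith("Divert") else e["action"].lower()
        key = (kind, e["dir"], act)
        counts[key] = counts.get(key, 0) + 1
    seen = {f"{k}_{d}": any(c[:2] == (k, d) for c in counts)
            for k in ("ike", "esp") for d in ("in", "out")}
    undiverted = [k for k in ("ike", "esp")
                  if (k, "in", "accept") in counts and (k, "in", "divert") not in counts]
    return seen, undiverted
```

On the sample above every flow is seen in both directions, yet both inbound IKE and inbound ESP are reported as never diverted, which is what a log from the posted ruleset would look like.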
