From owner-freebsd-questions Thu Jan 18 6: 1:39 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail5.nc.rr.com (fe5.southeast.rr.com [24.93.67.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5E9CE37B400
	for ; Thu, 18 Jan 2001 06:01:21 -0800 (PST)
Received: from babbleon.org ([24.163.43.236]) by mail5.nc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53);
	Thu, 18 Jan 2001 09:01:20 -0500
Message-ID: <3A66F677.C56FD3A9@babbleon.org>
Date: Thu, 18 Jan 2001 08:58:15 -0500
From: The Babbler
Organization: None to speak of
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.15-4mdk i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: Re: IPSEC tunneling
References: <3A667B11.7BE15007@babbleon.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm going to follow up on my own post, which was a bit short of details.

Here's what I'm enabling in the kernel that I believe to be related:

-------------------------------------------------------------------------------
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
options		IPFIREWALL			#firewall
options		IPFIREWALL_VERBOSE		#print information about
# options	IPFIREWALL_FORWARD		#enable transparent proxy support
options		IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
# options	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
options		IPDIVERT			#divert sockets
options		IPSEC				#IP security
options		IPSEC_ESP			#IP security (crypto; define w/ IPSEC)
options		IPSEC_DEBUG			#debug for IP security
-------------------------------------------------------------------------------

And here are the rules that are intended to let the relevant packets
through.  fwcmd is ipfw; inet/imask is the inside network; and onet/omask
is the outside network.

-------------------------------------------------------------------------------
ntvpn=any
${fwcmd} add divert natd log udp from ${inet}:${imask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${onet}:${omask} 500 to ${ntvpn} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${onet}:${omask} 500
${fwcmd} add accept log udp from ${ntvpn} 500 to ${inet}:${imask} 500
# ESP (IP protocol 50) carries no port numbers, and ipfw rejects a port
# qualifier on a non-tcp/udp protocol, so the esp rules match on
# addresses only.
${fwcmd} add divert natd log esp from ${inet}:${imask} to ${ntvpn}
${fwcmd} add accept log esp from ${onet}:${omask} to ${ntvpn}
${fwcmd} add accept log esp from ${ntvpn} to ${onet}:${omask}
-------------------------------------------------------------------------------

The Babbler wrote:
> 
> I'm trying to get my FreeBSD gateway/firewall machine set up so that
> it will allow my wife's VPN access to work; this requires IPSEC packets
> to get through.
> 
> Has anybody done this?  Any helpful hints?
> 
> I turned on the IPSEC and the tunneling options in the kernel,
> and I'm letting "esp" and "udp" packets through.
> (For now, I'm basically letting all of 'em through.)
> 
> FWIW, I tried this in Linux and couldn't ever get it to work; this was
> a motivation for trying FreeBSD.  It's still not working, but I can at
> least follow the network traffic better in FreeBSD, which at least let
> me fix my rules.  (The rules I used under Linux were bad.)
> 
> My gateway machine is multiplexing multiple internal-network machines
> to a single cable modem connection by using the command to translate
> packets.  I suspect that something is going wrong there.
> 
> [Sorry this is a little vague; for other reasons the machine isn't
> currently booted into FreeBSD so I can't double-check the precise
> settings at the moment.]
> 
> -- 
> "Brian, the man from babble-on"                bts@babbleon.org
> Brian T. Schellenberger                        http://www.babbleon.org
> Support http://www.eff.org.  Support decss defendants.
> Support http://www.programming-freedom.org.  Boycott amazon.com.

-- 
"Brian, the man from babble-on"                bts@babbleon.org
Brian T. Schellenberger                        http://www.babbleon.org
Support http://www.eff.org.  Support decss defendants.
Support http://www.programming-freedom.org.  Boycott amazon.com.
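Added example, not code from the mail or from FreeBSD: a small sh script that builds the IPsec passthrough rule set the mail describes (IKE on UDP 500 through natd, ESP by address only) and lints each rule before handing it to ipfw, rejecting any rule that attaches port numbers to a protocol that has none. It assumes the mail's variables fwcmd, inet/imask, onet/omask and ntvpn; the addresses it falls back to are constructed sample values, and fwcmd defaults to echoing the rules so the script can be run on any machine without touching a firewall.

```shell
#!/bin/sh
# Added example (not from the original mail): generate and lint ipfw rules
# for passing IKE (UDP 500) and ESP (IP protocol 50) through a natd gateway.
# Assumed variables, named as in the mail; sample values are constructed.
: "${fwcmd:=echo ipfw}"          # dry run by default: print instead of load
: "${inet:=192.168.1.0}"         # inside network (constructed)
: "${imask:=255.255.255.0}"
: "${onet:=203.0.113.5}"         # outside address of the gateway (constructed)
: "${omask:=255.255.255.255}"
: "${ntvpn:=any}"                # remote VPN endpoint; "any" as in the mail

# ipsec_passthru_rules: print one ipfw rule body per line.
# Only IKE (udp) carries port 500.  ESP has no ports, so those rules match on
# addresses alone; natd still sees the diverted ESP but has nothing to rewrite.
ipsec_passthru_rules() {
    cat <<EOF
add divert natd log udp from ${inet}:${imask} 500 to ${ntvpn} 500
add accept log udp from ${onet}:${omask} 500 to ${ntvpn} 500
add accept log udp from ${ntvpn} 500 to ${onet}:${omask} 500
add accept log udp from ${ntvpn} 500 to ${inet}:${imask} 500
add divert natd log esp from ${inet}:${imask} to ${ntvpn}
add accept log esp from ${onet}:${omask} to ${ntvpn}
add accept log esp from ${ntvpn} to ${onet}:${omask}
EOF
}

# lint_rule RULE: succeed if RULE is acceptable to ipfw, fail if it puts a
# port number on a protocol other than tcp or udp (ipfw refuses such rules).
# The protocol is the word before "from"; a port is a numeric word directly
# after the source address (before "to") or after the destination address.
lint_rule() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "from") { proto = $(i - 1); from = i }
            if ($i == "to")   { to = i }
        }
        src_port = (from + 2 < to && $(from + 2) ~ /^[0-9]+$/)
        dst_port = (to + 2 <= NF && $(to + 2) ~ /^[0-9]+$/)
        if ((src_port || dst_port) && proto != "tcp" && proto != "udp") exit 1
        exit 0
    }'
}

# load_rules: lint every generated rule, load the good ones, report the rest.
load_rules() {
    ipsec_passthru_rules | while IFS= read -r rule; do
        if lint_rule "$rule"; then
            ${fwcmd} $rule
        else
            printf 'skipping malformed rule: %s\n' "$rule" >&2
        fi
    done
}

load_rules
```

Run it as-is to see the rule lines echoed; set fwcmd=ipfw (as root on the gateway) to load them. The lint catches exactly the mistake that makes "esp ... 500" unloadable, which is the kind of error that is easy to miss when ipfw's complaint scrolls past in a startup script.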