From owner-freebsd-ipfw Sat Jan 20 21:44: 5 2001 Delivered-To: freebsd-ipfw@freebsd.org Received: from mail7.nc.rr.com (fe7.southeast.rr.com [24.93.67.54]) by hub.freebsd.org (Postfix) with ESMTP id 0C1DD37B400 for ; Sat, 20 Jan 2001 21:43:47 -0800 (PST) Received: from babbleon.org ([24.163.43.236]) by mail7.nc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Sun, 21 Jan 2001 00:43:45 -0500 Message-ID: <3A6A7655.E428629D@babbleon.org> Date: Sun, 21 Jan 2001 00:40:37 -0500 From: The Babbler Organization: None to speak of X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.15-4mdk i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Subject: IPSEC tunnelling Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I realize that the official charter of this group is to work on the *new* firewall code, and I'm working at RELEASE, which doesn't qualify, but I have tried freebsd-questions and been met with overwhelming silence, and this seems to me to be the closest group, so I hope you folks will be willing to indulge me. And pointing me at the doc is more than fine. I've tried searching the www.freebsd.org site, but didn't find anything relavent there. Of course I can't recall any occaison when I ever have . . . Anyway, I'm trying to get my FreeBSD gateway/firewall machine set up so that it will allow my wife's VPN access to work; this requires IPSEC packets to get through. Has anybody done this? Any helpful hints? I turned on the IPSEC and the tunneling options in the kernel (details below) and I'm letting "esp" and "udp" packets through (again, details are below). FWIW, I tried this in Linux and couldn't ever get it to work; this was a motivation for trying FreeBSD. It's still not working, but I can at least follow the network traffic better in FreeBSD, which at least let me fix my rules. (The rules I used under Linux seem to have been bad.) At this point, it *looks* from the security logs as if all related packets are getting through, but the VPN still can't connect so I'm missing something somewhere. I'm thinking that the forwarding (natd) rule may be wrong. My gateway/firewall machine is multiplexing multiple internal-network machines to a single cable modem connection by using natd. Everything but this VPN tunnellling seems to be working peachy. Here's what I'm enabling in the kernel that I believe to be related: ------------------------------------------------------------------------------- # IPFIREWALL enables support for IP firewall construction, in # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any" # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #print information about # options IPFIREWALL_FORWARD #enable transparent proxy support options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity # options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default # IPDIVERT enables the divert IP sockets, used by ``ipfw divert'' options IPDIVERT #divert sockets options IPSEC #IP security options IPSEC_ESP #IP security (crypto; define w/ IPSEC) options IPSEC_DEBUG #debug for IP security ------------------------------------------------------------------------------- And here are the rules that are intended to let the relavent packets through. fwcmd is ipfw; inet/imask is the inside network; and onet/omask is the outside network. ------------------------------------------------------------------------------- ntvpn=any ${fwcmd} add divert natd log udp from ${inet}:${imask} 500 to ${ntvpn} 500 ${fwcmd} add accept log udp from ${onet}:${omask} 500 to ${ntvpn} 500 ${fwcmd} add accept log udp from ${ntvpn} 500 to ${onet}:${omask} 500 ${fwcmd} add accept log udp from ${ntvpn} 500 to ${inet}:${imask} 500 ${fwcmd} add divert natd log esp from ${inet}:${imask} 500 to ${ntvpn} 500 ${fwcmd} add accept log esp from ${onet}:${omask} 500 to ${ntvpn} 500 ${fwcmd} add accept log esp from ${ntvpn} 500 to ${onet}:${omask} 500 ------------------------------------------------------------------------------- -- "Brian, the man from babble-on" bts@babbleon.org Brian T. Schellenberger http://www.babbleon.org Support http://www.eff.org. Support decss defendents. Support http://www.programming-freedom.org. Boycott amazon.com. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message