Date: Fri, 18 Jun 2004 14:46:31 -0500
From: Jim Freeze <jim@freeze.org>
To: FreeBSD-questions@FreeBSD.org
Subject: Re: natd firewall settings for vpn
Message-ID: <20040618194631.GA4259@freeze.org>
In-Reply-To: <20040618090710.068013f3.wmoran@potentialtech.com>
References: <20040618051102.GA692@freeze.org> <20040618090710.068013f3.wmoran@potentialtech.com>
> Protocol 50 is ESP, or encapsulating security payload
> Protocol 51 is AH, or authentication header

Ok, thanks.

> The trick here with NAT is that AH will build a checksum of the IP
> header, which includes the private IP address of your laptop. Since NAT
> changes this IP address, the destination will dump the packet since the
> AH checksum will fail.
>
> When the laptop is behind the gateway, are you using private addresses
> on the LAN while running NATD with the 'open' rule set? If yes, then
> you aren't using AH, but only ESP.

I'm not sure what you are driving at here. I think the answer is yes.
The IPs of clients on my LAN are 192.168.0.x. As far as the 'open' rule
is concerned, I just used that to test if Contivity worked. I'm not sure
what you mean by not using AH. When using the 'open' firewall ruleset,
I did not have to add any rules for ESP or AH.

> Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
> firewall/router, which runs IPFW2 with NATD. The rules that you have
> above look ok. Have you tried setting up a static NAT translation in
> /etc/natd.conf for inbound UDP/500? Something like...
>
> redirect_port udp 192.168.1.1:500 500
>
> where 192.168.1.1 is the IP addr of your laptop. Also, here are the
> relevant rules from my rc.firewall:

Would I use this in addition to the firewall rules?

> ${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
> #
> ${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
> ${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
> ${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
> ${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
> #
> ${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
> ${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
> ${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
> ${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}
>
> *NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.

These rules look a little different. Should adding the AH be all I need,
or do I need to replace my rules with the ones you list above?

-- 
Jim Freeze
Anarchy may not be the best form of government, but it's better than no
government at all.
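The quoted explanation of why AH (protocol 51) cannot pass through natd while ESP (protocol 50) can, shown as an added worked example that is not part of this thread and not code from either poster. It builds a minimal IPv4 packet, wraps it once in AH and once in ESP (ESP-NULL, no encryption, HMAC-SHA1-96 integrity per RFC 2404), rewrites the source address the way a NAT gateway does, and re-verifies the integrity check at the far end. The AH ICV covers the IP header (with the mutable fields zeroed as RFC 4302 specifies), so the rewritten source address makes it fail; the ESP ICV covers only the ESP header and payload and survives. Addresses, key and payload are constructed for the demo.

```python
"""Added example: AH vs ESP integrity checks across a NAT source rewrite.
Constructed addresses/key/payload; not the posters' code or configuration."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # constructed, stands in for the SA's auth key
ICV_LEN = 12                    # HMAC-SHA1-96 truncates the tag to 96 bits


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _immutable_ip_header(hdr: bytes) -> bytes:
    """RFC 4302: zero DSCP/ECN, flags+fragment offset, TTL and checksum before hashing.
    The source and destination addresses are NOT zeroed; that is the whole problem with NAT."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    data = _immutable_ip_header(ip_hdr) + ah_no_icv + b"\0" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes, spi: int = 0x100, seq: int = 1,
                    next_header: int = 17) -> bytes:
    # AH header: next, payload_len (AH length in 32-bit words minus 2), reserved, SPI, seq, ICV
    ah_no_icv = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, 51, 20 + 12 + ICV_LEN + len(payload))
    return ip + ah_no_icv + ah_icv(ip, ah_no_icv, payload) + payload


def verify_ah(pkt: bytes) -> bool:
    ip, ah_no_icv, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip, ah_no_icv, payload))


def build_esp_packet(src: str, dst: str, payload: bytes, spi: int = 0x200, seq: int = 1,
                     next_header: int = 17) -> bytes:
    # ESP-NULL transport: SPI, seq, payload, padding to 4-byte alignment, pad_len, next_header, ICV
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp = struct.pack("!II", spi, seq) + body
    icv = hmac.new(KEY, esp, hashlib.sha1).digest()[:ICV_LEN]   # outer IP header not covered
    return ipv4_header(src, dst, 50, 20 + len(esp) + ICV_LEN) + esp + icv


def verify_esp(pkt: bytes) -> bool:
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, esp, hashlib.sha1).digest()[:ICV_LEN])


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What the gateway does on the way out: swap the source address, recompute the IP checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    lan_client, gateway_wan, vpn_server = "192.168.0.10", "203.0.113.5", "198.51.100.1"
    payload = b"constructed ISAKMP-ish payload"   # constructed sample data
    ah = build_ah_packet(lan_client, vpn_server, payload)
    esp = build_esp_packet(lan_client, vpn_server, payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, gateway_wan)),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, gateway_wan)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

This is the mechanism behind the quoted advice: a client behind natd can only be running ESP, and the only packets natd has to get right are ESP itself plus the UDP/500 ISAKMP exchange (hence the `redirect_port udp ...:500 500` suggestion). One caveat the demo makes visible: ESP carries no port numbers, so plain natd has nothing to demultiplex inbound ESP on and can only hand it back to a single inside host, which is fine for the one-laptop case in this thread.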
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040618194631.GA4259>