From: Jim Freeze <jfreeze@freeze.org>
To: FreeBSD-questions@FreeBSD.org
Date: Fri, 18 Jun 2004 14:46:31 -0500
Subject: Re: natd firewall settings for vpn
Message-ID: <20040618194631.GA4259@freeze.org>
In-Reply-To: <20040618090710.068013f3.wmoran@potentialtech.com>
References: <20040618051102.GA692@freeze.org> <20040618090710.068013f3.wmoran@potentialtech.com>
User-Agent: Mutt/1.4.1i
List: freebsd-questions@freebsd.org (User questions)

> Protocol 50 is ESP, or encapsulating security payload
> Protocol 51 is AH, or authentication header

Ok, thanks.

> The trick here with NAT is that AH will build a checksum of the IP
> header, which includes the private IP address of your laptop. Since NAT
> changes this IP address, the destination will dump the packet since the
> AH checksum will fail.
>
> When the laptop is behind the gateway, are you using private addresses
> on the LAN while running NATD with the 'open' rule set? If yes, then
> you aren't using AH, but only ESP.

I'm not sure what you are driving at here. I think the answer is yes.
The IPs of the clients on my LAN are 192.168.0.x. As far as the 'open'
rule is concerned, I just used that to test if Contivity worked. I'm not
sure what you mean by not using AH. When using the 'open' firewall
ruleset, I did not have to add any rules for ESP or AH.

> Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
> firewall/router, which runs IPFW2 with NATD. The rules that you have
> above look ok. Have you tried setting up a static NAT translation in
> /etc/natd.conf for inbound UDP/500? Something like...
>
> redirect_port udp 192.168.1.1:500 500
>
> where 192.168.1.1 is the IP addr of your laptop. Also, here are the
> relevant rules from my rc.firewall:

Would I use this in addition to the firewall rules?

> ${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
> #
> ${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
> ${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
> ${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
> ${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
> #
> ${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
> ${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
> ${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
> ${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}
>
> *NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.

These rules look a little different. Should adding the AH be all I need,
or do I need to replace my rules with the ones you list above?

--
Jim Freeze
Anarchy may not be the best form of government, but it's better than no
government at all.
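The point the quoted reply makes about AH versus ESP behind natd is easy to see by computing the two integrity checks the way RFC 4302 (AH) and RFC 4303 (ESP) scope them and then applying the rewrite natd performs. The following is an added illustration, not code from either poster, Contivity or FreeBSD: it builds a minimal IPv4 header plus AH and ESP headers, computes HMAC-SHA1-96 ICVs, rewrites the source address as natd would, and checks whether the receiver's verification still passes. The key, the addresses (192.168.0.10 for the laptop, 64.191.147.114 for the gateway, 203.0.113.5 for the VPN peer), the SPIs and the payloads are all constructed for the demonstration.

```python
"""Why AH fails behind natd while ESP does not (constructed demonstration)."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte HMAC to 12 bytes (RFC 2404)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a header whose checksum field is zero."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; proto 51 = AH, 50 = ESP."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def forward(ip_hdr: bytes, new_src=None) -> bytes:
    """A plain router decrements TTL and fixes the checksum; with new_src set this
    also does what natd does on the way out: replace the source address."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    if new_src is not None:
        hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1.1: zero the mutable IPv4 fields before hashing
    (TOS/DSCP, flags + fragment offset, TTL, header checksum). Length, ID,
    protocol and both addresses are immutable and stay in the hash."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def ah_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """AH ICV covers the immutable IP header, the AH header with the ICV field
    zeroed, and everything after it."""
    data = ah_immutable_view(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key: bytes, esp_hdr: bytes, body: bytes) -> bytes:
    """ESP ICV covers SPI + sequence number + ciphertext + trailer only; the
    outer IP header is not part of it, so NAT may rewrite it freely."""
    return hmac.new(key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]


def simulate(lan_src="192.168.0.10", wan_ip="64.191.147.114", peer="203.0.113.5") -> dict:
    key = b"constructed-demo-key-not-a-real-sa"

    # AH packet as the laptop sends it: next hdr 17 (UDP), payload len
    # (24 bytes of AH / 4) - 2 = 4, reserved, SPI, sequence number.
    payload = b"constructed upper-layer data"
    ah_hdr = struct.pack("!BBHII", 17, 4, 0, 0x1001, 1)
    ip_ah = build_ipv4_header(lan_src, peer, 51, len(ah_hdr) + ICV_LEN + len(payload))
    sent_ah_icv = ah_icv(key, ip_ah, ah_hdr, payload)

    def ah_verify(received_hdr: bytes) -> bool:  # what the peer does on receipt
        return hmac.compare_digest(ah_icv(key, received_hdr, ah_hdr, payload), sent_ah_icv)

    # ESP packet as the laptop sends it: SPI, seq, then constructed
    # "ciphertext" plus a 4-byte trailer (2 pad bytes, pad len 2, next hdr 17).
    esp_hdr = struct.pack("!II", 0x2002, 1)
    body = bytes(range(32)) + b"\x00\x00\x02\x11"
    ip_esp = build_ipv4_header(lan_src, peer, 50, len(esp_hdr) + len(body) + ICV_LEN)
    sent_esp_icv = esp_icv(key, esp_hdr, body)

    def esp_verify(_received_outer_hdr: bytes) -> bool:
        # The outer header is deliberately ignored: ESP never authenticated it.
        return hmac.compare_digest(esp_icv(key, esp_hdr, body), sent_esp_icv)

    return {
        # Routing only touches mutable fields, which AH zeroes: still verifies.
        "ah_passes_plain_forward": ah_verify(forward(ip_ah)),
        # natd rewrites the source address, which AH authenticates: fails.
        "ah_passes_nat": ah_verify(forward(ip_ah, new_src=wan_ip)),
        # Same rewrite on ESP: the receiver never hashed the outer header.
        "esp_passes_nat": esp_verify(forward(ip_esp, new_src=wan_ip)),
    }


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {ok}")
```

This is why the quoted reply only lists ESP (protocol 50) and ISAKMP (UDP/500) rules after the divert rule and never an AH rule: an AH packet that has been through natd cannot verify at the far end no matter what the firewall permits. One caveat that the thread does not reach: natd translates ESP by address only, since ESP carries no port numbers, so a single LAN host behind the gateway works but several simultaneous clients to the same peer do not; that is what UDP encapsulation of ESP (NAT-T, RFC 3948, UDP/4500) was later standardized to fix.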