From owner-freebsd-questions@FreeBSD.ORG Fri Jun 18 21:53:47 2004
Date: Fri, 18 Jun 2004 17:52:40 -0400
From: "Michael W. Oliver"
To: Jim Freeze
Message-ID: <20040618215240.GE16261@gargantuan.com>
In-Reply-To: <20040618194631.GA4259@freeze.org>
References: <20040618051102.GA692@freeze.org> <20040618090710.068013f3.wmoran@potentialtech.com> <20040618194631.GA4259@freeze.org>
X-WWW-Site: http://michael.gargantuan.com
X-PGP-Fingerprint: 2694 0179 AE3F BFAE 0916 0BF5 B16B FBAB C5FA A3C9
User-Agent: Mutt/1.5.6i
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: natd firewall settings for vpn

On 2004-06-18T14:46:31-0500, Jim Freeze wrote:
> mike oliver wrote:
> > The trick here with NAT is that AH will build a checksum of the IP
> > header, which includes the private IP address of your laptop. Since NAT
> > changes this IP address, the destination will dump the packet since the
> > AH checksum will fail.
> >
> > When the laptop is behind the gateway, are you using private addresses
> > on the LAN while running NATD with the 'open' rule set? If yes, then
> > you aren't using AH, but only ESP.
>
> I'm not sure what you are driving at here.
> I think the answer is yes. The IPs of clients on my LAN
> are 192.168.0.x.

Then you are indeed using NATD, which means...

> As far as the 'open' rule is concerned, I just used that to
> test if Contivity worked. I'm not sure what you mean by not using AH.
> When using the 'open' firewall ruleset, I did not have to
> add any rules for ESP or AH.

... that you aren't using AH. I, too, connect to a Contivity using the
Nortel client. I haven't configured a Contivity before, but a buddy (that
works in "LABS" for the company that I work for) works on them all the
time, and he confirmed that the Contivity supports IPSec with or without
AH. The point here is that you can't use AH in conjunction with NAT since
AH computes the checksum of the IP header, which includes your 192.168.0.x
address. Using NAT will change the source IP address, leaving the checksum
invalid.

> > Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
> > firewall/router, which runs IPFW2 with NATD. The rules that you have
> > above look ok. Have you tried setting up a static NAT translation in
> > /etc/natd.conf for inbound UDP/500? Something like...
> >
> > redirect_port udp 192.168.1.1:500 500
>
> Would I use this in addition to the firewall rules?

Yes.

> > ${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
> > #
> > ${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
> > ${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
> > ${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
> > ${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
> > #
> > ${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
> > ${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
> > ${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
> > ${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}
> >
> > *NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.
>
> These rules look a little different. Should adding the AH be all I
> need or do I need to replace my rules with the one you list above?

I don't have any rules for AH (protocol 51), and you won't need them either.

-- 
Mike
perl -e 'print unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E
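The AH-versus-NAT point made in the message above, as an added example that is not from the original post or from any vendor's code: it builds a minimal AH-protected packet, computes the RFC 2402/2404 HMAC-SHA1-96 ICV over the IP header with its mutable fields zeroed, then applies the source-address rewrite natd performs and shows the receiver's check fails, while an ESP-style ICV covering only the ESP header and ciphertext is unaffected. The addresses, key, SPI values and the natd_rewrite_src helper are constructed for illustration.

```python
import hashlib, hmac, socket, struct

# Constructed sample addresses (documentation ranges), not from the original message.
LAPTOP, WAN_IP, CONTIVITY = "192.168.0.10", "203.0.113.5", "198.51.100.7"
KEY = b"constructed-demo-key"  # authentication key shared by both IPsec peers (constructed)

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Minimal 20-byte IPv4 header; header checksum left at 0 (mutable, zeroed for AH anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_immutable_view(ip_hdr):
    # RFC 2402: zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum)
    # before computing the ICV. Source and destination addresses stay: they are authenticated.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def ah_icv(ip_hdr, ah_fixed, payload, key):
    # HMAC-SHA1-96 (RFC 2404) over IP header, AH header with ICV field zeroed, and payload.
    data = ah_immutable_view(ip_hdr) + ah_fixed + b"\0" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def build_ah_packet(src, dst, payload, key, spi=0x1000, seq=1):
    ip = ipv4_header(src, dst, 51, 20 + 24 + len(payload))   # protocol 51 = AH
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, spi, seq)      # next hdr UDP, length 4 words, SPI, seq
    return ip, ah_fixed + ah_icv(ip, ah_fixed, payload, key), payload

def verify_ah(ip, ah, payload, key):
    # What the far end does on receipt: recompute the ICV and compare constant-time.
    return hmac.compare_digest(ah[12:], ah_icv(ip, ah[:12], payload, key))

def natd_rewrite_src(ip, new_src):
    # Hypothetical stand-in for natd on an outbound packet: swap in the WAN address, decrement TTL.
    h = bytearray(ip)
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    return bytes(h)

def esp_icv(esp_hdr, ciphertext, key):
    # ESP's ICV (RFC 2406) covers only the ESP header and encrypted payload, never the outer IP header.
    return hmac.new(key, esp_hdr + ciphertext, hashlib.sha1).digest()[:12]

def demo():
    ip, ah, pl = build_ah_packet(LAPTOP, CONTIVITY, b"constructed inner data", KEY)
    ah_ok_on_lan = verify_ah(ip, ah, pl, KEY)                                # True before NAT
    ah_ok_after_nat = verify_ah(natd_rewrite_src(ip, WAN_IP), ah, pl, KEY)  # False: 192.168.0.10 is gone
    esp_hdr, ct = struct.pack("!II", 0x2000, 1), b"\x5a" * 32               # SPI/seq + stand-in ciphertext
    icv = esp_icv(esp_hdr, ct, KEY)
    esp_ok_after_nat = hmac.compare_digest(icv, esp_icv(esp_hdr, ct, KEY))  # NAT never touched these bytes
    return ah_ok_on_lan, ah_ok_after_nat, esp_ok_after_nat

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```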