Date: Wed, 30 Apr 2003 17:34:32 -0500 (CDT)
From: Chris Kesler <chris@pconline.com>
To: freebsd-security@freebsd.org
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
Message-ID: <Pine.LNX.4.44.0304301720010.29786-100000@newton.pconline.com>
In-Reply-To: <20030430190041.1297337B405@hub.freebsd.org>
Guy Middleton wrote:
>
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this?  I can't find any hints in the man pages.
>
> ------------------------------

Guy,

I do this on my FreeBSD firewall, using IPF and IPNAT. I have Nortel's
Extranet Access Client on a PC. I use it to connect to a Nortel Contivity
VPN switch at work. I figured that, if any off-the-shelf broadband router
can do it, then I should be able to do it. It took some time and patience
and a lot of packet captures, but I got it.

There are two types of traffic that you must allow to pass through.
ISAKMP, which is UDP port 500. And ESP, which is IP protocol 50.

I'm not sure if the following is true for all IPSec implementations, but
in my case, the VPN switch at the office would drop the ISAKMP packet
unless it was both sourced and destined for UDP 500. After I added these
two rules to my /etc/ipnat.rules file, I have been able to connect to my
work via VPN.

###################################
# For VPN key exchange, must be UDP 500 for both source and destination
###################################
map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

###################################
# Catchall for non-TCP and non-UDP, i.e. ICMP, and ESP for VPN
###################################
map xl0 192.168.1.0/24 -> 0/32

Of course, you'll have to allow both these types of traffic into your
private LAN. In my case, I did not require additional rules in my
ipf.rules file, because I already allow all Internet bound traffic from
my private LAN to go out. And the return traffic is allowed in, thanks to
the "keep state" feature of IPFilter.

Good luck!

-Chris
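The post says the diagnosis came from packet captures: the peer drops ISAKMP unless both source and destination ports are UDP 500, and ESP (IP protocol 50) has no ports at all for a NAT to rewrite. The following is an added example, not Chris's code and not part of the thread, that walks tcpdump-style output on the outside interface, counts the two IPSec traffic types, and flags any ISAKMP packet whose source port was rewritten away from 500 (the condition the post identifies as the reason the VPN switch discards the packet). The capture lines, addresses and SPIs are constructed for the example; the line layout assumed is that of `tcpdump -n`.

```python
"""Audit a capture for the two IPSec traffic types a NAT firewall must pass.

Added example (not from the mailing-list post). Assumes tcpdump -n style
lines; all sample lines below are constructed, not real captures.
"""
import re
from collections import Counter

# Constructed sample: 203.0.113.10 is the firewall's outside address,
# 198.51.100.7 is the remote VPN gateway. The fifth line simulates an
# ISAKMP packet whose source port a NAT rule rewrote to 61234.
SAMPLE_CAPTURE = """\
17:20:01.000100 IP 203.0.113.10.500 > 198.51.100.7.500: isakmp: phase 1 I ident
17:20:01.004200 IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 R ident
17:20:02.100000 IP 203.0.113.10 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
17:20:02.104000 IP 198.51.100.7 > 203.0.113.10: ESP(spi=0x4e5f6071,seq=0x1), length 116
17:20:05.000000 IP 203.0.113.10.61234 > 198.51.100.7.500: isakmp: phase 1 I ident
17:20:06.000000 IP 203.0.113.10.40001 > 198.51.100.7.53: 1234+ A? example.com. (29)
"""

ISAKMP_PORT = 500
REQUIRED_TYPES = {"isakmp", "esp"}   # UDP 500 and IP protocol 50

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# UDP/TCP lines carry a port after the address: "a.b.c.d.port > e.f.g.h.port:"
PORTED_LINE = re.compile(
    rf"IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): (?P<what>\S+)"
)
# ESP has no ports; tcpdump prints the SPI instead.
ESP_LINE = re.compile(rf"IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ESP\(spi=(?P<spi>0x[0-9a-f]+)")


def classify(line):
    """Return a tuple describing an IPSec packet, or None for anything else.

    ('esp', src, dst, spi) or ('isakmp', src, sport, dst, dport).
    ESP is tested first because its address-only form would otherwise be
    mis-split by the ported pattern.
    """
    m = ESP_LINE.search(line)
    if m:
        return ("esp", m["src"], m["dst"], m["spi"])
    m = PORTED_LINE.search(line)
    if m and m["what"].startswith("isakmp"):
        return ("isakmp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return None


def audit(capture):
    """Count IPSec packets by type and flag ISAKMP not using 500 on both ends.

    Returns (counts, flagged_lines). A flagged line is what you would see
    when the NAT has rewritten the ISAKMP source port, which the post reports
    the remote VPN switch rejects.
    """
    counts = Counter()
    flagged = []
    for line in capture.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        counts[rec[0]] += 1
        if rec[0] == "isakmp" and not (rec[2] == ISAKMP_PORT and rec[4] == ISAKMP_PORT):
            flagged.append(line.strip())
    return dict(counts), flagged


def missing_types(counts):
    """Which of the two required traffic types never appeared in the capture.

    Seeing ISAKMP but no ESP usually means the key exchange completed and the
    firewall or NAT is then dropping protocol 50.
    """
    return REQUIRED_TYPES - set(counts)


if __name__ == "__main__":
    seen, bad = audit(SAMPLE_CAPTURE)
    print("packets by type:", seen)
    print("never seen:", missing_types(seen) or "none")
    for line in bad:
        print("ISAKMP with rewritten port:", line)
```

Run it against real `tcpdump -n -i <outside-if> 'udp port 500 or ip proto 50'` output to confirm both traffic types leave with the expected ports: an empty "never seen" set and no flagged lines is the state the post's two ipnat rules are meant to produce.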