From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 15:33:39 2003
Date: Wed, 30 Apr 2003 17:34:32 -0500 (CDT)
From: Chris Kesler
To: freebsd-security@freebsd.org
In-Reply-To: <20030430190041.1297337B405@hub.freebsd.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

Guy Middleton wrote:

> I have a FreeBSD box acting as a firewall and NAT gateway.
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this? I can't find any hints in the man pages.

Guy,

I do this on my FreeBSD firewall, using IPF and IPNAT. I have Nortel's
Extranet Access Client on a PC. I use it to connect to a Nortel Contivity
VPN switch at work. I figured that, if any off-the-shelf broadband router
can do it, then I should be able to do it. It took some time and patience
and a lot of packet captures, but I got it.

There are two types of traffic that you must allow to pass through:
ISAKMP, which is UDP port 500, and ESP, which is IP protocol 50.

I'm not sure if the following is true for all IPSec implementations, but
in my case, the VPN switch at the office would drop the ISAKMP packet
unless it was both sourced and destined for UDP 500. After I added these
two rules to my /etc/ipnat.rules file, I have been able to connect to my
work via VPN.

    ###################################
    # For VPN key exchange, must be UDP 500 for both source and destination
    ###################################
    map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

    ###################################
    # Catchall for non-TCP and non-UDP, i.e. ICMP, and ESP for VPN
    ###################################
    map xl0 192.168.1.0/24 -> 0/32

Of course, you'll have to allow both these types of traffic into your
private LAN. In my case, I did not require additional rules in my
ipf.rules file, because I already allow all Internet bound traffic from
my private LAN to go out. And the return traffic is allowed in, thanks to
the "keep state" feature of IPFilter.

Good luck!

-Chris
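The two ipnat rules above, modelled in Python as an added example (not code from the mail or from IPFilter) to show why the port-preserving ISAKMP rule matters: it assumes, as the mail's "catchall" comment implies, that other TCP/UDP flows go through a portmap rule that rewrites source ports, and it uses constructed addresses (203.0.113.10 for xl0, 198.51.100.5 for the VPN switch) and a simplified first-match evaluation rather than ipnat's real engine.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

LAN_PREFIX = "192.168.1."      # 192.168.1.0/24 behind xl0, as in the mail
EXT_ADDR = "203.0.113.10"      # assumed public address of xl0 (the rules' 0/32)
UDP, ESP = 17, 50              # IP protocol numbers
ISAKMP = 500                   # UDP port used by the IKE key exchange


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols (ESP, ICMP)
    dport: Optional[int] = None


def translate(pkt: Packet, preserve_isakmp: bool, free_port: int = 40000) -> Packet:
    """Return pkt as it would leave xl0 under the simplified model.

    preserve_isakmp=True enables the mail's first rule (UDP 500 -> 500 keeps
    its ports).  free_port stands in for an assumed portmap rule that rewrites
    the source port of other TCP/UDP flows.  Port-less protocols hit the
    catch-all map and only get their source address changed."""
    if not pkt.src.startswith(LAN_PREFIX):
        return pkt                                     # not from the LAN: untouched
    if preserve_isakmp and pkt.proto == UDP and pkt.sport == ISAKMP and pkt.dport == ISAKMP:
        return replace(pkt, src=EXT_ADDR)              # rule 1: ports kept
    if pkt.sport is None:
        return replace(pkt, src=EXT_ADDR)              # rule 2: ESP/ICMP catch-all
    return replace(pkt, src=EXT_ADDR, sport=free_port) # assumed portmap rule


def peer_accepts_isakmp(pkt: Packet) -> bool:
    """Behaviour described in the mail: the VPN switch drops ISAKMP unless
    both source and destination port are UDP 500."""
    return pkt.proto == UDP and pkt.sport == ISAKMP and pkt.dport == ISAKMP


def rewritten_isakmp(outbound: List[Packet]) -> List[Packet]:
    """Diagnostic over packets captured on the outside interface: ISAKMP
    packets whose source port was rewritten, i.e. the ones the peer drops."""
    return [p for p in outbound
            if p.proto == UDP and p.dport == ISAKMP and p.sport != ISAKMP]


# Constructed sample traffic: VPN client on the LAN talking to the remote switch.
VPN_PEER = "198.51.100.5"
IKE = Packet(UDP, "192.168.1.20", VPN_PEER, ISAKMP, ISAKMP)
ESP_PKT = Packet(ESP, "192.168.1.20", VPN_PEER)
```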