Date:      Thu, 2 Nov 2000 15:29:57 +0100 (CET)
From:      Christian Ruediger Bahls <christian@it-netservice.de>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc:        anderson@centtech.com, security <security@FreeBSD.ORG>
Subject:   Re: pipsecd - thru port 
Message-ID:  <Pine.BSF.4.21.0011021529180.2006-100000@phase2.intern.it-netservice.de>
In-Reply-To: <200011021300.eA2D0s433714@cwsys.cwsent.com>

not to forget udp/500 <-> udp/500 for ISAKMP/IKE :))


On Thu, 2 Nov 2000, Cy Schubert - ITSD Open Systems Group wrote:

> In message <3A002C78.7F3537D4@centtech.com>, Eric Anderson writes:
> > I'm using ipsec (with pipsecd on two FreeBSD 4.1 machines) to build a
> > VPN.  I need to go thru a firewall, but I don't know which ports to
> > forward thru, or if this is even possible.. So here's what I want to do:
> > 
> > -----      -----      ------
> > | A | -----|FW |------| B  |
> > -----      -----      ------
> > 
> > machine A is a freebsd box inside the firewall (FW), B is the freebsd
> > box outside the firewall attempting to connect to A thru FW, in other
> > words, B thinks it's connecting to FW port XX, but FW forwards port XX to
> > port XX on A, connecting the vpn thru the FW.. I currently have VPNs
> > set up with linux boxen with the SSH+PPP method, which works alright, it
> > would just work a LOT better with ipsec and such.. So, what ports do I
> > need to forward on FW to make this all work?
> 
> Pipsecd and IPsec use ESP and AH, protocols 50 & 51 (/etc/protocols), 
> NOT services (ports as in /etc/services) 50 & 51.  Your firewall must 
> be configured to pass packets matching the protocol.  As a picture is 
> worth a thousand words, here are samples from one of my IP Filter 
> firewalls.
> 
> pass in quick on xl0 proto esp from EXTERNAL_IP_ADDR to any
> pass out quick on xl0 proto esp from any to EXTERNAL_IP_ADDR
> pass in quick on xl0 proto ah from EXTERNAL_IP_ADDR to any
> pass out quick on xl0 proto ah from any to EXTERNAL_IP_ADDR
> 
> 
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
> 
> 
> 

-- 
Christian Bahls
Networking Dep.
iT-netservice GmbH
Leipzig, Germany
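Putting the two replies together, an added example (not a ruleset posted in the thread) of an IP Filter /etc/ipf.conf fragment for the firewall FW: the ESP/AH rules from Cy's message plus the UDP/500 ISAKMP/IKE rules Christian points out. The interface name xl0 and the placeholder EXTERNAL_IP_ADDR (the address of peer B) are assumed, as in Cy's sample.

```conf
# Added example, not from the original thread. Assumes the outside
# interface is xl0 and EXTERNAL_IP_ADDR is the remote IPsec peer (B).

# IKE/ISAKMP key exchange: UDP port 500 to UDP port 500 on both ends.
# Without this the peers never negotiate an SA, so no ESP/AH ever flows.
pass in quick on xl0 proto udp from EXTERNAL_IP_ADDR port = 500 to any port = 500
pass out quick on xl0 proto udp from any port = 500 to EXTERNAL_IP_ADDR port = 500

# ESP (IP protocol 50) and AH (IP protocol 51) carry the tunnelled data.
# These are IP protocols, not TCP/UDP services, so there is no port
# number to forward: the firewall has to pass the protocol itself.
pass in quick on xl0 proto esp from EXTERNAL_IP_ADDR to any
pass out quick on xl0 proto esp from any to EXTERNAL_IP_ADDR
pass in quick on xl0 proto ah from EXTERNAL_IP_ADDR to any
pass out quick on xl0 proto ah from any to EXTERNAL_IP_ADDR
```

After reloading the rules (`ipf -Fa -f /etc/ipf.conf`), `tcpdump -ni xl0 'udp port 500 or esp or ah'` on FW shows whether the IKE exchange completes and ESP/AH packets follow. One caveat for the setup Eric describes: if FW rewrites addresses to reach A (NAT rather than plain filtering), AH will fail, because the AH integrity check covers the IP header's source and destination addresses.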




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0011021529180.2006-100000>