From owner-freebsd-security@FreeBSD.ORG Thu May 1 04:29:08 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2C4A837B401
	for ; Thu, 1 May 2003 04:29:07 -0700 (PDT)
Received: from chomsky.sohotech.ca (ottawa-hs-64-26-169-251.s-ip.magma.ca [64.26.169.251])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BF7F243F3F
	for ; Thu, 1 May 2003 04:29:06 -0700 (PDT)
	(envelope-from vmsmith@grokking.org)
Received: from conrad.sohotech.ca (conrad.sohotech.ca [192.168.1.2])
	by chomsky.sohotech.ca (8.12.6p2/8.12.6) with ESMTP id h41BT4a4017847
	for ; Thu, 1 May 2003 07:29:04 -0400 (EDT)
	(envelope-from vmsmith@grokking.org)
Received: from [192.168.1.4] ([192.168.1.4]) by conrad.sohotech.ca
	with Microsoft SMTPSVC(5.0.2195.5329); Thu, 1 May 2003 07:29:04 -0400
From: "V.M.Smith"
To: freebsd-security@freebsd.org
In-Reply-To: <20030430190040.A78C937B407@hub.freebsd.org>
References: <20030430190040.A78C937B407@hub.freebsd.org>
Content-Type: text/plain
Organization:
Message-Id: <1051788543.641.31.camel@thoreau.sohotech.ca>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.4
Date: 01 May 2003 07:29:04 -0400
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 01 May 2003 11:29:04.0377 (UTC) FILETIME=[DEE88690:01C30FD4]
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 01 May 2003 11:29:08 -0000

Hi,

Looks like you just want client-side "pass-through" functionality. If
this is correct, try using ipf/ipnat and write a map proxy rule in
/etc/ipnat.rules. I use this, assuming ipf/ipnat on a dual-homed
gateway:

[NOTE: this should appear BEFORE other map entries.]

    map -> 0/32 proxy port 500 ipsec/udp

Then make sure your /etc/ipf.rules has appropriate entries to support
it. I use these:

    pass in quick on proto 50 from any to any keep state
    pass in quick on proto udp from any port = 500 to any keep state

Try using tcpdump on the gateway to determine any additional needs
specific to your implementation and topology. Set aside some time and
be prepared to tinker...

Hope that helps,
VS

On Wed, 2003-04-30 at 15:00, freebsd-security-request@freebsd.org wrote:
> Send freebsd-security mailing list submissions to
> 	freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> 	freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> 	freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>    1. how to configure a FreeBSD firewall to pass IPSec? (Guy Middleton)
>    2. Re: how to configure a FreeBSD firewall to pass IPSec?
>       (David G. Andersen)
>    3. Re: how to configure a FreeBSD firewall to pass IPSec?
>       (Lowell Gilbert)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 30 Apr 2003 09:45:37 -0400
> From: Guy Middleton
> Subject: how to configure a FreeBSD firewall to pass IPSec?
> To: freebsd-security@freebsd.org
> Message-ID: <20030430094537.A20710@chaos.obstruction.com>
> Content-Type: text/plain; charset=us-ascii
>
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this? I can't find any hints in the man pages.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 30 Apr 2003 07:55:27 -0600
> From: "David G. Andersen"
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
> To: Guy Middleton
> Cc: freebsd-security@freebsd.org
> Message-ID: <20030430075527.A54362@cs.utah.edu>
> Content-Type: text/plain; charset=us-ascii
>
> Guy Middleton just mooed:
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
>   It's probably using either ipip, esp, or ipencap.  tcpdump the
> traffic, and then permit whichever protocol it's using.
>
>   permit esp from foo to bar
>
>   -Dave
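The two replies above agree on the method: run tcpdump on the gateway, see which IPsec-related protocol the client actually uses, then pass exactly that. The script below is an added example, not code from this thread or from the IPFilter project. It classifies tcpdump lines into IKE (UDP 500), ESP (IP protocol 50), AH (51) and IP-in-IP (ipencap, 4), then emits ipf/ipnat lines in the same form as the rules V.M.Smith posted. The capture lines are constructed, and the external interface name (fxp0) and LAN network (192.168.1.0/24) are assumptions the caller supplies; the thread's own rules elide those values.

```python
"""Classify tcpdump output by IPsec-related protocol and derive the
ipf/ipnat lines needed to pass it through a dual-homed gateway.
Added example; not part of the mailing-list thread."""
import re
from collections import Counter

# IANA IP protocol numbers for the encapsulations named in the thread.
# Note that /etc/protocols maps "ipencap" to 4 and "ipip" to 94.
IP_PROTO = {"ipencap": 4, "esp": 50, "ah": 51, "ipip": 94}

# Constructed sample of `tcpdump -n` output on the gateway (not a real capture).
SAMPLE_CAPTURE = """\
07:10:01.000001 IP 192.168.1.4.500 > 203.0.113.10.500: isakmp: phase 1 I ident
07:10:01.000523 IP 203.0.113.10.500 > 192.168.1.4.500: isakmp: phase 1 R ident
07:10:02.100000 IP 192.168.1.4 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
07:10:02.100400 IP 203.0.113.10 > 192.168.1.4: ESP(spi=0x4d3c2b1a,seq=0x1), length 116
07:10:03.000000 IP 192.168.1.4 > 203.0.113.10: AH(spi=0x00000101,seq=0x7): ICMP echo request, id 1, seq 1, length 64
07:10:04.000000 IP 192.168.1.4 > 203.0.113.10: IP 10.0.0.4 > 10.0.1.9: ICMP echo request, id 2, seq 1, length 64 (ipip-proto-4)
07:10:05.000000 IP 192.168.1.4.51234 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
"""

# One pattern per traffic class; the first match wins.
CLASSIFIERS = [
    ("isakmp",  re.compile(r"\.500 > [\d.]+\.500: isakmp")),  # IKE on UDP 500
    ("esp",     re.compile(r": ESP\(")),                       # IP protocol 50
    ("ah",      re.compile(r": AH\(")),                        # IP protocol 51
    ("ipencap", re.compile(r"\(ipip-proto-4\)")),              # IP-in-IP, protocol 4
]


def classify_line(line):
    """Return the traffic class of one tcpdump line, 'other' if not IPsec-related."""
    for name, pattern in CLASSIFIERS:
        if pattern.search(line):
            return name
    return "other"


def summarize_capture(text):
    """Count non-empty tcpdump lines per traffic class."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            counts[classify_line(line)] += 1
    return counts


def suggest_rules(counts, ext_if, lan_net):
    """Build ipf and ipnat lines for the classes actually observed.

    ext_if (external interface) and lan_net (inside network) are
    assumptions supplied by the caller; the rule shapes follow the
    thread's examples (ipnat ipsec proxy, ipf pass ... keep state).
    """
    ipf, ipnat = [], []
    if counts["isakmp"]:
        ipnat.append(f"map {ext_if} {lan_net} -> 0/32 proxy port 500 ipsec/udp")
        ipf.append(f"pass in quick on {ext_if} proto udp from any port = 500 to any keep state")
    for name in ("esp", "ah", "ipencap"):
        if counts[name]:
            ipf.append(f"pass in quick on {ext_if} proto {IP_PROTO[name]} from any to any keep state")
    return ipf, ipnat


if __name__ == "__main__":
    seen = summarize_capture(SAMPLE_CAPTURE)
    print("observed:", dict(seen))
    rules, nat = suggest_rules(seen, "fxp0", "192.168.1.0/24")  # assumed values
    print("\n# /etc/ipnat.rules (place before other map entries)")
    print("\n".join(nat))
    print("\n# /etc/ipf.rules")
    print("\n".join(rules))
```

Only protocols that actually appear in the capture produce rules, which keeps the pass list as narrow as the client requires; the plain TCP line in the sample is counted as "other" and generates nothing.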