From owner-freebsd-isp Sun Dec 22 16:36:32 2002
Message-ID: <3E065A9E.2050301@tacni.com>
Date: Sun, 22 Dec 2002 18:36:46 -0600
From: Tom ONeil
To: Free
Subject: ipnat Cisco VPN problem

Greetings all and happy holidays;

I have a 4.5-STABLE FreeBSD box using ipfilter and ipnat as a firewall/NAT box. It only allows one Cisco VPN client at a time to connect unless external IPs are mapped one-to-one. It will attempt to make the port 500 connection but does not seem to be assigning/allowing a variable port after the first one connects using port 10000. I suspect this is because of the ipnat rule

    map fxp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32

that is sending all the traffic through one IP. I opened up the rules completely to eliminate that as a possibility. I confess much of this I am regurgitating from the Cisco docs, but (of course) the firewall guy is on vacation... Using trafshow I can see the attempted connections on port 500. Directions, FAQs, requests for more info, etc. all welcome.
These are the VPN rulesets in place now:

    # Inbound
    pass in quick on fxp0 proto tcp from any to any port = 1723 flags S keep state
    pass out quick on fxp0 proto tcp from any to any port = 1723 flags S keep state
    pass in quick on fxp0 proto 47 from any to any
    pass out quick on fxp0 proto 47 from any to any
    pass in quick on fxp0 proto 50 from any to any
    pass out quick on fxp0 proto 50 from any to any
    pass in quick on fxp0 proto 51 from any to any
    pass out quick on fxp0 proto 51 from any to any
    pass in quick on fxp0 proto udp from any port = 500 to any port = 500
    pass out quick on fxp0 proto udp from any port = 500 to any port = 500

    ## Outgoing VPN Rules
    pass in quick on fxp1 proto tcp from any to any port = 1723 flags S keep state
    pass out quick on fxp1 proto tcp from any to any port = 1723 flags S keep state
    pass in quick on fxp1 proto 47 from any to any
    pass out quick on fxp1 proto 47 from any to any
    pass in quick on fxp1 proto esp from any to any
    pass out quick on fxp1 proto esp from any to any
    pass in quick on fxp1 proto ah from any to any
    pass out quick on fxp1 proto ah from any to any
    pass in quick on fxp1 proto ipencap from any to any
    pass out quick on fxp1 proto ipencap from any to any
    pass in quick on fxp1 proto udp from any port = 500 to any port = 500
    pass out quick on fxp1 proto udp from any port = 500 to any port = 500

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
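As an added illustration (not code from the poster, nor from IPFilter/ipnat), here is a simplified model of a many-to-one NAT session table like the `map fxp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32` rule in the post: ESP (IP protocol 50) carries no port numbers, so once one inside host has a tunnel to a given peer, a second inside host's ESP to the same peer has no distinguishing outside key, whereas UDP-encapsulated IPsec (the client's port 10000 mode) can be given a distinct outside source port per client. The addresses and port pool are constructed sample values, and the allocation logic is a teaching model, not ipnat's actual algorithm.

```python
"""Toy many-to-one NAT table (constructed model, not ipnat's code): a second
IPsec client behind one outside address collides on ESP but not on UDP."""
from dataclasses import dataclass
from typing import Optional

ESP = 50   # IP protocol 50 (ESP): no transport-layer ports to translate
UDP = 17

@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as ESP
    dport: Optional[int] = None

class ManyToOneNat:
    """Every inside host is mapped to one outside address; UDP/TCP flows get
    an outside source port from a pool (portmap-style).  The table key is
    what the remote peer sees, and it must identify the inside host."""
    def __init__(self, outside_ip: str, port_pool=range(40000, 40010)):
        self.outside_ip = outside_ip
        self.ports = iter(port_pool)   # constructed pool, hypothetical range
        self.table = {}                # outside-visible key -> inside Flow

    def translate(self, f: Flow) -> Optional[Flow]:
        if f.sport is None:
            # Port-less protocol: the only outside key is (proto, out_ip, peer).
            key = (f.proto, self.outside_ip, f.dst)
            if key in self.table and self.table[key].src != f.src:
                return None   # second inside host to same peer: reply ESP is ambiguous
            self.table[key] = f
            return Flow(f.proto, self.outside_ip, f.dst)
        # Port-based protocol: allocate a fresh outside source port per flow.
        for port in self.ports:
            key = (f.proto, self.outside_ip, port, f.dst, f.dport)
            if key not in self.table:
                self.table[key] = f
                return Flow(f.proto, self.outside_ip, f.dst, port, f.dport)
        return None   # port pool exhausted

def demo(outside_ip="203.0.113.1", peer="198.51.100.5"):
    """Two inside clients (constructed addresses) reaching the same VPN peer."""
    nat = ManyToOneNat(outside_ip)
    a, b = "192.168.1.10", "192.168.1.11"
    return {"esp_a": nat.translate(Flow(ESP, a, peer)),
            "esp_b": nat.translate(Flow(ESP, b, peer)),
            "udp_a": nat.translate(Flow(UDP, a, peer, 10000, 10000)),
            "udp_b": nat.translate(Flow(UDP, b, peer, 10000, 10000))}
```

In this model `esp_b` gets no mapping while both UDP flows do, which is the same distinction that makes one-to-one address mappings or UDP encapsulation the usual way to let several IPsec clients share one NAT address.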