Date: Thu, 14 Feb 2008 18:25:35 -0600
From: Matthew Grooms <mgrooms@shrew.net>
To: nlandys@gmail.com
Cc: freebsd-net@freebsd.org
Subject: RE: PF firewall NAT and Windows IPSEC tunnel
Message-ID: <47B4DBFF.6070207@shrew.net>
Nerius,

This sounds like a DPD timeout. The Cisco VPN client or Cisco gateway is probably not configured to use NAT-T or you are blocking UDP port 4500. Using the static-port trick will help in some instances where a client doesn't support NAT-T, but it also prevents multiple clients behind the pf firewall from communicating with the same gateway simultaneously. If that's not the case then no big deal. If so, it's best to just NAT UDP port 4500 outbound normally for Cisco clients unless the Cisco gateway has NAT-T disabled.

In legacy IPsec fashion, the client will establish its IKE session on the standard UDP port 500 and then pass ESP transport packets. With NAT-T enabled, the client will initiate IKE on port 500 and then switch to port 4500 if NAT is detected. ESP packets will be encapsulated in UDP and passed on port 4500 as well, which is easier for NAT firewalls to deal with. The client should also issue keep-alive packets to prevent firewall state from being culled. Without this, no traffic would be sent while the client is idle and pf would drop state after 60 secs by default.

    udp.first      60s
    udp.single     30s
    udp.multiple   60s
    other.first    60s
    other.single   30s
    other.multiple 60s

If you don't see traffic on port 4500 but you do see ESP traffic, the other thing to try would be to increase the state lifetime for UDP port 500 and ESP traffic. Assuming DPD is enabled on the Cisco gateway, this would help avoid state timeout so that the client has more time between sending or receiving notifications. ESP shouldn't be too troublesome as there are no ports to translate ... unless you have multiple clients behind the same firewall trying to talk to the same gateway. But that's what NAT-T is for.

Hope this helps,

-Matthew
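The two suggestions in Matthew's message, static-port NAT for IKE on UDP 500 with normal NAT for NAT-T on UDP 4500, and longer state lifetimes for UDP and ESP, fit in a short pf.conf fragment. The fragment below is an added example written for this page, not configuration from the thread or from any Cisco or Shrew Soft documentation. It assumes the classic FreeBSD 7-era pf syntax with separate "nat" rules (as used when this message was written), and the interface names em0/em1, the LAN prefix 192.168.1.0/24 and the timeout values are placeholders chosen for the illustration.

```pf
# pf.conf fragment (added example, not from the thread). Assumes the classic
# FreeBSD 7-era pf syntax with separate "nat" rules. Interface names, the LAN
# prefix and the timeout values are placeholders for this illustration.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# IKE phase 1 on UDP 500: keep the source port unchanged for gateways that
# expect a 500<->500 exchange. Trade-off from the message above: with
# static-port only one client behind this box can talk to a given gateway
# at a time. Drop this rule if the clients support NAT-T.
nat on $ext_if proto udp from $int_net to any port 500 -> ($ext_if) static-port

# Everything else, including NAT-T on UDP 4500, is translated normally; the
# UDP encapsulation carries ESP, so several clients can share one gateway.
nat on $ext_if from $int_net to any -> ($ext_if)

# Raise the UDP and "other" (ESP, IP protocol 50) state lifetimes well above
# the 60s/30s/60s defaults quoted above, so an idle tunnel without keep-alives
# is not culled between DPD exchanges. Values are illustrative.
set timeout { udp.first 300, udp.single 150, udp.multiple 600 }
set timeout { other.first 300, other.single 150, other.multiple 600 }

# Allow the IKE, NAT-T and ESP flows out from the LAN and keep state for them.
pass in  on $int_if proto udp from $int_net  to any port { 500, 4500 } keep state
pass in  on $int_if proto esp from $int_net  to any keep state
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the new lifetimes took effect with `pfctl -st`, which prints the same udp.* and other.* entries shown in the message. Because pf uses the first matching nat rule, the static-port rule must stay above the general one; if `tcpdump -ni em0 udp port 4500` shows NAT-T traffic, the static-port rule is not needed and removing it restores support for multiple clients behind the firewall reaching the same gateway.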