From owner-freebsd-questions@FreeBSD.ORG Tue Aug 11 05:39:02 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8786A10656B6; Tue, 11 Aug 2009 05:39:00 +0000 (UTC) (envelope-from nlandys@gmail.com)
Date: Mon, 10 Aug 2009 22:38:58 -0700
Message-ID: <560f92640908102238g3a0f0c2ai9fcc36fdb9227b29@mail.gmail.com>
In-Reply-To: <4A808393.80501@witchspace.com>
References: <4A808393.80501@witchspace.com>
From: Nerius Landys
To: Jonathan Belson
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw, NAT and CISCO IPSec VPNs
Content-Type: text/plain; charset=ISO-8859-1
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 11 Aug 2009 05:39:16 -0000

> I've got a pretty standard network which uses a FreeBSD server to perform
> NAT between my internal IPs (192.168.0.x) and the outside world. Everything
> is working tickety-boo, but I'm trying to tweak my firewall rules (ipfw,
> based on the 'SsIiMmPpLlEe' firewall template in rc.firewall) to allow a
> CISCO IPSec-based VPN client on a local machine to connect to a remote
> server (tunnel).
>
> tcpdump shows that the client attempts to send packets to the remote VPN
> server on port 500 (isakmp) as you'd expect, but it's not getting any
> packets back and so the connection fails.
>
> The following suggests that you can solve the problem by not changing the
> source port of the NATed packets, but gives a sample using pf:
>
> http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008749.html
>
> Other posts I've read say you can simply forward packets from the remote VPN
> server to the machine running the VPN client, but (needless to say) I
> haven't been able to get this to work:
>
> http://groups.google.com/group/comp.unix.bsd/browse_thread/thread/85d775a73e352aa5/f62e6b0d67b2d576
>
> Any suggestions from people who have done similar before?

I'm very surprised that you wrote this email because I stayed up most of the night yesterday to fix a similar problem. I was running a NAT using the OpenBSD pf firewall on my FreeBSD 7.1 router. Yeah, everything was working fine just like in your case. One of the people at home (from within 192.168.0.x) is using Cisco VPN Client to do some IPSec/UDP something or other (I don't know too much about this, frankly) and the connection kept timing out after 5 minutes. I tried just about every permutation of pf rules, from the very simple and minimalistic to the more elaborate. Nothing worked; it still timed out after 5 minutes.
I then did a sanity check and connected a simple Linksys router device to replace my FreeBSD router with the Linksys (direct replacement, same network configs). The Linksys did not cause the timeout issue. So I figured the FreeBSD router was the culprit. I then tried to do away with OpenBSD's pf, and I tried the IPFILTER (IPF) firewall. I created a one-liner rule in /etc/ipnat.rules:

    map fxp4 192.168.0.0/24 -> 0/32

and I didn't even enable ipfilter in /etc/rc.conf, only ipnat. This was my minimalist test to see if perhaps pf was somehow to blame. It turns out that with IPFILTER all works well. So, I guess I'm sticking with IPFILTER.
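To make the setup the reply describes concrete, here is an added configuration example (it is not from the original thread and was not posted by either participant): a minimal IPFilter NAT on a FreeBSD gateway consisting of one plain `map` rule with no `portmap` clause, so the translator does not rewrite UDP source ports (keeping ISAKMP on UDP/500 and NAT-T on UDP/4500 mappable back to the client) and still translates non-TCP/UDP protocols such as ESP by address, plus the `/etc/rc.conf` lines that enable only ipnat. The interface name `fxp4` and the 192.168.0.0/24 network are the values used in the reply. The pf `static-port` and natd `-same_ports` lines at the end are the "don't change the source port" equivalents for the other FreeBSD NAT engines, taken from their manual pages as an assumption about what the question's pf link refers to; they were not tested in this thread.

```conf
# /etc/ipnat.rules  (added example; fxp4 is the external interface from the reply)
#
# One plain "map" rule, deliberately without "portmap tcp/udp auto":
#  - TCP and UDP flows are translated by address only, so the client's
#    source port on UDP/500 (ISAKMP) and UDP/4500 (NAT-T) is preserved
#    and the VPN server's replies map back to the right internal host;
#  - protocols that are neither TCP nor UDP (e.g. ESP, IP protocol 50)
#    are also translated by address, which a portmap-only rule would not do.
# "0/32" means "use the address currently configured on fxp4".
map fxp4 192.168.0.0/24 -> 0/32

# /etc/rc.conf  (only ipnat is enabled, matching the reply; ipfilter_enable stays off)
gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# Equivalent "keep the source port" settings for the other NAT engines
# (assumed from pf.conf(5) and natd(8); not part of the thread's tested setup):
#
# pf.conf:   nat on fxp4 from 192.168.0.0/24 to any -> (fxp4) static-port
# rc.conf:   natd_flags="-same_ports"    # for the ipfw + natd layout used by rc.firewall
```

After editing the rules file, `ipnat -CF -f /etc/ipnat.rules` flushes the old mappings and loads the new ones, and `ipnat -l` lists the active translations so you can confirm that the UDP/500 session from the internal client appears with its original source port on the outside address. Keep in mind that a NAT which never rewrites ports can only carry one internal IPsec client per external address to the same remote server at a time; that limitation is inherent to the approach, not to IPFilter.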