Date: Thu, 29 Nov 2001 08:49:07 -0500 (EST)
From: "H. Wade Minter" <minter@lunenburg.org>
To: questions@freebsd.org
Subject: Allowing IPSec through FreeBSD/ipfw gateway
Message-ID: <20011129083512.K23116-100000@bunning.skiltech.com>
Hello,
I'm trying to connect two Linux FreeS/WAN IPSec machines together. One
lives out on the internet "at large", the other one is at my home on my
private subnet, behind a RELENG_4 firewall using ipfw.
My attempt at IPSec rules is:
# Attempt to allow IPSec
$fwcmd add allow udp from any to any in
$fwcmd add allow udp from any to any out
$fwcmd add allow tcp from any to any 500 in recv $extdev
$fwcmd add allow tcp from any to any 500 out recv $intdev
$fwcmd add allow log esp from any to xxx.xxx.xxx.xxx out
$fwcmd add allow log esp from xxx.xxx.xxx.xxx to any in
$fwcmd add allow ah from any to xxx.xxx.xxx.xxx
$fwcmd add allow ah from xxx.xxx.xxx.xxx to any
Where xxx.xxx.xxx.xxx is the remote IPSec machine. These rules ALMOST
work. When I start the Linux IPSec, I see:
[root@greenbay root]# ipsec auto --up ncwise-minter
104 "ncwise-minter" #1: STATE_MAIN_I1: initiate
106 "ncwise-minter" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2,
expecting MR2
108 "ncwise-minter" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3,
expecting MR3
004 "ncwise-minter" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ncwise-minter" #2: STATE_QUICK_I1: initiate
And it hangs there. There's obviously one bit of traffic I'm not allowing
back through. Here's a tcpdump on the local end:
08:41:46.810515 xxx.xxx.xxx.xxx.isakmp > greenbay.lunenburg.org.isakmp:
isakmp: phase 1 R ident: [|sa] (DF)
08:41:46.822671 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
isakmp: phase 1 I ident: [|ke] (DF)
08:41:46.835754 courthouse.lunenburg.org.domain >
greenbay.lunenburg.org.32770: 55960 NXDomain* 0/1/0 (116)
08:41:47.056608 xxx.xxx.xxx.xxx.isakmp > greenbay.lunenburg.org.isakmp:
isakmp: phase 1 R ident: [|ke] (DF)
08:41:47.147461 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
isakmp: phase 1 I ident[E]: [|id] (DF)
08:41:47.562387 xxx.xxx.xxx.xxx.isakmp > greenbay.lunenburg.org.isakmp:
isakmp: phase 1 R ident[E]: [|id] (DF)
08:41:47.578860 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
08:41:57.572463 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
If anyone can point out the last little bit I need, I'd appreciate it!
--Wade
--
Do your part in the fight against injustice.
Free Dmitry Sklyarov! http://www.freesklyarov.org/
Fight the DMCA! http://www.anti-dmca.org/
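An added example (not the poster's rules and not FreeS/WAN's own configuration): a peer-scoped ipfw rule set that passes only what the captured exchange needs, IKE over UDP port 500 plus ESP and AH as IP protocols, instead of a blanket "allow udp from any to any". The peer address 203.0.113.5, the interface fxp0 and the rule numbers are assumptions; with no third argument the function only prints the rules.

```shell
#!/bin/sh
# Added example, not the original poster's rules. IKE (isakmp) runs over
# UDP port 500 in both directions; ESP and AH are their own IP protocols,
# so they need protocol-level rules. Every rule is scoped to the remote
# peer, which is the part the original any-to-any UDP rules left open.
# Peer address, interface name and rule numbers are assumed placeholders.
#
# Usage: ipsec_rules <peer-ip> <ext-if> [fwcmd]
# With no fwcmd the rules are printed (dry run); pass "ipfw" to install.

ipsec_rules() {
    peer="$1"
    extdev="$2"
    fwcmd="${3:-echo ipfw}"

    # IKE negotiation: UDP 500 <-> UDP 500, remote side fixed to the peer.
    # "log" keeps the hits visible in the security log while debugging.
    $fwcmd add 2000 allow log udp from "$peer" 500 to any 500 in recv "$extdev"
    $fwcmd add 2010 allow log udp from any 500 to "$peer" 500 out xmit "$extdev"

    # ESP-encapsulated data, both directions, peer-scoped.
    $fwcmd add 2020 allow log esp from "$peer" to any in recv "$extdev"
    $fwcmd add 2030 allow log esp from any to "$peer" out xmit "$extdev"

    # AH, in case the SA is negotiated as authentication-only.
    $fwcmd add 2040 allow ah from "$peer" to any in recv "$extdev"
    $fwcmd add 2050 allow ah from any to "$peer" out xmit "$extdev"
}

# Dry run with the assumed peer and interface when executed directly.
ipsec_rules "${1:-203.0.113.5}" "${2:-fxp0}" "${3:-}"
```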
