Date:      Fri, 30 Nov 2001 08:38:15 -0500 (EST)
From:      Scott Nolde <scott@smnolde.com>
To:        "Oliver, Michael W." <oliver.michael@gargantuan.com>
Cc:        "H. Wade Minter" <minter@lunenburg.org>, <questions@FreeBSD.ORG>
Subject:   RE: Allowing IPSec through FreeBSD/ipfw gateway
Message-ID:  <20011130083316.U96278-100000@bsd.smnolde.com>
In-Reply-To: <1DA741CA6767A144BAA4F10012536C27A916@LKLDDC01.GARGANTUAN.COM>

smacked into the keyboard previously by Oliver, Michael W.:

 >Date: Fri, 30 Nov 2001 00:33:13 -0500
 >From: "Oliver, Michael W." <oliver.michael@gargantuan.com>
 >To: 'Scott Nolde' <scott@smnolde.com>, H. Wade Minter <minter@lunenburg.org>
 >Cc: questions@FreeBSD.ORG
 >Subject: RE: Allowing IPSec through FreeBSD/ipfw gateway
 >
 >You can't use AH behind a NAT firewall.  When the packet is passed through
 >NAT, the source IP address is altered to match your global IP address, but
 >the AH is not altered, and therefore the destination (VPN Server) will dump
 >the packet since there is a mis-match between the source IP of the packet,
 >and the source IP specified in the AH.  I have verified this action on
 >several different VPN Servers (CheckPoint and Nortel Contivity, to name
 >two).  Sniff the LAN (and the outside NIC of your firewall, if possible) and
 >you will see the source IP in the AH.  To sum it up.... AH and NAT are like
 >oil and water...
 >
 >In case you are interested, here are the rules that I use... They work like
 >a champ...
 >
 >
 >
 ># Allow IPSec clients to run behind firewall
 ># --- ISAKMP - allow key exchange over UDP 500
 >${fwcmd} add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
 >${fwcmd} add pass udp from ${oip} to any 500 out xmit ${oif}
 >${fwcmd} add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
 >${fwcmd} add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}
 ># --- ESP - allow protocol 50 (ESP) for everyone ;-)
 >${fwcmd} add pass esp from any to any
 >
 >
 >
 >If at all possible, try NOT using AH... HTH.....
 >
 >===========
 >Michael Oliver
 >
 >

I can only vouch for my experience with the Cisco VPN 3000 client on my
win2k laptop which accesses the VPN server without any problems behind my
ipfw NAT firewall.

Likewise, there's no need for me to dispute your ruleset either, since
they are much more refined than mine and restrict traffic to exactly
what is needed.

Perhaps these things need to be put in a VPN FAQ somewhere.

Thanks,
Scott

 >> -----Original Message-----
 >> From: Scott Nolde [mailto:scott@smnolde.com]
 >> Sent: Thursday, November 29, 2001 9:35 AM
 >> To: H. Wade Minter
 >> Cc: questions@FreeBSD.ORG
 >> Subject: Re: Allowing IPSec through FreeBSD/ipfw gateway
 >>
 >>
 >> Make your rules simpler without degrading the effectiveness of your
 >> firewall.  I run natd on my firewall, but have these rules in
 >> place before
 >> the divert statement:
 >>
 >> ipfw allow ip from any to ${VPN}
 >> ipfw allow ip from ${VPN} to any
 >>
 >> where ${VPN} is the other endpoint of the VPN server.
 >>
 >> Try that and then get a little tighter once you sniff the
 >> traffic more.
 >>
 >> - Scott
 >>
 >> smacked into the keyboard previously by
 >> owner-freebsd-questions@FreeBSD.ORG:
 >>
 >>  >Date: Thu, 29 Nov 2001 08:49:07 -0500 (EST)
 >>  >From: H. Wade Minter <minter@lunenburg.org>
 >>  >To: questions@FreeBSD.ORG
 >>  >Subject: Allowing IPSec through FreeBSD/ipfw gateway
 >>  >
 >>  >Hello,
 >>  >
 >>  >I'm trying to connect two Linux FreeS/WAN IPSec machines
 >> together.  One
 >>  >lives out on the internet "at large", the other one is at
 >> my home on my
 >>  >private subnet, behind a RELENG_4 firewall using ipfw.
 >>  >
 >>  >My attempt at IPSec rules is:
 >>  >     # Attempt to allow IPSec
 >>  >     $fwcmd add allow udp from any to any in
 >>  >     $fwcmd add allow udp from any to any out
 >>  >     $fwcmd add allow tcp from any to any 500 in recv $extdev
 >>  >     $fwcmd add allow tcp from any to any 500 out recv $intdev
 >>  >     $fwcmd add allow log esp from any to xxx.xxx.xxx.xxx out
 >>  >     $fwcmd add allow log esp from xxx.xxx.xxx.xxx to any in
 >>  >     $fwcmd add allow ah from any to xxx.xxx.xxx.xxx
 >>  >     $fwcmd add allow ah from xxx.xxx.xxx.xxx to any
 >>  >
 >>  >Where xxx.xxx.xxx.xxx is the remote IPSec machine.  These
 >> rules ALMOST
 >>  >work.  When I start the Linux IPSec, I see:
 >>  >
 >>  >[root@greenbay root]# ipsec auto --up ncwise-minter
 >>  >104 "ncwise-minter" #1: STATE_MAIN_I1: initiate
 >>  >106 "ncwise-minter" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2,
 >>  >expecting MR2
 >>  >108 "ncwise-minter" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3,
 >>  >expecting MR3
 >>  >004 "ncwise-minter" #1: STATE_MAIN_I4: ISAKMP SA established
 >>  >112 "ncwise-minter" #2: STATE_QUICK_I1: initiate
 >>  >
 >>  >And it hangs there.  There's obviously one bit of traffic
 >> I'm not allowing
 >>  >back through.  Here's a tcpdump on the local end:
 >>  >
 >>  >08:41:46.810515 xxx.xxx.xxx.xxx.isakmp >
 >> greenbay.lunenburg.org.isakmp:
 >>  >isakmp: phase 1 R ident: [|sa] (DF)
 >>  >08:41:46.822671 greenbay.lunenburg.org.isakmp >
 >> xxx.xxx.xxx.xxx.isakmp:
 >>  >isakmp: phase 1 I ident: [|ke] (DF)
 >>  >08:41:46.835754 courthouse.lunenburg.org.domain >
 >>  >greenbay.lunenburg.org.32770:  55960 NXDomain* 0/1/0 (116)
 >>  >08:41:47.056608 xxx.xxx.xxx.xxx.isakmp >
 >> greenbay.lunenburg.org.isakmp:
 >>  >isakmp: phase 1 R ident: [|ke] (DF)
 >>  >08:41:47.147461 greenbay.lunenburg.org.isakmp >
 >> xxx.xxx.xxx.xxx.isakmp:
 >>  >isakmp: phase 1 I ident[E]: [|id] (DF)
 >>  >08:41:47.562387 xxx.xxx.xxx.xxx.isakmp >
 >> greenbay.lunenburg.org.isakmp:
 >>  >isakmp: phase 1 R ident[E]: [|id] (DF)
 >>  >08:41:47.578860 greenbay.lunenburg.org.isakmp >
 >> xxx.xxx.xxx.xxx.isakmp:
 >>  >isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
 >>  >08:41:57.572463 greenbay.lunenburg.org.isakmp >
 >> xxx.xxx.xxx.xxx.isakmp:
 >>  >isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
 >>  >
 >>  >If anyone can point out the last little bit I need, I'd
 >> appreciate it!
 >>  >
 >>  >--Wade
 >>  >

Scott Nolde
GPG Key 0xD869AB48
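The point Michael Oliver makes in the quoted message above (AH fails across NAT because its integrity check covers the source IP address, whereas ESP only covers its own header and payload) is easy to see with a small model. The following is an added example, not code from the thread or from any of the posters: it uses HMAC-SHA256 as a stand-in for the real AH/ESP integrity algorithm, a deliberately simplified IPv4 header (addresses and TTL only), a constructed key and constructed addresses. Following RFC 2402, the AH check zeroes mutable header fields such as TTL before hashing, so the example also shows why a normal router hop does not break AH but an address rewrite does.

```python
"""Model of AH vs. ESP integrity checks under NAT (added example, simplified)."""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-shared-key"  # constructed sample key, not a real SA key


def _ip_header(src: str, dst: str, ttl: int) -> bytes:
    """Minimal IPv4 header model: source address, destination address, TTL."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + bytes([ttl]))


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH integrity check value: covers the immutable IP header fields (the
    addresses) plus the payload. Mutable fields such as TTL are zeroed before
    hashing, so a TTL decrement in transit does not invalidate the ICV."""
    covered = _ip_header(src, dst, ttl=0) + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP integrity check value: covers only the ESP header and payload,
    never the outer IP header, so rewriting addresses cannot affect it."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def build_packet(proto: str, src: str, dst: str, payload: bytes) -> dict:
    """Sender side: attach the ICV appropriate to the protocol ('ah' or 'esp')."""
    icv = ah_icv(src, dst, payload) if proto == "ah" else esp_icv(payload)
    return {"proto": proto, "src": src, "dst": dst, "ttl": 64,
            "payload": payload, "icv": icv}


def nat_outbound(pkt: dict, global_ip: str) -> dict:
    """Model of natd on the gateway: rewrite the private source address to the
    gateway's global address and decrement TTL; AH/ESP bytes are untouched."""
    out = dict(pkt)
    out["src"] = global_ip
    out["ttl"] = pkt["ttl"] - 1
    return out


def verify(pkt: dict) -> bool:
    """Receiver side (the VPN server): recompute the ICV from the packet as it
    actually arrived and compare it with the ICV carried in the packet."""
    if pkt["proto"] == "ah":
        expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expected = esp_icv(pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def survives_nat(proto: str) -> bool:
    """Does a packet of the given protocol still verify after passing NAT?
    Addresses are constructed documentation-range values."""
    pkt = build_packet(proto, "192.168.1.10", "203.0.113.5", b"constructed payload")
    return verify(nat_outbound(pkt, "198.51.100.1"))


if __name__ == "__main__":
    for proto in ("ah", "esp"):
        state = "verifies" if survives_nat(proto) else "dropped by receiver"
        print(f"{proto.upper()} after NAT: {state}")
```

Running it shows ESP verifying and AH being rejected, which is exactly the behaviour described on the CheckPoint and Nortel servers in the thread; a packet capture on the outside NIC of the gateway would show the rewritten source address in the IP header while the AH ICV still reflects the private one.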
