Date: Fri, 18 Jun 2004 17:52:40 -0400
From: "Michael W. Oliver" <freebsd-questions@gargantuan.com>
To: Jim Freeze <jim@freeze.org>
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: natd firewall settings for vpn
Message-ID: <20040618215240.GE16261@gargantuan.com>
In-Reply-To: <20040618194631.GA4259@freeze.org>
References: <20040618051102.GA692@freeze.org> <20040618090710.068013f3.wmoran@potentialtech.com> <20040618194631.GA4259@freeze.org>
On 2004-06-18T14:46:31-0500, Jim Freeze wrote:
> mike oliver wrote:
> > The trick here with NAT is that AH will build a checksum of the IP
> > header, which includes the private IP address of your laptop. Since NAT
> > changes this IP address, the destination will dump the packet since the
> > AH checksum will fail.
> >
> > When the laptop is behind the gateway, are you using private addresses
> > on the LAN while running NATD with the 'open' rule set? If yes, then
> > you aren't using AH, but only ESP.
>
> I'm not sure what you are driving at here.
> I think the answer is yes. The IP of clients on my LAN
> are 192.168.0.x.

Then you are indeed using NATD, which means...

> As far as the 'open' rule is concerned, I just used that to
> test if Contivity worked. I'm not sure what you mean by not using AH.
> When using the 'open' firewall ruleset, I did not have to
> add any rules for ESP or AH.

... that you aren't using AH. I, too, connect to a Contivity using the
Nortel client. I haven't configured a Contivity before, but a buddy (that
works in "LABS" for the company that I work for) works on them all the
time, and he confirmed that the Contivity supports IPSec with or without
AH. The point here is that you can't use AH in conjunction with NAT since
AH computes the checksum of the IP header, which includes your 192.168.0.x
address. Using NAT will change the source IP address, leaving the checksum
invalid.

> > Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
> > firewall/router, which runs IPFW2 with NATD. The rules that you have
> > above look ok. Have you tried setting up a static NAT translation in
> > /etc/natd.conf for inbound UDP/500? Something like...
> >
> > redirect_port udp 192.168.1.1:500 500
>
> Would I use this in addition to the firewall rules?

Yes.

> > ${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
> > #
> > ${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
> > ${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
> > ${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
> > ${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
> > #
> > ${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
> > ${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
> > ${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
> > ${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}
> >
> > *NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.
>
> These rules look a little different. Should adding the AH be all I
> need or do I need to replace my rules with the one you list above?

I don't have any rules for AH (protocol 51), and you won't need them either.

-- 
Mike
perl -e 'print unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E<G,*");'
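The reason Mike gives in the reply above (AH authenticates the IP header, including the laptop's private source address, so natd's rewrite invalidates the check, while ESP does not cover the outer header and survives NAT) can be shown with a small model. The Python below is an added example, not code from the thread, from FreeBSD or from ipfw/natd; the header layout, SA key, addresses and payload are constructed, the ICV is a truncated HMAC-SHA256 standing in for the real IPsec integrity algorithms, and the only mutable header field modelled is the TTL (real AH also zeroes TOS, flags, fragment offset and the header checksum).

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

AH_PROTO = 51   # IP protocol number for AH
ESP_PROTO = 50  # IP protocol number for ESP


# Constructed, simplified IPv4 header: only the fields needed to show which
# ones an AH integrity check covers.
@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    proto: int
    ttl: int


def ah_authenticated_bytes(hdr: IPv4Header, payload: bytes) -> bytes:
    """Bytes covered by the AH ICV: the immutable IP header fields (source and
    destination addresses included) with mutable fields zeroed, then the
    payload. TTL is the one mutable field modelled here."""
    return f"{hdr.src}|{hdr.dst}|{hdr.proto}|ttl=0|".encode() + payload


def ah_icv(key: bytes, hdr: IPv4Header, payload: bytes) -> bytes:
    # Truncated HMAC, in the spirit of the 96-bit ICVs IPsec uses.
    return hmac.new(key, ah_authenticated_bytes(hdr, payload), hashlib.sha256).digest()[:12]


def ah_verify(key: bytes, hdr: IPv4Header, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def esp_icv(key: bytes, esp_packet: bytes) -> bytes:
    """ESP authenticates only the ESP header and the encrypted payload; the
    outer IP header is not part of the authenticated bytes."""
    return hmac.new(key, esp_packet, hashlib.sha256).digest()[:12]


def esp_verify(key: bytes, outer_hdr: IPv4Header, esp_packet: bytes, icv: bytes) -> bool:
    # outer_hdr is deliberately ignored: address rewriting is invisible to ESP.
    return hmac.compare_digest(esp_icv(key, esp_packet), icv)


def natd_rewrite(hdr: IPv4Header, public_ip: str) -> IPv4Header:
    """What the NAT gateway does on the way out: replace the private source
    address with its public one, and decrement the TTL like any router."""
    return replace(hdr, src=public_ip, ttl=hdr.ttl - 1)


def plain_router_hop(hdr: IPv4Header) -> IPv4Header:
    """A router without NAT only decrements the TTL."""
    return replace(hdr, ttl=hdr.ttl - 1)


def simulate() -> dict:
    """Send one AH and one ESP packet from a 192.168.0.x laptop through natd
    and report whether the VPN gateway would accept each."""
    key = b"constructed-sa-key-not-a-real-secret"
    payload = b"constructed-payload"
    lan_ip, wan_ip, vpn_gw = "192.168.0.10", "203.0.113.5", "198.51.100.1"

    # AH-protected packet leaving the laptop with its private source address.
    ah_hdr = IPv4Header(lan_ip, vpn_gw, AH_PROTO, 64)
    ah_tag = ah_icv(key, ah_hdr, payload)

    # ESP-protected packet from the same laptop.
    esp_hdr = IPv4Header(lan_ip, vpn_gw, ESP_PROTO, 64)
    esp_packet = b"esp-header-and-ciphertext:" + payload
    esp_tag = esp_icv(key, esp_packet)

    return {
        # A non-NAT hop changes only a mutable field, so AH still verifies.
        "ah_after_plain_hop": ah_verify(key, plain_router_hop(ah_hdr), payload, ah_tag),
        # natd rewrote the source address, which AH covers: the gateway drops it.
        "ah_after_natd": ah_verify(key, natd_rewrite(ah_hdr, wan_ip), payload, ah_tag),
        # ESP does not cover the outer header, so the NATed packet still verifies.
        "esp_after_natd": esp_verify(key, natd_rewrite(esp_hdr, wan_ip), esp_packet, esp_tag),
    }


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'accepted' if ok else 'dropped'}")
```

The model matches the thread's conclusion: the only traffic that has to pass the firewall for this setup is ESP (protocol 50) and ISAKMP (UDP/500), and rules for AH (protocol 51) are unnecessary because AH cannot survive the natd rewrite in the first place.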