Date:      Thu, 02 Nov 2000 04:59:54 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        anderson@centtech.com
Cc:        security <security@FreeBSD.ORG>
Subject:   Re: pipsecd - thru port 
Message-ID:  <200011021300.eA2D0s433714@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 01 Nov 2000 08:45:12 CST." <3A002C78.7F3537D4@centtech.com> 

In message <3A002C78.7F3537D4@centtech.com>, Eric Anderson writes:
> I'm using ipsec (with pipsecd on two FreeBSD 4.1 machines) to build a
> VPN.  I need to go thru a firewall, but I don't know which ports to
> forward thru, or if this is even possible.. So here's what I want to do:
> 
> -----      -----      ------
> | A | -----|FW |------| B  |
> -----      -----      ------
> 
> machine A is a freebsd box inside the firewall (FW), B is the freebsd
> box outside the firewall attempting to connect to A thru FW, in other
> words, B thinks it's connecting to FW port XX, but FW forwards port XX to
> port XX on A, connecting the vpn thru the FW.. I currently have VPNs
> set up with linux boxen with the SSH+PPP method, which works alright, it
> would just work a LOT better with ipsec and such.. So, what ports do I
> need to forward on FW to make this all work?

Pipsecd and IPsec use ESP and AH, protocols 50 & 51 (/etc/protocols), 
NOT services (ports as in /etc/services) 50 & 51.  Your firewall must 
be configured to pass packets matching the protocol.  As a picture is 
worth a thousand words, here are samples from one of my IP Filter 
firewalls.

pass in quick on xl0 proto esp from EXTERNAL_IP_ADDR to any
pass out quick on xl0 proto esp from any to EXTERNAL_IP_ADDR
pass in quick on xl0 proto ah from EXTERNAL_IP_ADDR to any
pass out quick on xl0 proto ah from any to EXTERNAL_IP_ADDR


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
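The distinction the reply makes (ESP and AH are IP protocols 50 and 51, not TCP/UDP ports 50 and 51) is easy to get wrong in a "forward port XX" mindset. The following is an added example, not code from the thread or from pipsecd/IP Filter: it constructs minimal IPv4 packets, parses the protocol field and the port field (which only TCP/UDP have), and shows that port-based rules never match ESP traffic while protocol-based rules do. The addresses, SPI and the rule model are constructed for the demonstration; the IP header checksum is left at zero.

```python
import struct

# IP protocol numbers as listed in /etc/protocols; these are not ports.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51

# Constructed sample addresses (documentation ranges), not the poster's hosts.
EXTERNAL_B = "198.51.100.7"   # machine B, outside the firewall
FIREWALL = "203.0.113.1"      # FW's outside address


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto, src, dst, payload=b""):
    """Construct a minimal IPv4 header (no options, checksum left 0) plus payload."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,             # version 4, IHL 5 (20-byte header)
        0,                # DSCP/ECN
        total_len,
        0, 0,             # identification, flags/fragment offset
        64,               # TTL
        proto,            # the field firewalls match with "proto esp" / "proto ah"
        0,                # header checksum (not computed in this sample)
        ip_to_bytes(src),
        ip_to_bytes(dst),
    )
    return header + payload


def tcp_payload(sport, dport):
    """Only the first 4 bytes of a TCP/UDP header matter here: the two port numbers."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def esp_payload(spi, seq):
    """ESP header: SPI and sequence number. There is no port field at all."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def parse_ipv4(pkt):
    """Return protocol, addresses, and ports (ports only exist for TCP/UDP)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    info = {"proto": proto, "src": src, "dst": dst, "sport": None, "dport": None}
    if proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def port_rule(dport):
    """A 'forward port XX' style rule: it can only ever see TCP/UDP ports."""
    return lambda info: info["dport"] == dport


def proto_rule(proto):
    """The rule the reply recommends: match on the IP protocol number."""
    return lambda info: info["proto"] == proto


def passes(pkt, rules):
    """Default deny; the packet passes if any rule in the list matches it."""
    info = parse_ipv4(pkt)
    return any(rule(info) for rule in rules)


def demo():
    esp_pkt = build_ipv4(PROTO_ESP, EXTERNAL_B, FIREWALL, esp_payload(0x1234, 1))
    tcp_pkt = build_ipv4(PROTO_TCP, EXTERNAL_B, FIREWALL, tcp_payload(40000, 50))
    port_only = [port_rule(50), port_rule(51)]            # the misunderstanding
    by_proto = [proto_rule(PROTO_ESP), proto_rule(PROTO_AH)]  # what is actually needed
    return {
        "esp_with_port_rules": passes(esp_pkt, port_only),      # False: ESP has no port
        "esp_with_proto_rules": passes(esp_pkt, by_proto),      # True
        "tcp50_with_port_rules": passes(tcp_pkt, port_only),    # True, but it is not IPsec
        "tcp50_with_proto_rules": passes(tcp_pkt, by_proto),    # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequence for the original question is the second half of the reply: a port-forwarding entry on FW does nothing for ESP/AH, because the packets carry no port to match; the firewall has to pass protocol 50 (and 51 if AH is used) through to A, as the IP Filter rules above do with `proto esp` and `proto ah`.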