From owner-freebsd-ipfw Mon Oct 22 10:46:21 2001
From: "alexus"
Date: Mon, 22 Oct 2001 13:46:12 -0400
Organization: NexGen
Subject: Re: VPN/GRE/IP47
Message-ID: <013701c15b21$70faaf50$9865fea9@alexus>

I didn't find anything there. Do you know which ports I should forward in order to make my VPN available to the outside world?

----- Original Message -----
From: "Crist J. Clark"
To: "alexus"
Sent: Saturday, October 13, 2001 12:07 AM
Subject: Re: VPN/GRE/IP47

> On Fri, Oct 12, 2001 at 06:26:48PM -0400, alexus wrote:
> > Just out of curiosity, does ipfw support VPN/GRE/IP47? And port forwarding in
> > general, like regular TCP/UDP port forwarding?
>
> "Forwarding?" You mean NAT? natd(8) does do PPTP. The best
> documentation is to actually have a look at the code and in-line
> comments, src/lib/libalias/alias_pptp.c. However, there are inherent
> limitations due to the design of PPTP on what you can actually pull
> off.
> --
> Crist J. Clark                     | cjclark@alum.mit.edu
>                                    | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Oct 23 1:45:26 2001
From: Barry Irwin
To: snap-users@kame.net, ipfw@freebsd.org
Date: Tue, 23 Oct 2001 10:45:22 +0200
Subject: IPFW/IPSEC/NAT interaction issues with 4.4
Message-ID: <20011023104522.E87507@itouchlabs.com>

Hi All

I'm hoping someone here can shed some light on a problem I came across this morning. I have two VPN gateways connected to Cisco VPN concentrators. These are running FreeBSD 4.2-RELEASE and 4.4-RELEASE. The 4.2-based gateway has been functioning without hassles for a while now. However, when I configured the 4.4-based system this morning, I ran into the problem that the IP packets seem to not be being re-injected into the firewall ruleset after the ESP decapsulation. The firewall rulesets are identical between the systems. This re-injection is necessary for me to be able to then place the packet into a divert socket feeding natd, and from there onto the client machines behind the VPN gateway.

Network diagram is as follows:

  [SERVER] - [FW] - [VPNC] --{INTERNET}-- [FBSD VPN GW/FW] -- [CLIENT]

I can connect fine from the firewall itself to the SERVER.

  bash-2.05# telnet S.S.S.22 2300
  Trying S.S.S.22...
  Connected to S.S.S.22.
  Escape character is '^]'.
  ^]
  telnet> q
  Connection closed.

The firewall rules in place at this time are:

  00040 allow udp from any 500 to any 500
  00045 allow esp from any to any
  00046 deny ip from S.S.S.22/24 to any
  65535 allow ip from any to any

My understanding is that rule 46 would deny the traffic; however, an ipfw show 46 indicates that the rule is NOT matching ANY packets!

  bash-2.05# ipfw show 45 46
  00045 9 896 allow esp from any to any
  00046 0 0 deny ip from 203.20.35.0/24 to any

Connections from the client are correctly NATted and go out; responses, however, also seem to be accepted by the FBSD firewall immediately after decryption.

  [bvi@client1 bvi]$ netstat -tn | grep 203
  tcp 0 1 192.168.10.2:1615 203.20.35.22:2300 SYN_SENT

and on the firewall

  Oct 23 18:13:38 off-fw1 /kernel: Connection attempt to TCP B.B.B.8:1615 from S.S.S.22:2300
  Oct 23 18:13:56 off-fw1 last message repeated 2 times
  Oct 23 18:14:20 off-fw1 /kernel: Connection attempt to TCP B.B.B.8:1615 from S.S.S.22:2300

This proves that the packets are getting accepted by default without the re-injection after decoding. B.B.B.8 is the IP address of the firewall, the endpoint of the VPN IPSEC/ESP tunnel and the address to which traffic from the client network is NATted. The same setup works fine on the 4.2 system.

My understanding of the packet flow process is:

  INet -> packet received with ESP -> passed through IP firewall ruleset
       -> packet matching IPSEC SP
          -> YES - decrypt and re-inject
          -> NO  - is it ipsec -> yes discard -> no re-inject
       -> re-injected packets passed through ipfirewall again
       -> ipfw passes packets off to NAT and things WORK :>>

With 4.4 the process should work as above; however, the packet appears to be accepted by the host as soon as it has been decrypted.

I have checked the sysctls for ipsec, and they are the same, except for the addition of the following one on the 4.4 box (which is undocumented??):

  net.inet.ipsec.esp_randpad: -1

Full sysctl output from the 4.4 box is:

  bash-2.05# sysctl -a | grep ipsec
  net.inet.ipsec.def_policy: 1
  net.inet.ipsec.esp_trans_deflev: 1
  net.inet.ipsec.esp_net_deflev: 1
  net.inet.ipsec.ah_trans_deflev: 1
  net.inet.ipsec.ah_net_deflev: 1
  net.inet.ipsec.ah_cleartos: 1
  net.inet.ipsec.ah_offsetmask: 0
  net.inet.ipsec.dfbit: 0
  net.inet.ipsec.ecn: 0
  net.inet.ipsec.debug: 1
  net.inet.ipsec.esp_randpad: -1

NAT is operating fine for all the connections NOT going through the IPSEC encapsulation.

My thinking is that this is a bug in the IPSEC ESP handling in the version of the KAME stack integrated into 4.4? Has anyone got similar problems, or suggestions for a fix?

Barry
--
Barry Irwin
Systems Administrator (Networks and Security)
Itouch Labs
bvi @ itouchlabs.com

From owner-freebsd-ipfw Tue Oct 23 3:41:34 2001
From: Shoichi Sakane
To: bvi@itouchlabs.com
To: snap-users@kame.net, ipfw@freebsd.org
Date: Tue, 23 Oct 2001 19:41:23 +0900
Subject: Re: (KAME-snap 5576) IPFW/IPSEC/NAT interaction issues with 4.4
In-Reply-To: Your message of "Tue, 23 Oct 2001 10:45:22 +0200" <20011023104522.E87507@itouchlabs.com>
Message-Id: <20011023194123V.sakane@kame.net>

> I'm hoping someone here can shed some light on a problem I came across this
> morning. I have two VPN gateways connected to Cisco VPN concentrators.
> These are running FreeBSD 4.2-RELEASE and 4.4-RELEASE. The 4.2-based
> gateway has been functioning without hassles for a while now. However, when
> I configured the 4.4-based system this morning, I ran into the problem that
> the IP packets seem to not be being re-injected into the firewall ruleset
> after the ESP decapsulation. The firewall rulesets are identical between
> the systems. This re-injection is necessary for me to be able to then
> place the packet into a divert socket feeding natd, and from there onto the
> client machines behind the VPN gateway.

How was the difference in the output of "netstat" before an encrypted packet arrived at the FreeBSD VPN box, and after the packet went away somewhere? I have a report that "unknown/unsupported protocol" in the ipsec section of "netstat" is counted.

From owner-freebsd-ipfw Tue Oct 23 3:57:09 2001
From: Shoichi Sakane
To: bvi@itouchlabs.com
Cc: snap-users@kame.net, ipfw@freebsd.org
Date: Tue, 23 Oct 2001 19:57:04 +0900
Subject: Re: (KAME-snap 5578) Re: IPFW/IPSEC/NAT interaction issues with 4.4
In-Reply-To: Your message of "Tue, 23 Oct 2001 19:41:23 +0900" <20011023194123V.sakane@kame.net>
Message-Id: <20011023195704M.sakane@kame.net>

> How was the difference in the output of "netstat" before an encrypted
> packet arrived at the FreeBSD VPN box, and after the packet went away
> somewhere?
> I have a report that "unknown/unsupported protocol" in the ipsec section of
> "netstat" is counted.

Oops, sorry, this is not in the "ipsec" section. This is the "ip" section. To make sure, use "netstat -s", because other values may be counted up.
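The two diagnostics this thread turns on, as an added shell example that is not part of any message above: Barry's check of the ipfw rule counters (a deny rule that should see the decrypted traffic but stays at zero hits shows the packets are not passing the ruleset after decapsulation) and Sakane's suggestion to compare the "unknown/unsupported protocol" counter in the ip section of netstat -s before and after an ESP packet arrives. The ipfw show and netstat -s outputs embedded here are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Parses constructed copies of
# `ipfw show` and `netstat -s` output; on a real box capture them with
#   ipfw show > rules.txt ; netstat -s > before.txt ; ... ; netstat -s > after.txt

# Constructed sample: the thread's ruleset with made-up counters.
IPFW_SHOW='00040 14 1288 allow udp from any 500 to any 500
00045 9 896 allow esp from any to any
00046 0 0 deny ip from 203.20.35.0/24 to any
65535 312 40102 allow ip from any to any'

# Constructed samples of the "ip:" section of netstat -s, captured
# before and after traffic was sent through the tunnel.
NETSTAT_BEFORE='ip:
        1203 total packets received
        0 bad header checksums
        3 packets for unknown/unsupported protocol
        17 packets forwarded'
NETSTAT_AFTER='ip:
        1247 total packets received
        0 bad header checksums
        12 packets for unknown/unsupported protocol
        17 packets forwarded'

# zero_hit_rules OUTPUT: print the number of every rule whose packet
# counter (2nd column of `ipfw show`) is 0.  Rule 46 landing here while
# decrypted traffic is clearly reaching the host is Barry's symptom.
zero_hit_rules() {
    printf '%s\n' "$1" | awk '$2 == 0 { print $1 }'
}

# unknown_proto_count OUTPUT: the "unknown/unsupported protocol" counter
# from one netstat -s capture.
unknown_proto_count() {
    printf '%s\n' "$1" |
        awk '/packets for unknown\/unsupported protocol/ { print $1; exit }'
}

# unknown_proto_delta BEFORE AFTER: how much that counter rose between
# the two captures.  A rise that tracks the tunnel traffic is the
# increment Sakane asks about.
unknown_proto_delta() {
    before=$(unknown_proto_count "$1")
    after=$(unknown_proto_count "$2")
    echo $((after - before))
}

echo "rules with zero hits: $(zero_hit_rules "$IPFW_SHOW")"
echo "unknown-protocol delta: $(unknown_proto_delta "$NETSTAT_BEFORE" "$NETSTAT_AFTER")"
```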