Date:      Thu, 14 Feb 2008 22:02:01 +0100
From:      "Peter Blok" <peter.blok@bsd4all.org>
To:        "Nerius Landys" <nlandys@gmail.com>, <freebsd-net@freebsd.org>
Subject:   RE: PF firewall NAT and Windows IPSEC tunnel
Message-ID:  <FC126D427FFFE74988DAD93C091BF4A160F2@adexlinge10.LINGE10.local>
In-Reply-To: <560f92640802140959u69cce9dbuef5c59738a946685@mail.gmail.com>
References:  <560f92640802140959u69cce9dbuef5c59738a946685@mail.gmail.com>

I've been using this combination for a long time. Since the VPN client
initiates the VPN connection I have only provided NAT directives going
out.

nat pass on $ext_if proto { tcp, udp } from any to <vpn> port { isakmp } -> ($ext_if:0) static-port
nat pass on $ext_if proto { udp } from any to <vpn> port { 10000 } -> ($ext_if:0) static-port
nat pass on $ext_if proto { tcp } from any to <vpn> port { 4005 } -> ($ext_if:0)
nat pass on $ext_if proto { esp } from any to <vpn> -> ($ext_if:0)

I think the static-port was doing the trick in my case.

BTW I think the nat pass will only work in FreeBSD-7. For FreeBSD-6 you
have to split this up in two lines, one nat and one pass.

Peter


-----Original Message-----
From: owner-freebsd-net@freebsd.org
[mailto:owner-freebsd-net@freebsd.org] On Behalf Of Nerius Landys
Sent: Thursday, February 14, 2008 7:00 PM
To: freebsd-net@freebsd.org
Subject: PF firewall NAT and Windows IPSEC tunnel

Howdy folks.  I have several computers behind a FreeBSD router (NAT
192.168.0.x using OpenBSD's PF).  One of those computers is a Windows
machine which is using software called "Cisco Systems VPN Client" to
connect to some other computers outside of our internal network.  Our
FreeBSD router's connection to the outside world is DHCP via cable modem.
I can connect the Windows machine directly to the cable modem, bypassing
the FreeBSD router entirely; the VPN works fine in this case.  However,
when I try going through the FreeBSD router I get dropped VPN connections
after four to eight minutes; the VPN works fine only when it first
connects and for five minutes thereafter.

  Secure VPN Connection terminated locally by the client.
  Reason 412: The remote peer is no longer responding.

We contacted the administrator on the other side and he said to do the
following:

  The following ports should be allowed through the local firewall:
  UDP port 500, port 10000
  ESP all ports
  AH all ports


I'm not quite sure what this means.

My original /etc/pf.conf:

  ext_if="fxp0"
  int_if="fxp3"
  internal_net="192.168.0.0/24"
  nat on $ext_if from $internal_net to any -> ($ext_if)

and I added these three lines in trying to follow the administrator's
instructions (the Windows machine is 192.168.0.3):

  rdr on $ext_if proto udp from any to ($ext_if) port {500,10000} -> 192.168.0.3
  rdr on $ext_if proto esp from any to ($ext_if) -> 192.168.0.3
  rdr on $ext_if proto ah from any to ($ext_if) -> 192.168.0.3

But the VPN connections still get dropped after five minutes.  Any ideas?

I'm also running a bridge between several network interfaces.
My /etc/sysctl.conf looks like this:

  net.link.ether.bridge.enable=1
  net.link.ether.bridge.config=em0,em1,fxp1,fxp2,fxp3

The interesting lines from /etc/rc.conf are:

  ifconfig_fxp0="DHCP"
  ifconfig_fxp3="inet 192.168.0.254 netmask 255.255.255.0"
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

__________ Information from ESET NOD32 Antivirus, version of virus
signature database 2876 (20080214) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
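As an added example, not part of either message in this thread: a complete /etc/pf.conf that combines Peter's static-port NAT rules with Nerius's original outbound NAT, written in the FreeBSD 7 "nat pass" form Peter describes, with the FreeBSD 6 two-line (nat + pass) form shown in comments. The interface names and inside network follow Nerius's post; the VPN peer address 203.0.113.10 in the <vpn> table, and the filter rules at the end, are assumptions made for this illustration.

```pf
# Added example (not from the thread): NAT router letting one inside host
# run the Cisco VPN Client. Interface names and inside network are taken
# from Nerius's post; the <vpn> address is a placeholder assumption.
ext_if = "fxp0"
int_if = "fxp3"
internal_net = "192.168.0.0/24"

# Remote VPN gateway. 203.0.113.10 is a documentation address, assumed here.
table <vpn> const { 203.0.113.10 }

# Translation rules: first match wins, so the IPsec-specific rules must
# come before the catch-all NAT rule at the bottom.
#
# static-port makes pf keep the inside host's UDP source port instead of
# picking a fresh one, so the remote peer sees the same 500/10000 source
# port for the whole IKE session and its keepalives match what it learned.
# "nat pass" also skips the filter rules for the translated packet
# (FreeBSD 7 syntax, as Peter notes).
nat pass on $ext_if proto udp from $internal_net to <vpn> port 500 -> ($ext_if) static-port
nat pass on $ext_if proto udp from $internal_net to <vpn> port 10000 -> ($ext_if) static-port
nat pass on $ext_if proto esp from $internal_net to <vpn> -> ($ext_if)

# FreeBSD 6 form of the same thing, split into a nat and a pass rule each
# (uncomment these and drop the "pass" keyword above):
# nat on $ext_if proto udp from $internal_net to <vpn> port 500 -> ($ext_if) static-port
# pass out on $ext_if proto udp from $internal_net to <vpn> port 500 keep state
# nat on $ext_if proto udp from $internal_net to <vpn> port 10000 -> ($ext_if) static-port
# pass out on $ext_if proto udp from $internal_net to <vpn> port 10000 keep state
# nat on $ext_if proto esp from $internal_net to <vpn> -> ($ext_if)
# pass out on $ext_if proto esp from $internal_net to <vpn> keep state

# Everything else gets ordinary port-rewriting NAT (Nerius's original rule).
nat on $ext_if from $internal_net to any -> ($ext_if)

# Minimal stateful filter (assumed for the example). No rdr rules are
# needed: the client initiates outbound, and the return ESP and UDP
# packets match the states the nat rules created.
block in on $ext_if
pass out on $ext_if keep state
pass in on $int_if from $internal_net keep state
pass out on $int_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While the tunnel is up, `pfctl -ss` lists the states; for the UDP 500 and 10000 entries the translated source port should equal the inside host's own source port when static-port is in effect, whereas the catch-all rule would have rewritten it. If the tunnel still dies at a consistent interval, `pfctl -st` shows the current udp and "other" (ESP) state timeouts, which is the next thing worth comparing against the interval at which the client reports the peer gone.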


