From: "Peter Blok" <peter.blok@bsd4all.org>
To: "Nerius Landys"
Date: Thu, 14 Feb 2008 22:02:01 +0100
Subject: RE: PF firewall NAT and Windows IPSEC tunnel
In-Reply-To: <560f92640802140959u69cce9dbuef5c59738a946685@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

I have been using this combination for a long time. Since the VPN client initiates the VPN connection, I have only provided NAT directives going out.

    nat pass on $ext_if proto { tcp, udp } from any to port { isakmp } -> ($ext_if:0) static-port
    nat pass on $ext_if proto { udp } from any to port { 10000 } -> ($ext_if:0) static-port
    nat pass on $ext_if proto { tcp } from any to port { 4005 } -> ($ext_if:0)
    nat pass on $ext_if proto { esp } from any to -> ($ext_if:0)

I think the static-port was doing the trick in my case.

BTW, I think the "nat pass" will only work in FreeBSD-7. For FreeBSD-6 you have to split this up into two lines, one nat and one pass.

Peter

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Nerius Landys
Sent: Thursday, February 14, 2008 7:00 PM
To: freebsd-net@freebsd.org
Subject: PF firewall NAT and Windows IPSEC tunnel

Howdy folks. I have several computers behind a FreeBSD router (NAT 192.168.0.x using OpenBSD's PF). One of those computers is a Windows machine which is using software called "Cisco Systems VPN Client" to connect to some other computers outside of our internal network. Our FreeBSD router's connection to the outside world is DHCP via cable modem.

I can connect the Windows machine directly to the cable modem, bypassing the FreeBSD router entirely; the VPN works fine in this case. However, when I try going through the FreeBSD router I get dropped VPN connections after four to eight minutes; the VPN works fine only when it first connects and for five minutes thereafter.

    Secure VPN Connection terminated locally by the client.
    Reason 412: The remote peer is no longer responding.

We contacted the administrator on the other side and he said to do the following:

    The following ports should be allowed through the local firewall:
    UDP port 500, port 10000
    ESP all ports
    AH all ports

I'm not quite sure what this means. My original /etc/pf.conf:

    ext_if="fxp0"
    int_if="fxp3"
    internal_net="192.168.0.0/24"

    nat on $ext_if from $internal_net to any -> ($ext_if)

and I added these three lines in trying to follow the administrator's instructions (the Windows machine is 192.168.0.3):

    rdr on $ext_if proto udp from any to ($ext_if) port {500,10000} -> 192.168.0.3
    rdr on $ext_if proto esp from any to ($ext_if) -> 192.168.0.3
    rdr on $ext_if proto ah from any to ($ext_if) -> 192.168.0.3

But the VPN connections still get dropped after five minutes. Any ideas?

I'm also running a bridge between several network interfaces. My /etc/sysctl.conf looks like this:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=em0,em1,fxp1,fxp2,fxp3

The interesting lines from /etc/rc.conf are:

    ifconfig_fxp0="DHCP"
    ifconfig_fxp3="inet 192.168.0.254 netmask 255.255.255.0"

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
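The following /etc/pf.conf fragment is an added example, not the configuration of either poster, written to show what the thread's advice looks like in the split "nat" plus "pass" form that Peter says FreeBSD-6 requires. It assumes the interface names from Nerius's post, a constructed gateway address (203.0.113.10, a documentation-range placeholder) and the macro names $vpn_client and $vpn_gw, none of which are on the page. It translates only the one client's IKE (UDP 500), UDP 10000 and ESP traffic towards the one gateway, keeps the source ports with static-port, and relies on state tracking instead of the inbound rdr rules, so nothing on the client is reachable from arbitrary Internet hosts.

```pf
# Added example for a FreeBSD 6 pf router: one internal Cisco VPN client
# reaching one remote IPsec gateway through NAT. Not taken from the thread.
# Addresses and the vpn_* macro names are constructed placeholders.
ext_if="fxp0"
int_if="fxp3"
internal_net="192.168.0.0/24"
vpn_client="192.168.0.3"      # the Windows machine running the VPN client
vpn_gw="203.0.113.10"         # constructed placeholder for the remote IPsec gateway

# Translation rules: pf applies the FIRST matching nat rule, so the specific
# VPN rules must come before the general one for the whole internal net.
# static-port keeps UDP 500 (isakmp) and UDP 10000 as the source port; by
# default pf would rewrite the source port to a random high port, which IKE
# peers expecting ISAKMP on port 500 may not accept.
nat on $ext_if proto udp from $vpn_client to $vpn_gw port { isakmp, 10000 } \
    -> ($ext_if) static-port
# ESP carries no ports, so pf keys the translation on addresses and protocol.
# AH is deliberately not translated: it authenticates the outer IP header,
# so any NAT rewrite of the source address invalidates it anyway.
nat on $ext_if proto esp from $vpn_client to $vpn_gw -> ($ext_if)
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filter rules: the client initiates every exchange, so only outbound rules
# are needed. "keep state" is spelled out because it is not the default on
# FreeBSD 6; the state entry lets the gateway's replies back in without an
# inbound rdr rule that would expose the client to the whole Internet.
pass out on $ext_if proto udp from any to $vpn_gw port { isakmp, 10000 } keep state
pass out on $ext_if proto esp from any to $vpn_gw keep state
```

Parse-check the file without loading it with "pfctl -nf /etc/pf.conf", load it with "pfctl -f /etc/pf.conf", and then watch "pfctl -ss" while the tunnel is up: the UDP 500 state should show the same source port on both sides of the translation, and an ESP state to the gateway should appear once phase 2 completes. If the ESP state is missing, the client is probably using UDP 10000 encapsulation instead, which the rules above also cover.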