Date:      Thu, 29 Nov 2001 09:34:57 -0500 (EST)
From:      Scott Nolde <scott@smnolde.com>
To:        "H. Wade Minter" <minter@lunenburg.org>
Cc:        <questions@FreeBSD.ORG>
Subject:   Re: Allowing IPSec through FreeBSD/ipfw gateway
Message-ID:  <20011129093152.P95091-100000@bsd.smnolde.com>
In-Reply-To: <20011129083512.K23116-100000@bunning.skiltech.com>

Make your rules simpler without degrading the effectiveness of your
firewall.  I run natd on my firewall, but have these rules in place before
the divert statement:

ipfw allow ip from any to ${VPN}
ipfw allow ip from ${VPN} to any

where ${VPN} is the other endpoint of the VPN server.

Try that and then get a little tighter once you sniff the traffic more.

- Scott

smacked into the keyboard previously by owner-freebsd-questions@FreeBSD.ORG:

 >Date: Thu, 29 Nov 2001 08:49:07 -0500 (EST)
 >From: H. Wade Minter <minter@lunenburg.org>
 >To: questions@FreeBSD.ORG
 >Subject: Allowing IPSec through FreeBSD/ipfw gateway
 >
 >Hello,
 >
 >I'm trying to connect two Linux FreeS/WAN IPSec machines together.  One
 >lives out on the internet "at large", the other one is at my home on my
 >private subnet, behind a RELENG_4 firewall using ipfw.
 >
 >My attempt at IPSec rules is:
 >     # Attempt to allow IPSec
 >     $fwcmd add allow udp from any to any in
 >     $fwcmd add allow udp from any to any out
 >     $fwcmd add allow tcp from any to any 500 in recv $extdev
 >     $fwcmd add allow tcp from any to any 500 out recv $intdev
 >     $fwcmd add allow log esp from any to xxx.xxx.xxx.xxx out
 >     $fwcmd add allow log esp from xxx.xxx.xxx.xxx to any in
 >     $fwcmd add allow ah from any to xxx.xxx.xxx.xxx
 >     $fwcmd add allow ah from xxx.xxx.xxx.xxx to any
 >
 >Where xxx.xxx.xxx.xxx is the remote IPSec machine.  These rules ALMOST
 >work.  When I start the Linux IPSec, I see:
 >
 >[root@greenbay root]# ipsec auto --up ncwise-minter
 >104 "ncwise-minter" #1: STATE_MAIN_I1: initiate
 >106 "ncwise-minter" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2,
 >expecting MR2
 >108 "ncwise-minter" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3,
 >expecting MR3
 >004 "ncwise-minter" #1: STATE_MAIN_I4: ISAKMP SA established
 >112 "ncwise-minter" #2: STATE_QUICK_I1: initiate
 >
 >And it hangs there.  There's obviously one bit of traffic I'm not allowing
 >back through.  Here's a tcpdump on the local end:
 >
 >08:41:46.810515 xxx.xxx.xxx.xxx.isakmp > greenbay.lunenburg.org.isakmp:
 >isakmp: phase 1 R ident: [|sa] (DF)
 >08:41:46.822671 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
 >isakmp: phase 1 I ident: [|ke] (DF)
 >08:41:46.835754 courthouse.lunenburg.org.domain >
 >greenbay.lunenburg.org.32770:  55960 NXDomain* 0/1/0 (116)
 >08:41:47.056608 xxx.xxx.xxx.xxx.isakmp > greenbay.lunenburg.org.isakmp:
 >isakmp: phase 1 R ident: [|ke] (DF)
 >08:41:47.147461 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
 >isakmp: phase 1 I ident[E]: [|id] (DF)
 >08:41:47.562387 xxx.xxx.xxx.xxx.isakmp > greenbay.lunenburg.org.isakmp:
 >isakmp: phase 1 R ident[E]: [|id] (DF)
 >08:41:47.578860 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
 >isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
 >08:41:57.572463 greenbay.lunenburg.org.isakmp > xxx.xxx.xxx.xxx.isakmp:
 >isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
 >
 >If anyone can point out the last little bit I need, I'd appreciate it!
 >
 >--Wade
 >
 >--
 >Do your part in the fight against injustice.
 >Free Dmitry Sklyarov!  http://www.freesklyarov.org/
 >Fight the DMCA!  http://www.anti-dmca.org/
 >
 >
 >
 >To Unsubscribe: send mail to majordomo@FreeBSD.org
 >with "unsubscribe freebsd-questions" in the body of the message
 >

Scott Nolde
GPG Key 0xD869AB48
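As an added illustration (not code from this thread or from FreeBSD), a small Python model of ipfw's first-match evaluation for the rule subset the two messages use, so the ordering of the VPN allow rules relative to the natd divert rule can be checked offline. The peer and gateway addresses are constructed placeholders, and the `via`/`recv` interface qualifiers are not modeled.

```python
# Added example: minimal first-match model of the ipfw rule subset used in
# this thread.  Modeled keywords: allow/deny/divert, ip/udp/tcp/esp/ah,
# from/to, an optional destination port and in/out; log/via/recv are ignored.

VPN_PEER = "192.0.2.10"  # constructed placeholder for the remote IPsec endpoint
DEFAULT_ACTION = "deny"  # ipfw's built-in rule 65535 on a default-to-deny kernel

def parse_rule(line):
    """Turn one ipfw rule into a dict; a leading 'add' and rule number are skipped."""
    toks = [t for t in line.split() if t != "log"]
    while toks[0] == "add" or toks[0].isdigit():
        toks.pop(0)
    action = toks.pop(0)
    if action == "divert":
        toks.pop(0)  # the divert port name, e.g. "natd"
    proto, src, dst = toks[0], toks[2], toks[4]
    assert toks[1] == "from" and toks[3] == "to", line
    rest = toks[5:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    direction = rest[0] if rest else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "dir": direction}

def matches(rule, pkt):
    """Protocol 'ip' and address 'any' are wildcards; anything else must match exactly."""
    return ((rule["proto"] == "ip" or rule["proto"] == pkt["proto"])
            and rule["src"] in ("any", pkt["src"])
            and rule["dst"] in ("any", pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport"))
            and (rule["dir"] is None or rule["dir"] == pkt["dir"]))

def first_match(ruleset, pkt):
    """ipfw semantics: the first matching rule decides, the default rule catches the rest."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule["action"]
    return DEFAULT_ACTION

# Scott's layout: the two VPN allow rules sit before the natd divert rule.
GATEWAY_RULES = [parse_rule(r) for r in (
    "allow ip from any to " + VPN_PEER,
    "allow ip from " + VPN_PEER + " to any",
    "divert natd ip from any to any",
)]

# Constructed packets: IKE (UDP 500) and ESP from the peer, and ESP from a stranger.
IKE_FROM_PEER = {"proto": "udp", "src": VPN_PEER, "dst": "198.51.100.1", "dport": 500, "dir": "in"}
ESP_FROM_PEER = {"proto": "esp", "src": VPN_PEER, "dst": "198.51.100.1", "dir": "in"}
ESP_FROM_OTHER = {"proto": "esp", "src": "203.0.113.7", "dst": "198.51.100.1", "dir": "in"}
```

Feeding the same packets to a ruleset whose only port-500 rule says `tcp` shows why IKE, which runs over UDP 500, never matches it.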

