Re: ipfw, NAT and CISCO IPSec VPNs
I've got a pretty standard network which uses a FreeBSD server to perform
NAT between my internal IPs (192.168.0.x) and the outside world.  Everything
is working tickety-boo, but I'm trying to tweak my firewall rules (ipfw,
based on the 'SsIiMmPpLlEe' firewall template in rc.firewall) to allow a
CISCO IPSec-based VPN client on a local machine to connect to a remote
server (tunnel).

tcpdump shows that the client attempts to send packets to the remote VPN
server on port 500 (isakmp) as you'd expect, but it's not getting any
packets back and so the connection fails.

The following suggests that you can solve the problem by not changing the
source port of the NATed packets, but gives a sample using pf:

http://lists.freebsd.org/pipermail/freebsd-net/2005-October/008749.html

Other posts I've read say you can simply forward packets from the remote VPN
server to the machine running the VPN client, but (needless to say) I
haven't been able to get this to work:

http://groups.google.com/group/comp.unix.bsd/browse_thread/thread/85d775a73e352aa5/f62e6b0d67b2d576

Any suggestions from people who have done similar before?

I'm very surprised that you wrote this email because I stayed up most
of the night yesterday to fix a similar problem.

I was running a NAT using the OpenBSD pf firewall on my FreeBSD 7.1
router. Yeah, everything was working fine just like in your case.
One of the people at home (from within 192.168.0.x) is using Cisco
VPN Client to do some IPSec/UDP something or other (I don't know too
much about this, frankly) and the connection kept timing out after 5
minutes. I tried just about every permutation of pf rules, from the
very simple and minimalistic to the more elaborate. Nothing worked,
still timed out after 5 minutes. I then did a sanity check and
connected a simple Linksys router device to replace my FreeBSD router
with the Linksys (direct replacement, same network configs). The
Linksys did not cause the timeout issue. So I figured the FreeBSD
router was the culprit.

I then tried to do away with OpenBSD's pf, and I tried IPFILTER (IPF)
Firewall. I created a one-liner rule in /etc/ipnat.rules:

map fxp4 192.168.0.0/24 -> 0/32

and I didn't even enable ipfilter in /etc/rc.conf, only ipnat. This
was my minimalist test to see if perhaps pf was somehow to blame.

It turns out that with IPFILTER all works well. So, I guess I'm
sticking with IPFILTER.
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
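The ipfw side of the original question, written out as an added example (this is not from either poster, and not the FreeBSD project's rc.firewall): the natd flag that keeps the client's UDP 500 source port intact, which is the "don't change the source port" idea in the linked freebsd-net post, plus the allow rules for ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP that the 'simple' template lacks. The outside interface fxp0 and the LAN 192.168.0.0/24 are assumptions; natd via a divert rule is assumed because that is how rc.firewall's 'simple' ruleset does NAT. It prints the ipfw commands by default and only loads them when IPFW=ipfw is set.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw + natd rules that let a Cisco
# IPsec client on the LAN reach a remote VPN gateway through NAT.
# Assumptions (not stated in the thread): outside interface fxp0, LAN
# 192.168.0.0/24, NAT done by natd through a divert rule as in the
# rc.firewall 'simple' template. Dry run unless IPFW=ipfw is set.
OIF="${OIF:-fxp0}"
LAN="${LAN:-192.168.0.0/24}"
IPFW="${IPFW:-echo ipfw}"    # IPFW=ipfw to really load the rules (root)

# natd flags. -same_ports asks natd to keep the client's source port when
# it can, so ISAKMP leaves the box as 500 -> 500 rather than e.g.
# 61234 -> 500. Many IKE peers only answer 500 -> 500, which is why the
# client sees no replies when the port is rewritten. -unregistered_only
# limits translation to private (RFC 1918) source addresses.
natd_flags() {
    printf '%s\n' "-interface $OIF -same_ports -unregistered_only"
}

# ipfw rules, one per line, in the order they must appear: the divert
# rule has to run before the allow rules so that outbound packets are
# already translated and inbound packets already un-translated when the
# allow rules look at them. No "via" on the allow rules: a forwarded
# packet is checked once on the inside interface and once on the outside
# one and must pass both times, and on the outside pass its source is
# the public address, not $LAN, so address-scoped rules would not match.
# Plain ESP (proto 50) carries no port, so natd can pass it to at most
# one inside client at a time; NAT-T on UDP 4500 is what makes several
# clients behind one NAT work.
vpn_passthrough_rules() {
    cat <<EOF
add 200 divert natd ip from any to any via $OIF
add 300 allow udp from any to any 500
add 301 allow udp from any 500 to any
add 310 allow udp from any to any 4500
add 311 allow udp from any 4500 to any
add 320 allow esp from any to any out via $OIF
add 321 allow esp from any to any in via $OIF
EOF
}

# Load (or, by default, just print) the rules one ipfw invocation each.
apply_rules() {
    vpn_passthrough_rules | while read -r rule; do
        $IPFW $rule
    done
}

echo "# natd $(natd_flags)"
apply_rules
```

The natd flags go into rc.conf as natd_flags="-same_ports -unregistered_only" alongside natd_interface="fxp0" (the interface comes from natd_interface there); the rule numbers 200 and 300-321 are placeholders chosen to sit just after the anti-spoofing rules of the 'simple' ruleset and before its final deny, so renumber them to fit the rules already in place. The "add 301" and "add 311" return rules match on the remote side's source port only, so they still work when natd could not keep the client's port.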