ipfw blocks ipsec tunnel - Please Help.
- From: swun2010@xxxxxxxxx
- Date: Fri, 31 Aug 2007 00:23:08 -0000
Hi,
I have tried everything I can think of to enable ipfw for the ipsec tunnel, but I still
can't get it working.
The ipsec/vpn script I use is shown as follows:
belmore# cat /vpn.conf
#!/bin/sh
# Tunnel to CORE
LOCAL_OUTSIDE=124.xx.xx.xx
REMOTE_OUTSIDE=123.xx.xx.xx
/sbin/ifconfig lo0 alias 10.1.4.1 netmask 255.255.255.0
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel $LOCAL_OUTSIDE $REMOTE_OUTSIDE
sleep 1
/sbin/ifconfig gif0 inet 10.1.4.1 10.1.1.1 netmask 255.255.255.0
/usr/local/sbin/setkey -FP
/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -c <<EOF
spdadd 123.xx.xx.xx 124.xx.xx.xx any -P in ipsec esp/tunnel/123.xx.xx.xx-124.xx.xx.xx/require ;
spdadd 124.xx.xx.xx 123.xx.xx.xx any -P out ipsec esp/tunnel/124.xx.xx.xx-123.xx.xx.xx/require ;
# incoming
add 123.xx.xx.xx 124.xx.xx.xx esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
# going out
add 124.xx.xx.xx 123.xx.xx.xx esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
EOF
The IPFW rules I am running are:
belmore# ipfw list
00001 allow udp from 123.xx.xx.xx to 124.xx.xx.xx dst-port 500
00001 allow udp from 124.xx.xx.xx to 123.xx.xx.xx dst-port 500
00002 allow ip from any to any via rl1
00003 allow ip from any to any via lo0
00004 allow ip from any to any via gif0
00100 divert 8668 ip from any to any in via tun0
00101 check-state
00125 skipto 500 tcp from any to any dst-port 22,25,37,43,53,80,443,110,119,143,500 out via tun0 setup keep-state
00130 skipto 500 icmp from any to any out via tun0 keep-state
00135 skipto 500 udp from any to any out via tun0 keep-state
00140 skipto 500 esp from any to any out keep-state
00145 skipto 500 ipencap from any to any out keep-state
00150 skipto 500 tcp from any to any dst-port 22-60000 out keep-state
00160 skipto 500 udp from any to any dst-port 22-60000 out keep-state
00170 skipto 500 udp from any to any dst-port 500
00301 deny ip from 172.16.0.0/12 to any in via tun0
00303 deny ip from 127.0.0.0/8 to any in via tun0
00304 deny ip from 0.0.0.0/8 to any in via tun0
00305 deny ip from 169.254.0.0/16 to any in via tun0
00306 deny ip from 192.0.2.0/24 to any in via tun0
00307 deny ip from 204.152.64.0/23 to any in via tun0
00308 deny ip from 224.0.0.0/3 to any in via tun0
00400 allow udp from any to any dst-port 53 in keep-state
00410 allow tcp from any to any dst-port 22 in keep-state
00411 allow udp from any to any dst-port 1024-60000 in keep-state
00412 allow tcp from any to any dst-port 1024-60000 in keep-state
00420 allow tcp from any to any dst-port 80 in via tun0 setup limit src-addr 1
00430 allow esp from any to any in keep-state
00440 allow ipencap from any to any in keep-state
00450 allow udp from any to any dst-port 500
00460 deny log ip from any to any
00500 divert 8668 ip from any to any out via tun0
00510 allow ip from any to any
65535 allow ip from any to any
belmore#
If I remove the rules and leave only the default rule 65535, I can
ping the remote internal IP 10.1.1.1. With the firewall on, pinging
the remote IP 10.1.1.1 results in no response (just no message; it doesn't
return to the unix prompt immediately, as if ping is waiting for
something). There is no log message written to the ipfw.log file
either. I don't know whether it is natd that breaks it.
Here is what I got in the rc.conf:
natd_program="/sbin/natd"
natd_enable="yes"
natd_interface="tun0" # interface name of public Internet NIC
natd_flags="-dynamic -m" # -m = preserve port numbers if possible
firewall_enable="yes"
firewall_script="/etc/ipfw.rules-4b"
firewall_logging="YES"
firewall_type="open"
Can anyone shed some light on this, please?
I would very much appreciate your help.
Thanks
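As an added example (not part of the post or of any FreeBSD tool), the script below walks a constructed copy of part of the ruleset above in first-match order and reports which rule terminates each leg of the tunnel: the outgoing ESP, the incoming ESP, and the inner ping on gif0. The masked octets are replaced by the stand-ins 198.51.100.1 (LOCAL_OUTSIDE) and 203.0.113.1 (REMOTE_OUTSIDE); the model ignores dynamic (keep-state) rules and assumes natd hands a diverted packet back unchanged, so the full `ipfw list` output can be pasted into RULESET to audit it the same way.

```python
import ipaddress
# Constructed copy of part of the post's ruleset; masked octets replaced by 198.51.100.1 (LOCAL_OUTSIDE) and 203.0.113.1 (REMOTE_OUTSIDE).
RULESET = """
00004 allow ip from any to any via gif0
00100 divert 8668 ip from any to any in via tun0
00101 check-state
00140 skipto 500 esp from any to any out keep-state
00303 deny ip from 127.0.0.0/8 to any in via tun0
00430 allow esp from any to any in keep-state
00460 deny log ip from any to any
00500 divert 8668 ip from any to any out via tun0
00510 allow ip from any to any
"""

def parse(text):
    rules = []
    for line in text.strip().splitlines():  # "<num> <action> [arg] <proto> from <src> to <dst> [options]"
        t = line.split()
        r = {"num": int(t[0]), "action": t[1], "dir": None, "via": None, "ports": []}
        i = 3 if t[1] in ("skipto", "divert") or t[2:3] == ["log"] else 2  # skip the action's argument
        r["arg"] = int(t[2]) if t[1] == "skipto" else None
        if t[1] != "check-state":
            r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]
            for k, tok in enumerate(t[i + 5:], i + 5):
                if tok in ("in", "out"): r["dir"] = tok
                elif tok == "via": r["via"] = t[k + 1]  # 'via' matches the interface in either direction
                elif tok == "dst-port": r["ports"] = t[k + 1].split(",")
        rules.append(r)
    return rules

def matches(r, pkt):
    net = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)
    port = lambda d: not r["ports"] or any(int(p.split("-")[0]) <= d <= int(p.split("-")[-1]) for p in r["ports"])
    return (r["action"] != "check-state" and r["proto"] in ("ip", pkt["proto"])
            and net(r["src"], pkt["src"]) and net(r["dst"], pkt["dst"]) and r["dir"] in (None, pkt["dir"])
            and r["via"] in (None, pkt["iface"]) and port(pkt.get("dport", 0)))

def walk(rules, pkt):
    """First-match walk returning (verdict, rule number, rules hit). Dynamic rules are ignored, and a
    divert is modelled as natd handing the packet back unchanged so processing resumes at the next rule."""
    path, i = [], 0
    while i < len(rules):
        r, i = rules[i], i + 1
        if matches(r, pkt):
            path.append(r["num"])
            if r["action"] in ("allow", "deny"):
                return r["action"], r["num"], path
            if r["action"] == "skipto":  # continue at the first rule numbered >= the target
                i = next((j for j, x in enumerate(rules) if x["num"] >= r["arg"]), len(rules))
    return "allow", 65535, path  # fell through to the default rule
```

Note that under this model both ESP legs pass through a natd divert rule (100 inbound, 500 outbound via the skipto at 140) before being allowed, which is the first thing to confirm with `ipfw -a list` counters and natd -v output on the real box.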