Re: how to configure a FreeBSD firewall to pass IPSec?

From: Chris Kesler (chris_at_pconline.com)
Date: 05/01/03

    Date: Wed, 30 Apr 2003 17:34:32 -0500 (CDT)
    To: freebsd-security@freebsd.org
    
    

    Guy Middleton wrote:
    >
    > I have a FreeBSD box acting as a firewall and NAT gateway
    >
    > I would like to set it up to transparently pass IPSec packets -- I have
    > an IPSec VPN client running on another machine, connecting to a remote network.
    >
    > Is there a way to do this? I can't find any hints in the man pages.
    >
    > ------------------------------

    Guy,

    I do this on my FreeBSD firewall, using IPF and IPNAT. I have Nortel's
    Extranet Access Client on a PC. I use it to connect to a Nortel Contivity
    VPN switch at work. I figured that, if any off-the-shelf broadband router
    can do it, then I should be able to do it. It took some time and patience
    and a lot of packet captures, but I got it.

    There are two types of traffic that you must allow to pass through:
    ISAKMP, which is UDP port 500, and ESP, which is IP protocol 50. I'm not
    sure if the following is true for all IPSec implementations, but in my
    case, the VPN switch at the office would drop the ISAKMP packet unless it
    was both sourced and destined for UDP 500.

    After I added these two rules to my /etc/ipnat.rules file, I have been able to
    connect to my work via VPN.
    ###################################
    # For VPN key exchange, must be UDP 500 for both source and destination
    ###################################
    map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

    ###################################
    # Catchall for non-TCP and non-UDP, i.e. ICMP, and ESP for VPN
    ###################################
    map xl0 192.168.1.0/24 -> 0/32

    Of course, you'll have to allow both these types of traffic into your private
    LAN. In my case, I did not require additional rules in my ipf.rules file,
    because I already allow all Internet bound traffic from my private LAN to go
    out. And the return traffic is allowed in, thanks to the "keep state" feature
    of IPFilter.

    Good luck!

    -Chris

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
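As an added illustration (not part of Chris's post and not ipnat's own code), the following Python models which of the two map rules above an outbound packet would hit. It is a simplified first-match matcher on interface, source network, protocol and ports, not ipnat's real translation logic, and the packet values used in it are constructed.

```python
from ipaddress import ip_address, ip_network
import re

# IP protocol numbers and the one service name the rules use
UDP, TCP, ESP = 17, 6, 50
SERVICES = {"isakmp": 500}

# The two ipnat rules from the message, reproduced verbatim
IPNAT_RULES = """
map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32
map xl0 192.168.1.0/24 -> 0/32
"""

# Two rule shapes are supported: the "from ... port = ... to ... port = ..." form
# and the bare "map IF NET -> ADDR" catchall form (the mapped address is ignored here)
FULL = re.compile(r"^map (\S+) from (\S+) port = (\S+) to (\S+) port = (\S+) -> \S+$")
BARE = re.compile(r"^map (\S+) (\S+) -> \S+$")

def _port(name):
    return SERVICES.get(name) or int(name)

def _net(text):
    return None if text == "any" else ip_network(text, strict=False)

def parse_rules(text):
    """Return rule dicts in file order (ipnat applies the first matching map rule)."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if (m := FULL.match(line)):
            iface, src, sport, dst, dport = m.groups()
            rules.append({"iface": iface, "src": _net(src), "sport": _port(sport),
                          "dst": _net(dst), "dport": _port(dport)})
        elif (m := BARE.match(line)):
            iface, src = m.groups()
            rules.append({"iface": iface, "src": _net(src), "sport": None,
                          "dst": None, "dport": None})
        else:
            raise ValueError("unsupported rule: " + line)
    return rules

def matching_rule(rules, iface, src, dst, proto, sport=None, dport=None):
    """Index of the first rule an outbound packet hits, or None if nothing matches."""
    for i, r in enumerate(rules):
        if r["iface"] != iface:
            continue
        if r["src"] is not None and ip_address(src) not in r["src"]:
            continue
        if r["dst"] is not None and ip_address(dst) not in r["dst"]:
            continue
        if r["sport"] is not None or r["dport"] is not None:
            # a port constraint can only be satisfied by a port-carrying protocol
            if proto not in (UDP, TCP) or r["sport"] != sport or r["dport"] != dport:
                continue
        return i
    return None
```

Running it shows that an ISAKMP packet only hits the first rule when both ports are 500; anything else from the LAN, ESP included, falls through to the catchall, and traffic not sourced from 192.168.1.0/24 on xl0 matches neither rule.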
