Re: how to configure a FreeBSD firewall to pass IPSec?

From: Chris Kesler (chris_at_pconline.com)
Date: 05/01/03

    Date: Wed, 30 Apr 2003 17:34:32 -0500 (CDT)
    To: freebsd-security@freebsd.org
    
    

    Guy Middleton wrote:
    >
    > I have a FreeBSD box acting as a firewall and NAT gateway
    >
    > I would like to set it up to transparently pass IPSec packets -- I have
    > an IPSec VPN client running on another machine, connecting to a remote network.
    >
    > Is there a way to do this? I can't find any hints in the man pages.
    >
    > ------------------------------

    Guy,

    I do this on my FreeBSD firewall, using IPF and IPNAT. I have Nortel's
    Extranet Access Client on a PC. I use it to connect to a Nortel Contivity
    VPN switch at work. I figured that, if any off-the-shelf broadband router
    can do it, then I should be able to do it. It took some time and patience
    and a lot of packet captures, but I got it.

    There are two types of traffic that you must allow to pass through.
    ISAKMP, which is UDP port 500. And ESP, which is IP protocol 50. I'm not
    sure if the following is true for all IPSec implementations, but in my
    case, the VPN switch at the office would drop the ISAKMP packet unless it
    was both sourced and destined for UDP 500.

    After I added these two rules to my /etc/ipnat.rules file, I have been able to
    connect to my work via VPN.
    ###################################
    # For VPN key exchange, must be UDP 500 for both source and destination
    ###################################
    map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

    ###################################
    # Catchall for non-TCP and non-UDP, i.e. ICMP, and ESP for VPN
    ###################################
    map xl0 192.168.1.0/24 -> 0/32

    Of course, you'll have to allow both these types of traffic into your private
    LAN. In my case, I did not require additional rules in my ipf.rules file,
    because I already allow all Internet bound traffic from my private LAN to go
    out. And the return traffic is allowed in, thanks to the "keep state" feature
    of IPFilter.

    Good luck!

    -Chris

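Added example, not from Chris's post: a tighter ipf.rules/ipnat.rules pair for a firewall that does not already pass all outbound LAN traffic, so only the two traffic types named above (ISAKMP on UDP 500 and ESP, IP protocol 50) are opened for the VPN client. Interface names (xl0 external, xl1 private LAN) and the 192.168.1.0/24 LAN are assumed to match the post.

```conf
# ---- /etc/ipf.rules (IPFilter 3.x syntax; assumed interfaces: xl0 = Internet, xl1 = LAN)

# Default deny on the external interface; "quick" rules below short-circuit this
block in  on xl0 all
block out on xl0 all

# ISAKMP key exchange: the remote VPN switch expects UDP 500 as BOTH source and
# destination, so the rule pins both ports. "keep state" admits the replies
# (also 500 -> 500) without a separate inbound pass rule.
pass out quick on xl0 proto udp from any port = 500 to any port = 500 keep state

# ESP (IP protocol 50) carries the tunnel itself. It has no ports, so state is
# tracked on the address pair only.
pass out quick on xl0 proto esp from any to any keep state

# Anything else that leaves xl0 is dropped by the block rules above.
# Inbound on xl0 is only what matching state entries let back in.

# ---- /etc/ipnat.rules

# Keep the ISAKMP rule FIRST: ipnat uses the first matching map rule, and this
# one guarantees the source port stays 500 on the way out.
map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

# Catch-all for non-TCP/UDP traffic (ICMP, ESP). With no ports to translate,
# ipnat keys the NAT entry on addresses only. Caveat (general IPFilter
# behaviour, not from the post): that means only one LAN host at a time can
# run an ESP tunnel to the same remote gateway through this NAT.
map xl0 192.168.1.0/24 -> 0/32
```

Reload with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then watch `ipfstat -s`/`ipnat -l` while the client connects to confirm the UDP 500 and ESP state entries appear.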

