Re: how to configure a FreeBSD firewall to pass IPSec?
From: V.M.Smith (vmsmith_at_grokking.org)
Date: 05/01/03
- Previous message: Chris Kesler: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Maybe in reply to: Tillman: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Next in thread: Guy Middleton: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Reply: Guy Middleton: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Reply: Guy Middleton: "Re: how to configure a FreeBSD firewall to pass IPSec?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: freebsd-security@freebsd.org
Date: 01 May 2003 07:29:04 -0400
Hi,
Looks like you just want client-side "pass-through" functionality. If
this is correct, try using ipf/ipnat and write a map proxy rule in
/etc/ipnat.rules.
I use this, assuming ipf/ipnat on a dual-homed gateway:
[NOTE: this should appear BEFORE other map entries.]
map <wan_interface> <internal_lan_address_range> -> 0/32 proxy port 500 ipsec/udp
Then make sure your /etc/ipf.rules have appropriate entries to support
it. I use these:
pass in quick on <lan_interface> proto 50 from any to any keep state
pass in quick on <lan_interface> proto udp from any port = 500 to any keep state
Try using tcpdump on the gateway to determine any additional needs
specific to your implementation and topology. Set aside some time and be
prepared to tinker...
Hope that helps,
VS
On Wed, 2003-04-30 at 15:00, freebsd-security-request@freebsd.org wrote:
> Send freebsd-security mailing list submissions to
> freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
> 1. how to configure a FreeBSD firewall to pass IPSec? (Guy Middleton)
> 2. Re: how to configure a FreeBSD firewall to pass IPSec?
> (David G. Andersen)
> 3. Re: how to configure a FreeBSD firewall to pass IPSec?
> (Lowell Gilbert)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 30 Apr 2003 09:45:37 -0400
> From: Guy Middleton <guy@obstruction.com>
> Subject: how to configure a FreeBSD firewall to pass IPSec?
> To: freebsd-security@freebsd.org
> Message-ID: <20030430094537.A20710@chaos.obstruction.com>
> Content-Type: text/plain; charset=us-ascii
>
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this? I can't find any hints in the man pages.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 30 Apr 2003 07:55:27 -0600
> From: "David G. Andersen" <danderse@cs.utah.edu>
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
> To: Guy Middleton <guy@obstruction.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <20030430075527.A54362@cs.utah.edu>
> Content-Type: text/plain; charset=us-ascii
>
> Guy Middleton just mooed:
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this? I can't find any hints in the man pages.
>
> It's probably using either ipip, esp, or ipencap. tcpdump the
> traffic, and then permit whichever protocol it's using.
>
> permit esp from foo to bar
>
> -Dave
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
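Added example, not part of the original message or of any poster's configuration: both replies suggest watching the traffic on the gateway to see which protocol the VPN client really uses. The Python sketch below classifies IPv4 packets by the protocol numbers behind the rules above (ESP = 50, IKE on UDP port 500) plus IP-in-IP = 4 and, as an assumption beyond the thread, AH = 51; the helper names, sample packets and addresses are constructed.

```python
import struct

# IP protocol numbers (IANA). ESP and IP-in-IP come up in the thread;
# AH is included as an assumption that the client might use it.
IP_PROTOS = {50: "ESP", 51: "AH", 4: "IP-in-IP"}

def classify(packet: bytes) -> str:
    """Return the IPsec-related traffic class of one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    if proto == 17:                          # UDP
        frag_off = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        if frag_off:                         # later fragment: no UDP header
            return "udp-fragment"
        if len(packet) < ihl + 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if 500 in (sport, dport):
            return "IKE"
    return "other"

def ipv4(proto: int, payload: bytes = b"", frag: int = 0) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                       64, proto, 0, bytes([192, 168, 1, 10]),
                       bytes([203, 0, 113, 5])) + payload

def udp(sport: int, dport: int) -> bytes:
    """Build a constructed, empty UDP header."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def summarize(packets):
    """Count packets per class: each class seen needs a matching pass rule."""
    counts = {}
    for p in packets:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed capture: one IKE exchange packet, two ESP packets, one DNS query.
SAMPLE = [ipv4(17, udp(500, 500)), ipv4(50, b"\x00" * 16),
          ipv4(50, b"\x00" * 16), ipv4(17, udp(40000, 53))]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A capture showing only "IKE" and "ESP" matches the two ipf rules in the message; "AH" or "IP-in-IP" counts mean additional pass rules for those protocols are needed.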