I have a FreeBSD box acting as a firewall and NAT gateway.

I would like to set it up to transparently pass IPSec packets -- I have an IPSec VPN client running on another machine, connecting to a remote network.

Is there a way to do this? I can't find any hints in the man pages.
David G. Andersen
2003-Apr-30 07:09 UTC
how to configure a FreeBSD firewall to pass IPSec?
Guy Middleton just mooed:
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this? I can't find any hints in the man pages.

It's probably using either ipip, esp, or ipencap. tcpdump the traffic, and then permit whichever protocol it's using.

    permit esp from foo to bar

-Dave
--
work: dga@lcs.mit.edu  me: dga@pobox.com
MIT Laboratory for Computer Science  http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
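The step David describes (look at the traffic, then permit whichever protocol it turns out to be) can be done offline once you have the packets. The following is an added example, not code from the thread: a small Python classifier that reads raw IPv4 packets, names the IPsec-related traffic class (IP-in-IP, ESP, AH, ISAKMP on UDP 500) and prints the ipf rule that would pass it. The packets, the addresses 192.168.1.10 and 203.0.113.5, and the interface name xl0 are constructed for the example; it also flags UDP 4500 (IPsec NAT-Traversal), which the thread itself does not mention.

```python
"""Classify captured IPv4 packets into the traffic classes an IPsec pass-through
firewall must allow, and emit the ipf rule for each.  Added example; the packets
at the bottom are constructed, not captured."""
import struct
import ipaddress
from typing import Optional

IPIP, UDP, ESP, AH = 4, 17, 50, 51          # IANA IP protocol numbers
ISAKMP_PORT, NATT_PORT = 500, 4500          # 4500 = IPsec NAT-Traversal (not discussed in the thread)


def parse_ipv4(pkt: bytes) -> dict:
    """Pull proto/src/dst/payload out of an IPv4 packet; rejects truncated or non-v4 input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total < ihl:
        raise ValueError("malformed IPv4 header")
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:total]}


def classify(pkt: bytes) -> str:
    """Return the traffic class a rule must allow: esp, ah, ipip, isakmp, nat-t, or other."""
    ip = parse_ipv4(pkt)
    if ip["proto"] in (ESP, AH, IPIP):
        return {ESP: "esp", AH: "ah", IPIP: "ipip"}[ip["proto"]]
    if ip["proto"] == UDP and len(ip["payload"]) >= 8:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        if (sport, dport) == (ISAKMP_PORT, ISAKMP_PORT):   # both ends 500, as Chris's switch required
            return "isakmp"
        if NATT_PORT in (sport, dport):
            return "nat-t"
    return "other"


# ipf syntax as used later in the thread; "keep state" on proto 50/51 tracks addresses only
RULES = {
    "esp":    "pass out quick on {wan} proto 50 from {src} to {dst} keep state",
    "ah":     "pass out quick on {wan} proto 51 from {src} to {dst} keep state",
    "ipip":   "pass out quick on {wan} proto 4 from {src} to {dst} keep state",
    "isakmp": "pass out quick on {wan} proto udp from {src} port = 500 to {dst} port = 500 keep state",
    "nat-t":  "pass out quick on {wan} proto udp from {src} to {dst} port = 4500 keep state",
}


def rule_for(pkt: bytes, wan: str = "xl0") -> Optional[str]:
    """The ipf rule that would pass this packet on the WAN side, or None if it is not VPN traffic."""
    kind = classify(pkt)
    if kind == "other":
        return None
    ip = parse_ipv4(pkt)
    return RULES[kind].format(wan=wan, src=ip["src"], dst=ip["dst"])


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test-packet builder (header checksum left zero; not needed for classification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed samples: a client at 192.168.1.10 talking to a VPN gateway at 203.0.113.5
SAMPLES = {
    "ike": ipv4(UDP, "192.168.1.10", "203.0.113.5", udp(500, 500, b"\x00" * 28)),
    "esp": ipv4(ESP, "192.168.1.10", "203.0.113.5", struct.pack("!II", 0x1234, 1) + b"\x00" * 16),
    "web": ipv4(6, "192.168.1.10", "203.0.113.5", b"\x00" * 20),   # TCP: not VPN traffic
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:>4}: {classify(pkt):7} {rule_for(pkt)}")
```

In practice the input would come from `tcpdump -w` on the gateway; the point of the classifier is that the only thing you need from the capture is the IP protocol number and, for UDP, the port pair, which is exactly what the ipf and ipnat rules later in the thread key on.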
Guy Middleton <guy@obstruction.com> writes:
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this? I can't find any hints in the man pages.

It's impossible. IPSEC can't be passed through a NAT. The best you could do would be to terminate the tunnel on the gateway itself.
Guy Middleton wrote:
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this? I can't find any hints in the man pages.

Guy,

I do this on my FreeBSD firewall, using IPF and IPNAT. I have Nortel's Extranet Access Client on a PC. I use it to connect to a Nortel Contivity VPN switch at work. I figured that, if any off-the-shelf broadband router can do it, then I should be able to do it. It took some time and patience and a lot of packet captures, but I got it.

There are two types of traffic that you must allow to pass through: ISAKMP, which is UDP port 500, and ESP, which is IP protocol 50. I'm not sure if the following is true for all IPSec implementations, but in my case, the VPN switch at the office would drop the ISAKMP packet unless it was both sourced from and destined for UDP 500.

After I added these two rules to my /etc/ipnat.rules file, I have been able to connect to my work via VPN.

    ###################################
    # For VPN key exchange, must be UDP 500 for both source and destination
    ###################################
    map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

    ###################################
    # Catchall for non-TCP and non-UDP, i.e. ICMP, and ESP for VPN
    ###################################
    map xl0 192.168.1.0/24 -> 0/32

Of course, you'll have to allow both these types of traffic into your private LAN. In my case, I did not require additional rules in my ipf.rules file, because I already allow all Internet bound traffic from my private LAN to go out. And the return traffic is allowed in, thanks to the "keep state" feature of IPFilter.

Good luck!

-Chris
Hi,

Looks like you just want client-side "pass-through" functionality. If this is correct, try using ipf/ipnat and write a map proxy rule in /etc/ipnat.rules. I use this, assuming ipf/ipnat on a dual-homed gateway:

    [NOTE: this should appear BEFORE other map entries.]
    map <wan_interface> <internal_lan_address_range> -> 0/32 proxy port 500 ipsec/udp

Then make sure your /etc/ipf.rules have appropriate entries to support it. I use these:

    pass in quick on <lan_interface> proto 50 from any to any keep state
    pass in quick on <lan_interface> proto udp from any port = 500 to any keep state

Try using tcpdump on the gateway to determine any additional needs specific to your implementation and topology. Set aside some time and be prepared to tinker...

Hope that helps,
VS
Guy:

FWIW, I tried ipfw/natd a few weeks ago but couldn't seem to get it to keep state properly through NAT. Eventually I gave up and turned to ipf/ipnat and have been happy with it ever since. I thought I read somewhere that ipfw/natd is the more "native" of the two systems and has been a part of FreeBSD for a longer time, but someone more experienced with the OS than myself can probably shed more light on this. Also, I think ipfw has better application for traffic shaping, if that's a feature you want/need. Some claim you can successfully mix the two simultaneously but I'm not familiar (or brave) enough to try :)

VS

------------------------------

Date: Thu, 1 May 2003 10:46:22 -0400
From: Guy Middleton <guy@obstruction.com>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
To: freebsd-security@freebsd.org

Thanks to everybody for the suggestions, I'll try them this weekend.

The discussion brings up a question: until now (and as recommended in the Handbook), I have been using ipfw and natd. Everybody here who has IPSec client passthrough working seems to use ipf/ipnat. Is ipf/ipnat more flexible? And why is there more than one firewalling scheme in FreeBSD?
danny@dannysplace.net writes:
> Ummm.. I do it... I would have to check my config, but I think it's AH esp.

Okay, so how does this work? When NAT munges the TCP header, how do you manage to confirm the ESP header?
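The question above, and Lowell's "it's impossible" earlier in the thread, both come down to what each IPsec header authenticates. ESP's integrity check value (ICV) covers only the ESP header (SPI, sequence number) and the payload, never the outer IP header, so a NAT that rewrites just the outer source address, which is all Chris's catch-all `map xl0 192.168.1.0/24 -> 0/32` does to a non-TCP/UDP packet, leaves an ESP packet perfectly valid. AH's ICV also covers the immutable fields of the outer IP header, addresses included, so the same rewrite breaks AH. The following is an added example, not code from the thread or from any of its participants: it builds one ESP and one AH packet, applies an address-only NAT to each, and checks which ICV survives. Assumed for the example: HMAC-SHA-256-128 as the integrity algorithm, a made-up shared key and SPI, no encryption (irrelevant to the question), the IPv4 header checksum left zero, and the constructed addresses 192.168.1.10, 203.0.113.5 and 198.51.100.7.

```python
"""Why an address-only NAT leaves ESP intact but breaks AH.  Added example, not
from the thread.  Integrity algorithm: HMAC-SHA-256-128; key, SPI, addresses and
payload are constructed; encryption and the IPv4 checksum are omitted."""
import hmac
import hashlib
import ipaddress
import struct

KEY = bytes(range(32))       # constructed 256-bit integrity key shared by both peers
SPI = 0x0000C0DE             # constructed SPI
ICV_LEN = 16                 # HMAC-SHA-256-128: MAC truncated to 128 bits (RFC 4868)
ESP_PROTO, AH_PROTO = 50, 51


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_hdr(proto: int, src: str, dst: str, payload_len: int) -> bytes:
    # checksum (last H before the addresses) left zero for brevity; AH zeroes it anyway
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_esp(src: str, dst: str, seq: int, inner: bytes) -> bytes:
    """ESP (RFC 4303): |SPI|seq|payload|ICV|.  The ICV covers SPI..payload, not the outer IP header."""
    body = struct.pack("!II", SPI, seq) + inner
    return ipv4_hdr(ESP_PROTO, src, dst, len(body) + ICV_LEN) + body + icv(body)


def verify_esp(pkt: bytes) -> bool:
    esp = pkt[20:]
    return hmac.compare_digest(icv(esp[:-ICV_LEN]), esp[-ICV_LEN:])


def ah_covered(ip_hdr: bytes, ah_and_payload_icv_zeroed: bytes) -> bytes:
    """AH (RFC 4302) authenticates the outer IPv4 header with its mutable fields zeroed:
    TOS, flags/fragment offset, TTL and checksum.  Source and destination are immutable."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + ah_and_payload_icv_zeroed


def build_ah(src: str, dst: str, seq: int, inner: bytes) -> bytes:
    """AH: |next hdr|len|reserved|SPI|seq|ICV| then the payload; next header 4 = IP-in-IP (tunnel mode)."""
    ah_len = (12 + ICV_LEN) // 4 - 2                      # header length in 32-bit words, minus 2
    fixed = struct.pack("!BBHII", 4, ah_len, 0, SPI, seq)
    hdr = ipv4_hdr(AH_PROTO, src, dst, 12 + ICV_LEN + len(inner))
    mac = icv(ah_covered(hdr, fixed + bytes(ICV_LEN) + inner))
    return hdr + fixed + mac + inner


def verify_ah(pkt: bytes) -> bool:
    hdr, ah = pkt[:20], pkt[20:]
    fixed, mac, inner = ah[:12], ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    return hmac.compare_digest(icv(ah_covered(hdr, fixed + bytes(ICV_LEN) + inner)), mac)


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What an address-only NAT (the ipnat catch-all map) does to a non-TCP/UDP packet:
    replace the outer source address and nothing else."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def demo() -> dict:
    inner = b"constructed inner packet"
    client, vpn_gw, nat_public = "192.168.1.10", "203.0.113.5", "198.51.100.7"   # made-up addresses
    esp = build_esp(client, vpn_gw, 1, inner)
    ah = build_ah(client, vpn_gw, 1, inner)
    return {
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, nat_public)),
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, nat_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {'ok' if ok else 'ICV FAIL'}")
```

The result is the whole answer to the NAT question: ESP verifies before and after the rewrite, AH verifies only before. The same structure also explains the limit of a plain address map: ESP carries no port, so two inside clients talking to the same remote peer cannot be told apart by addresses alone, which is the problem UDP-encapsulated NAT-Traversal (UDP 4500) was later standardised to solve.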