On Thu, Aug 15, 2002 at 02:50:19PM +0000, Vadim Pushkin wrote:
> >From: "Crist J. Clark" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: Vadim Pushkin <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: Need Help with Cisco sw VPN behind IpFilter/OpenBSD
[snip]

> >> # 192.168.1.0 is my Unnatted/internal network.
> >> #
> >> pass in proto esp from vpn.XXX.net/32 to 192.168.1.0/24
> >> pass out proto esp from 192.168.1.0/24 to vpn.XXX.net/32
> >
> >Find out if you are using ESP or 10000/udp.
> 
> I am seeing a lot of isakmp traffic getting blocked. I _believe_
> that it is ESP.

You seem to be very confused. ISAKMP rides over 500/udp. UDP is an IP
protocol (protocol 17 to be exact). ESP, Encapsulated Security
Payload, is a completely separate IP protocol (protocol 50).

Also, since you only seem to want to have the VPN go to one client,
you can substitute the client address, 192.168.1.101/32, in here
rather than the whole internal network, 192.168.1.0/24.

[snip]

> Here is my latest ipf.rules file as well as my latest ipnat.rules
> file. I _AM_ now getting connected to the Cisco VPN concentrator
> and I get logged in, but I am unable to ping any internal hosts
> or connect to them, of course :-) I will of course post my final
> .conf files to the list in order to help the next poor soul who
> has to set this up.
> 
> Thank you again.
> 
> Vad
> ---
> #
> # sis0 is outside interface on Internet (204.177.198.17/32)
> # sis1 is inside interface on Intranet  (192.168.1.254/32)
> #
> # VPN software client is 192.168.1.101
> #
> # VPN Concentrator is on Internet and is IP VPN.XXX.NET.IP/32
> #
> pass out quick on lo0
> pass in quick on lo0
> #
> block in log quick on sis0 from 192.168.0.0/16 to any
> block in log quick on sis0 from 172.16.0.0/12 to any
> block in log quick on sis0 from 10.0.0.0/8 to any
> block in log quick on sis0 from 127.0.0.0/8 to any
> block in log quick on sis0 from 0.0.0.0/8 to any
> block in log quick on sis0 from 169.254.0.0/16 to any
> block in log quick on sis0 from 192.0.2.0/24 to any
> block in log quick on sis0 from 204.152.64.0/23 to any

Got something against Sun?

> block in log quick on sis0 from 224.0.0.0/3 to any
> block in log quick on sis0 from 20.20.20.0/24 to any

And CSC?

> #
> block in quick on sis0 proto tcp from any to any flags FUP
> block in quick on sis0 proto tcp from any to any flags SF/SFRA
> block in quick on sis0 proto tcp from any to any flags /SFRA
> #
> pass out quick on sis0 proto tcp from any to any flags S keep state
> pass out quick on sis0 proto udp from any to any keep state
> pass out quick on sis0 proto icmp from any to any keep state
> pass out quick on sis0 proto esp from any to any keep state
> #
> pass in quick on sis1 proto tcp from any to 192.168.1.254 port = 22 flags S/SA
> pass out quick on sis1 proto tcp from 192.168.1.254 port = 22 to any flags S/SA

A TCP SYN with a _source_ port of 22?

> pass out quick on sis1 proto icmp all icmp-type 0
> pass out quick on sis1 proto icmp all icmp-type 3
> pass out quick on sis1 proto icmp all icmp-type 11
> #
> pass out quick on sis1 proto udp from 192.168.1.254 port = 53 to any
> pass out quick on sis1 proto udp from 192.168.1.0 port = 53 to any

Huh?

> pass in quick on sis0 proto tcp from any to any port = 25 flags S/SA keep state
> pass in quick on sis0 proto tcp from any to any port = 29204 flags S/SA keep state
> pass in quick on sis0 proto tcp from any to any port = 22 flags S/SA keep state
> block in log quick on sis0 proto tcp all flags S/SA
> block out log quick on sis0 proto tcp all flags S/SA
> block out on sis1 proto tcp all flags S/SA
> block out on sis1 proto udp all
> block out on sis1 proto icmp all

You still seem to be missing some rules on sis1. I don't see how any
of this works. I don't see how you can ever get a connection from your
internal network out to the Internet.

> IPNAT
> 
> map sis0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map sis0 192.168.1.0/24 -> 0/32 proxy port isakmp ipsec/udp
> map sis0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:30000
> map sis0 192.168.1.0/24 -> 0/32
> #
> # This is a test
> #
> # rdr sis0 0/32 port 0 -> 192.168.1.101 port 0 esp
> #
> # rdr sis0 204.177.198.17/32 port 500 -> 192.168.1.101 port 500 udp
> # rdr sis0 204.177.198.17/32 port 10000 -> 192.168.1.101 port 10000 udp

-- 
Crist J. Clark                     |     [EMAIL PROTECTED]
                                   |     [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/    |     [EMAIL PROTECTED]
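Two points in the reply above, that ESP (IP protocol 50) is not the same thing as ISAKMP (500/udp) or NAT-T (10000/udp), and that the sis1 rules leave no way for return traffic to reach the client, can be checked mechanically. The following is an added Python example, not part of the thread, that evaluates first packets against a constructed subset of the quoted ipf rules using ipf's quick / last-match semantics. It assumes 198.51.100.7 as a stand-in for the concentrator address and adds a final default-deny rule that the posted rules do not have; TCP flags and `keep state` are not modelled, so the verdicts hold only for a packet with no existing state entry.

```python
import ipaddress
# IP protocol numbers: ESP (50) is its own protocol; ISAKMP is UDP (17) port 500.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}
# Constructed ipf.rules subset: lines 1-5 follow rules quoted in the thread
# (198.51.100.7 stands in for the concentrator); the default-deny is assumed here.
RULES = """
pass out quick on sis0 proto udp from any to any keep state
pass out quick on sis0 proto esp from any to any keep state
pass in quick on sis0 proto esp from 198.51.100.7/32 to 192.168.1.0/24
pass out quick on sis1 proto udp from 192.168.1.254 port = 53 to any
block out on sis1 proto udp all
block in log quick on sis0 all
""".strip().splitlines()

def parse_rule(line):
    """Parse one rule into a dict; 'log', 'flags' and 'keep state' are ignored."""
    tok = line.split()
    r = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok, "iface": None,
         "proto": None, "src": "any", "dst": "any", "sport": None, "dport": None}
    side = None
    for i, t in enumerate(tok):
        if t == "on": r["iface"] = tok[i + 1]
        elif t == "proto": r["proto"] = PROTO_NUM[tok[i + 1]]
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            r[side] = tok[i + 1]
        elif t == "port":  # "port = N" belongs to the preceding from/to address
            r["sport" if side == "src" else "dport"] = int(tok[i + 2])
    return r

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and in_net(p["src"], r["src"])
            and in_net(p["dst"], r["dst"]) and r["sport"] in (None, p["sport"])
            and r["dport"] in (None, p["dport"]))

def verdict(p, rules=RULES):
    """No state: a matching 'quick' rule decides at once, else last match wins, default pass."""
    last = "pass"
    for r in map(parse_rule, rules):
        if matches(r, p):
            if r["quick"]:
                return r["action"]
            last = r["action"]
    return last

def packet(direction, iface, proto, src, dst, sport=None, dport=None):
    return dict(dir=direction, iface=iface, proto=PROTO_NUM[proto], src=src, dst=dst, sport=sport, dport=dport)
```

Inbound ESP from the concentrator passes on the `proto esp` rule, while inbound ISAKMP (500/udp) and NAT-T (10000/udp) never match it; on sis1, a UDP packet to the client that is not a DNS reply from 192.168.1.254 falls through to `block out on sis1 proto udp all`.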
