>From: "Crist J. Clark" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>
>[snip]
>
> > >> # 192.168.1.0 is my Unnatted/internal network.
> > >> #
> > >> pass in proto esp from vpn.XXX.net/32 to 192.168.1.0/24
> > >> pass out proto esp from 192.168.1.0/24 to vpn.XXX.net/32
> > >
> > >Find out if you are using ESP or 10000/udp.
> >
> > I am seeing a lot of isakmp traffic getting blocked. I _believe_
> > that it is ESP.
>
>You seem to be very confused. ISAKMP rides over 500/udp. UDP is an IP
>protocol (protocol 17 to be exact). ESP, Encapsulated Security
>Payload, is a completely separate IP protocol (protocol 50).
Thank you. What I am seeing is the following from tcpdump, but what
puzzles me is the fact that I sometimes see VPN.XXX.NET.IP, and
sometimes I see VPN.XXX.NET-ROUTER.IP, which are not even on the same subnet.
See the output sample below.
21:05:38.838016 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
    cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: fe44266a len: 84
21:05:38.855278 VPN.XXX.NET.IP.isakmp > 204.177.198.17.isakmp: isakmp v1.0 exchange INFO encrypted
    cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: e58d1012 len: 84
21:05:49.853889 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
    cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: afa02b26 len: 76
21:05:49.854443 204.177.198.17.10346 > VPN.XXX.NET.IP.10000: udp 1
21:05:49.871418 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET-ROUTER.IP unreachable - admin prohibited filter
21:05:59.866318 204.177.198.17.10346 > VPN.XXX.NET.IP.10000: udp 1
21:05:59.879087 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter
21:06:09.879955 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
    cookie: 77ebe015bdc5ecce->2b4ea8a31d8bf87f msgid: 44044a0f len: 76
21:06:09.880703 204.177.198.17.10346 > VPN.XXX.NET.IP.10000: udp 1
21:06:09.896695 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET.IP unreachable - admin prohibited filter
>
>Also, since you only seem to want to have the VPN go to one client,
>you can substitute the client address, 192.168.1.101/32, in here
>rather than the whole internal network, 192.168.1.0/24.
>
>[snip]
>
> > Here is my latest ipf.rules file as well as my latest ipnat.rules
> > file. I _AM_ now getting connected to the Cisco VPN concentrator
> > and I get logged in, but I am unable to ping any internal hosts
> > or connect to them, of course :-) I will of course post my final
> > .conf files to the list in order to help the next poor soul who
> > has to set this up.
> >
> > Thank you again.
> >
> > Vad
> > ---
> > #
> > # sis0 is outside interface on Internet (204.177.198.17/32)
> > # sis1 is inside interface on Intranet (192.168.1.254/32)
> > #
> > # VPN software client is 192.168.1.101
> > #
> > # VPN Concentrator is on Internet and is IP VPN.XXX.NET.IP/32
> > #
> > pass out quick on lo0
> > pass in quick on lo0
> > #
> > block in log quick on sis0 from 192.168.0.0/16 to any
> > block in log quick on sis0 from 172.16.0.0/12 to any
> > block in log quick on sis0 from 10.0.0.0/8 to any
> > block in log quick on sis0 from 127.0.0.0/8 to any
> > block in log quick on sis0 from 0.0.0.0/8 to any
> > block in log quick on sis0 from 169.254.0.0/16 to any
> > block in log quick on sis0 from 192.0.2.0/24 to any
> > block in log quick on sis0 from 204.152.64.0/23 to any
>
>Got something against Sun?
>
> > block in log quick on sis0 from 224.0.0.0/3 to any
> > block in log quick on sis0 from 20.20.20.0/24 to any
>
>And CSC?
Just following the HOWTOs.
> > #
> > block in quick on sis0 proto tcp from any to any flags FUP
> > block in quick on sis0 proto tcp from any to any flags SF/SFRA
> > block in quick on sis0 proto tcp from any to any flags /SFRA
> > #
> > pass out quick on sis0 proto tcp from any to any flags S keep state
> > pass out quick on sis0 proto udp from any to any keep state
> > pass out quick on sis0 proto icmp from any to any keep state
> > pass out quick on sis0 proto esp from any to any keep state
> > #
> > pass in quick on sis1 proto tcp from any to 192.168.1.254 port = 22 flags S/SA
> > pass out quick on sis1 proto tcp from 192.168.1.254 port = 22 to any flags S/SA
>
>A TCP SYN with a _source_ port of 22?
ssh?
> > pass out quick on sis1 proto icmp all icmp-type 0
> > pass out quick on sis1 proto icmp all icmp-type 3
> > pass out quick on sis1 proto icmp all icmp-type 11
> > #
> > pass out quick on sis1 proto udp from 192.168.1.254 port = 53 to any
> > pass out quick on sis1 proto udp from 192.168.1.0 port = 53 to any
>
>Huh?
Allows my internal machines to resolve against an external DNS server, no?
> > pass in quick on sis0 proto tcp from any to any port = 25 flags S/SA keep state
> > pass in quick on sis0 proto tcp from any to any port = 29204 flags S/SA keep state
> > pass in quick on sis0 proto tcp from any to any port = 22 flags S/SA keep state
> > block in log quick on sis0 proto tcp all flags S/SA
> > block out log quick on sis0 proto tcp all flags S/SA
> > block out on sis1 proto tcp all flags S/SA
> > block out on sis1 proto udp all
> > block out on sis1 proto icmp all
>
>You still seem to be missing some rules on sis1. I don't see how any
>of this works. I don't see how you can ever get a connection from your
>internal network out to the Internet.
But I tell you it does :-)
> > IPNAT
> >
> > map sis0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> > map sis0 192.168.1.0/24 -> 0/32 proxy port isakmp ipsec/udp
> > map sis0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:30000
> > map sis0 192.168.1.0/24 -> 0/32
> > #
> > # This is a test
> > #
> > # rdr sis0 0/32 port 0 -> 192.168.1.101 port 0 esp
> > #
> > # rdr sis0 204.177.198.17/32 port 500 -> 192.168.1.101 port 500 udp
> > # rdr sis0 204.177.198.17/32 port 10000 -> 192.168.1.101 port 10000 udp
I've recently placed the commented ones back in to test, no help.
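Added example, not part of this post or the thread: a small Python classifier for tcpdump lines in the format shown above. It answers the "ESP or 10000/udp?" question from the capture itself by counting IKE on udp/500, Cisco NAT-T on udp/10000 and ESP as IP protocol 50 (which has no port at all), and it flags the ICMP "admin prohibited" replies that arrive from the far-end router right after each udp/10000 packet, which is a reject from the remote side rather than from a local ipf block rule. The first sample copies the post's capture (with the same anonymised names); the second sample is constructed to show a tunnel carrying ESP, and its exact tcpdump wording for ESP is an assumption.

```python
"""Classify tcpdump lines from an IPsec/IKE session into what is actually
on the wire: IKE (udp/500), Cisco NAT-T (udp/10000) or ESP (IP proto 50),
and spot far-end administrative rejects.  Added example; not from the post."""
import re
from collections import Counter

# Lines copied from the post's tcpdump output (wrapped lines joined).
SAMPLE_FROM_POST = """\
21:05:38.838016 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
21:05:38.855278 VPN.XXX.NET.IP.isakmp > 204.177.198.17.isakmp: isakmp v1.0 exchange INFO encrypted
21:05:49.854443 204.177.198.17.10346 > VPN.XXX.NET.IP.10000: udp 1
21:05:49.871418 VPN.XXX.NET-ROUTER.IP > 204.177.198.17: icmp: host VPN.XXX.NET-ROUTER.IP unreachable - admin prohibited filter
"""

# Constructed sample: a session where ESP (IP protocol 50) flows directly.
# The ESP line format is an assumption about tcpdump's output.
SAMPLE_ESP_OK = """\
21:10:00.000001 204.177.198.17.isakmp > VPN.XXX.NET.IP.isakmp: isakmp v1.0 exchange INFO encrypted
21:10:00.100002 204.177.198.17 > VPN.XXX.NET.IP: ESP(spi=0x0000abcd,seq=0x1)
21:10:00.100003 VPN.XXX.NET.IP > 204.177.198.17: ESP(spi=0x0000dcba,seq=0x1)
"""

# timestamp  src  >  dst:  body
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<body>.*)$"
)


def split_endpoint(token, has_port):
    """tcpdump appends the port (or service name) as the last dotted
    component, so split it off only for protocols that carry ports."""
    if not has_port:
        return token, None
    host, _, port = token.rpartition(".")
    return host, port


def classify(line):
    """Return (category, src_host, dst_host) for one tcpdump line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    kind = body.split(None, 1)[0].rstrip(":").lower()  # isakmp / udp / icmp / esp(...)
    if kind.startswith("esp") or kind == "icmp":
        src, _ = split_endpoint(m.group("src"), False)
        dst, _ = split_endpoint(m.group("dst"), False)
        if kind == "icmp":
            cat = "icmp admin-prohibited" if "admin prohibited" in body else "icmp"
        else:
            cat = "esp (ip proto 50)"
        return cat, src, dst
    src, _sport = split_endpoint(m.group("src"), True)
    dst, dport = split_endpoint(m.group("dst"), True)
    if kind == "isakmp" or dport in ("isakmp", "500"):
        return "isakmp (udp/500)", src, dst
    if kind == "udp" and dport == "10000":
        return "nat-t (udp/10000)", src, dst
    return kind, src, dst


def diagnose(capture):
    """Tally categories and return (counts, findings) for a capture text."""
    counts = Counter()
    findings = []
    pending_natt_dst = None  # dst of the last udp/10000 packet not yet answered
    for line in capture.splitlines():
        result = classify(line)
        if result is None:
            continue
        cat, src, dst = result
        counts[cat] += 1
        if cat == "nat-t (udp/10000)":
            pending_natt_dst = dst
        elif cat == "icmp admin-prohibited" and pending_natt_dst is not None:
            findings.append(
                f"udp/10000 to {pending_natt_dst} answered by ICMP admin-prohibited "
                f"from {src}: the reject comes from the far side, not a local ipf rule")
            pending_natt_dst = None
    if counts["esp (ip proto 50)"] == 0 and counts["nat-t (udp/10000)"] > 0:
        findings.append("client is attempting NAT-T over udp/10000 and no ESP was seen; "
                        "'pass proto esp' rules do not cover this session")
    elif counts["esp (ip proto 50)"] > 0:
        findings.append("ESP (IP protocol 50) is in use; it has no port, so match it "
                        "with 'proto esp', not with a udp/tcp port rule")
    return counts, findings


if __name__ == "__main__":
    for name, cap in (("post capture", SAMPLE_FROM_POST), ("constructed esp", SAMPLE_ESP_OK)):
        counts, findings = diagnose(cap)
        print(name, dict(counts))
        for f in findings:
            print("  -", f)
```

Run it as a script to see the tallies for both samples, or feed `diagnose()` the text of a real `tcpdump -n` capture; the port split relies on tcpdump's `host.port` notation, so keep name resolution consistent with the sample (the post's capture shows `isakmp` as a resolved service name).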