This is a follow up email to some mailings from me from a couple months ago now about using the Cisco VPN client with IPFilter.
First I had it working with an older version of IPFilter on S9, then I upgraded to S10 and it broke (kernel panic as soon as the tunnel was built). Well, I've finally had a chance to get back to it, and I seem to have it working again, but there have been a few problems.

First of all, thanks to:

* Hans Werner Strube for responding to my question on how to get 4.1.9 to compile on Solaris 10. His response worked great!
* Jeff Earickson for the IPF on Solaris 10 how-to. The instructions worked great. I do have one suggestion for an addition, though. When saving copies of the original distribution, you might want to add:

    cp /etc/ipf/ipf.conf /etc/ipf/ipf.conf.orig

  as after I removed the ipf package, it removed my ipf.conf file. ARGH! Shame on Sun for putting out a package that removes a config file when the package is removed!

Someone asked for my configuration so they could add it to the FAQ, so here it is:

ipnat.conf:

# Next line ensures that the source port stays at port 500 when natted.
# The VPN gateway I'm connecting to didn't like the source port getting
# translated
map extint from rfc1918/24 port=500 to vpnip/32 -> publicip/32

# Build the IPSEC proxy
map extint rfc1918/24 -> publicip/32 proxy port 500 ipsec/udp

# Standard NAT mappings below
map extint rfc1918/16 -> publicip/32 portmap tcp/udp 40000:60000
map extint rfc1918/16 -> publicip/32

ipf.conf:

# Add rule to allow in ipsec from VPN server
pass in quick on <interface> proto 50 from <vpnip>/32 to any

Now, I have had a few weird problems that I can't explain.

* I have had one kernel panic so far. It happened after about 5 minutes of connectivity. After coming back up, it's been working for about 45 minutes. I didn't have dumps configured so I don't have anything to analyze, but I have turned them on now.
* After the system came back up, NAT seemed to be screwed up to the VPN host. It wasn't natting to the VPN host and it was attempting to send un-natted traffic to the VPN host. Reloading the ipnat.conf seemed to fix it. I haven't rebooted again so I'm not sure if this problem will come back after the next boot.

I'm guessing that with this configuration of having to force no port translation to the VPN host, only one VPN connection at a time will work per public IP.

From the little bit of research I could do, it looks like NAT-T is the future of NATting with IPSEC. Are there any plans in the works to add that to IPFilter?

Hope this information helps someone. I'll report back if I get any more kernel panics.
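The following is an added example, not part of the poster's message and not IPFilter code. It is a small simulation of how the four ipnat map lines above are applied, written to show two things the config relies on: why the "port=500" line has to sit above the portmap line (the simulation assumes ipnat uses the first matching map rule, which is my understanding of ipnat, not something the message states), and what the poster's guess of "one VPN connection per public IP" looks like in practice. The rfc1918/24, rfc1918/16, vpnip and publicip placeholders are replaced with constructed documentation addresses, the ipsec proxy line is reduced to "match UDP to port 500, keep the source port", and a duplicate external tuple is treated as a collision to model the poster's guess; none of that is verified ipnat behaviour.

```python
"""First-match simulation of the posted ipnat.conf map rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the placeholders in the posted config.
VPN_CLIENTS = ipaddress.ip_network("192.168.1.0/24")   # rfc1918/24
LAN = ipaddress.ip_network("192.168.0.0/16")           # rfc1918/16
VPNIP = ipaddress.ip_address("203.0.113.10")           # vpnip
PUBLICIP = ipaddress.ip_address("198.51.100.1")        # publicip


@dataclass(frozen=True)
class MapRule:
    """One ipnat 'map' line, reduced to the fields this simulation needs."""
    name: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None        # 'to vpnip/32'; None = any
    src_port: Optional[int] = None                     # 'port=500' on the from clause
    dst_port: Optional[int] = None                     # 'proxy port 500' (simplified)
    proto: Optional[str] = None                        # 'tcp/udp', 'udp' or None = any
    portmap: Optional[Tuple[int, int]] = None          # 'portmap tcp/udp 40000:60000'

    def matches(self, src, sport, dst, dport, proto) -> bool:
        if src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.src_port is not None and sport != self.src_port:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        if self.proto is not None and proto not in self.proto.split("/"):
            return False
        return True


# The four map lines from the posted ipnat.conf, in the posted order.
POSTED_RULES = [
    MapRule("keep-ike-port", VPN_CLIENTS,
            dst=ipaddress.ip_network("203.0.113.10/32"), src_port=500),
    MapRule("ipsec-proxy", VPN_CLIENTS, dst_port=500, proto="udp"),
    MapRule("portmap", LAN, proto="tcp/udp", portmap=(40000, 60000)),
    MapRule("plain-map", LAN),
]


class Nat:
    """Assumed first-match semantics: the first map rule that matches is used."""

    def __init__(self, rules, public=PUBLICIP):
        self.rules = list(rules)
        self.public = public
        self.next_port = {}      # rule name -> next free port in its portmap range
        self.in_use = set()      # external tuples already handed out

    def translate(self, src, sport, dst, dport, proto):
        """Return (rule name, translated source port), or (None, None) if no
        map rule applies. A duplicate external tuple raises, modelling the
        poster's guess that only one fixed-port IKE session fits per public IP."""
        for r in self.rules:
            if not r.matches(src, sport, dst, dport, proto):
                continue
            if r.portmap:
                lo, hi = r.portmap
                port = self.next_port.get(r.name, lo)
                if port > hi:
                    raise RuntimeError("portmap range exhausted")
                self.next_port[r.name] = port + 1
            else:
                port = sport     # no portmap: the source port is preserved
            key = (self.public, port, dst, dport, proto)
            if key in self.in_use:
                raise RuntimeError(f"{r.name}: {self.public}:{port} -> {dst}:{dport} already mapped")
            self.in_use.add(key)
            return r.name, port
        return None, None


def demo():
    """IKE to the VPN gateway keeps port 500; ordinary UDP gets portmapped."""
    nat = Nat(POSTED_RULES)
    client = ipaddress.ip_address("192.168.1.5")
    ike = nat.translate(client, 500, VPNIP, 500, "udp")
    dns = nat.translate(client, 45321, ipaddress.ip_address("192.0.2.53"), 53, "udp")
    return ike, dns


def reordered_demo():
    """Same IKE packet with the portmap line moved above the port=500 line."""
    nat = Nat([POSTED_RULES[2], POSTED_RULES[0], POSTED_RULES[1], POSTED_RULES[3]])
    return nat.translate(ipaddress.ip_address("192.168.1.5"), 500, VPNIP, 500, "udp")


def second_client_collides():
    """A second client also pinned to source port 500 collides on the same public IP."""
    nat = Nat(POSTED_RULES)
    nat.translate(ipaddress.ip_address("192.168.1.5"), 500, VPNIP, 500, "udp")
    try:
        nat.translate(ipaddress.ip_address("192.168.1.6"), 500, VPNIP, 500, "udp")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("posted order:", demo())
    print("portmap first:", reordered_demo())
    print("second client collides:", second_client_collides())
```

With the rules in the posted order the IKE packet is translated by the first line and leaves with source port 500, while other UDP traffic is portmapped into 40000:60000. Moving the portmap line above it would hand the IKE packet a port from that range, which is exactly what the VPN gateway rejected. The collision check is only a model of the poster's guess; whether real ipnat refuses or silently mis-maps the second client is not something this message or the simulation establishes.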
