I just want to add that I get the same weirdness as mentioned below with regard to:

--- snip ---
* After the system came back up, NAT seemed to be screwed up to the VPN
host.  It wasn't natting to the VPN host and it was attempting to send
un-natted traffic to the VPN host. Reloading the ipnat.conf seemed to fix it. I haven't rebooted again so I'm not sure if this problem will come again after the next boot.
--- snip ---

except that I cannot get rid of this state unless I reboot my Solaris 10 machine (running on the x86 architecture).

I have tried down/unplumb/plumb/up on the interfaces.
I have run ipnat -C and ipnat -F and then ipnat -f to reload the NAT rules.
I have tried svcadm restart ipfilter.

NO success! Only a reboot works. Any clues, anyone?

Rgds,
Peter

Blaster wrote:
This is a follow-up e-mail to some mailings from me from a couple of months ago
now about using the Cisco VPN client with IPFilter.

First I had it working with an older version of IPFilter on S9, then I
upgraded to S10 and it broke (kernel panic as soon as the tunnel was built).

Well, I've finally had a chance to get back to it, and I seem to have it
working again, but there have been a few problems.

First of all, thanks to:
Hans Werner Strube for responding to my question on how to get 4.1.9 to
compile on Solaris 10.  His response worked great!

Jeff Earickson for the IPF on Solaris 10 how-to.  The instructions worked
great.  I do have one suggestion for an addition, though.  When saving
copies of the original distribution, you might want to add
cp /etc/ipf/ipf.conf /etc/ipf/ipf.conf.orig, as after I removed the ipf
package, it removed my ipf.conf file.  ARGH!  Shame on Sun for putting out a
package that removes a config file when the package is removed!

Someone asked for my configuration so they could add it to the FAQ, so here
it is:

ipnat.conf:
# Next line ensures that the source port stays at port 500 when natted.
# The VPN gateway I'm connecting to didn't like the source port getting
# translated
map extint from rfc1918/24 port=500 to vpnip/32 -> publicip/32
# Build the IPSEC proxy
map extint rfc1918/24 -> publicip/32 proxy port 500 ipsec/udp
# Standard NAT mappings below
map extint rfc1918/16 -> publicip/32 portmap tcp/udp 40000:60000
map extint rfc1918/16 -> publicip/32

ipf.conf:
# Add rule to allow in ipsec (ESP, IP protocol 50) from VPN server
# (ipf keywords are lowercase; "Pass" would be rejected when the rules are loaded)
pass in quick on <interface> proto 50 from <vpnip>/32 to any


Now, I have had a few weird problems that I can't explain.

* I have had one kernel panic so far.  It happened after about 5 minutes of
connectivity.  After coming back up, it's been working for about 45 minutes.
I didn't have dumps configured so I don't have anything to analyze, I have
turned them on now though.

* After the system came back up, NAT seemed to be screwed up to the VPN
host.  It wasn't natting to the VPN host and it was attempting to send
un-natted traffic to the VPN host.  Reloading the ipnat.conf seemed to fix
it.  I haven't rebooted again so I'm not sure if this problem will come
again after the next boot.


I'm guessing that with this configuration of having to force no port
translation to the VPN host that only 1 VPN connection at a time will work
per public IP.

From the little bit of research I could do, it looks like NAT-T is the
future of NATting with IPSEC.  Are there any plans in the works to add that
to IPFilter?

Hope this information helps someone.  I'll report back if I get any more
kernel panics.
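The limitation Blaster guesses at above (one VPN connection per public IP when the ISAKMP source port is pinned to 500) and the NAT-T alternative he asks about can be shown with a small model. The following is an added illustration written for this thread; it is not code from either post nor from IPFilter. The NAT table is a deliberate toy (it does not model the ipsec/udp proxy's tracking of ESP SPIs, only UDP port mapping), and the client, gateway and public addresses are made up.

```python
"""Toy NAT model: pinned UDP/500 for IKE vs. NAT-T style translation on UDP/4500.

Added illustration for the ipfilter thread, not IPFilter's own code.  All
addresses below are constructed examples (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip address, udp port)
Session = Tuple[Endpoint, Endpoint]   # (inside source, remote destination)


class PortCollision(Exception):
    """The (public port, remote endpoint) pair is already owned by another session."""


@dataclass
class ToyNat:
    public_ip: str
    portmap: Tuple[int, int] = (40000, 60000)   # cf. 'portmap tcp/udp 40000:60000' in ipnat.conf
    # (public source port, remote endpoint) -> session that owns it
    table: Dict[Tuple[int, Endpoint], Session] = field(default_factory=dict)
    next_port: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_port = self.portmap[0]

    def outbound(self, src: Endpoint, dst: Endpoint, keep_port: bool = False) -> int:
        """Translate an outbound UDP packet src -> dst; return the public source port.

        keep_port=True models the thread's rule that forbids translating the
        source port (the gateway insists on seeing port 500).  keep_port=False
        models the ordinary portmap rule, which picks a free port from the range.
        """
        for (pub_port, _remote), sess in self.table.items():
            if sess == (src, dst):
                return pub_port                       # existing session, reuse mapping
        if keep_port:
            pub_port = src[1]
            if (pub_port, dst) in self.table:
                owner = self.table[(pub_port, dst)][0]
                raise PortCollision(
                    f"{self.public_ip}:{pub_port} -> {dst} already used by {owner}")
        else:
            pub_port = self._allocate_port(dst)
        self.table[(pub_port, dst)] = (src, dst)
        return pub_port

    def _allocate_port(self, dst: Endpoint) -> int:
        """Round-robin through the portmap range, skipping ports taken towards dst."""
        lo, hi = self.portmap
        for _ in range(hi - lo + 1):
            p = self.next_port
            self.next_port = lo if p >= hi else p + 1
            if (p, dst) not in self.table:
                return p
        raise PortCollision("portmap range exhausted")

    def inbound(self, remote: Endpoint, pub_port: int) -> Optional[Endpoint]:
        """Reverse-map a reply from remote to public_ip:pub_port back to the inside host."""
        sess = self.table.get((pub_port, remote))
        return sess[0] if sess else None


def run_clients(clients: List[str], vpn_gw: str, nat_t: bool) -> Dict[str, Optional[int]]:
    """Start an IKE exchange from each inside client to vpn_gw through one ToyNat.

    Without NAT-T, IKE runs on UDP/500 and the source port is pinned, so the
    second client collides with the first.  With NAT-T, the exchange moves to
    UDP/4500 and the source port is translated like any other UDP flow.
    Returns client -> public source port (None when no session could be made).
    """
    nat = ToyNat("198.51.100.7")          # constructed public address
    port = 4500 if nat_t else 500
    results: Dict[str, Optional[int]] = {}
    for ip in clients:
        try:
            results[ip] = nat.outbound((ip, port), (vpn_gw, port), keep_port=not nat_t)
        except PortCollision:
            results[ip] = None
    return results


if __name__ == "__main__":
    inside = ["192.168.1.10", "192.168.1.11"]        # constructed inside hosts
    gw = "203.0.113.5"                               # constructed VPN gateway
    print("pinned UDP/500 :", run_clients(inside, gw, nat_t=False))
    print("NAT-T UDP/4500 :", run_clients(inside, gw, nat_t=True))
```

With the pinned rule the second inside host gets no session at all because the gateway can only be reached as publicip:500 once; with NAT-T each host gets its own translated port and replies from the gateway demultiplex back correctly via `inbound()`. The real ipsec/udp proxy additionally has to pair ESP (which carries no ports) with the right client by SPI, which this toy leaves out.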


