I have an L2TP NPPPD server machine with IP $L2TP sitting behind an OpenBSD firewall, say FIRET ('T' for temporary, because it will move). $L2TP is an externally routable IP. $Ext, the external interface of FIRET, allows traffic into $L2TP. A snippet of pf.conf is

----begin snippet-0
# service names from /etc/services: isakmp 500/udp, ipsec-nat-t 4500/udp, l2tp 1701/udp
ipsecIN = "{ isakmp, ipsec-nat-t, l2tp }"

pass in quick on $Ext inet proto udp from any to $L2TP port $ipsecIN keep state
pass in quick on $Ext inet proto esp from any to $L2TP
pass in quick on $Ext inet proto ah from any to $L2TP
----end snippet-0

It all went wonderfully. It worked. I have done it before.

Because I had a working L2TP server setup on $L2TP, I was not going to
go into its pf.conf, ipsec.conf, or anything else. But here is npppd.conf:

    ike passive esp transport \
        proto udp from egress to any port 1701 \
        main auth "hmac-sha1" enc "3des" group modp1024 \
        quick auth "hmac-sha1" enc "3des" group modp1024 \
        psk "MYSECRET"

Now I want to move the machine to a new site behind a new OpenBSD firewall,
say FIRE. The difference is that now $L2TP will have an unroutable address,
say 10.200.100.200, or $L2TPI, as the IP on its external interface. It will
obviously have an external address, $L2TPX, but that will be exposed through
FIRE, the external firewall. I want to binat from $L2TPX -> $L2TPI.

So on FIRE, where we will again call the external interface $Ext, I first binat things:

        # binat is bidirectional: inbound packets for $L2TPX are rewritten to $L2TPI
        match on $Ext from $L2TPI to any binat-to $L2TPX

Because BINAT'ing is done before 'pass' rules are processed, the rules must
refer to the external interface. Just to be sure, I will ensure that I can
SSH to $L2TPI. On FIRE I have a pf.conf with

        pass in quick on $Ext inet proto tcp from any to $L2TPI port ssh\
                flags S/SA modulate state

Yes, that works. I can SSH to $L2TPX and get all the way through FIRE and
get in through the interface $L2TPI of the NPPPD server.

OK, now I need to let the other protocols through. I think I want all traffic, once it gets onto $Ext, to be allowed through to the internal network on which $L2TPI sits with its IP 10.200.100.200.

----begin snippet-1

# service names from /etc/services: isakmp 500/udp, ipsec-nat-t 4500/udp, l2tp 1701/udp
ipsecIN = "{ isakmp, ipsec-nat-t, l2tp }"

pass in quick on $Ext inet proto udp from any to $L2TPI port $ipsecIN keep state
pass in quick on $Ext inet proto esp from any to $L2TPI
pass in quick on $Ext inet proto ah from any to $L2TPI

----end snippet-1

I can see traffic destined to 10.200.100.200 coming in through the external
interface of FIRE and going out to 10.200.100.200 and then, from within this
machine, i.e. the NPPPD Server, I see traffic coming in, admittedly on port
ipsec-nat-t, i.e. 4500. But it fails.

Any suggestions on what I have done wrong or what I need to do right?

Thanks - Damian
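As an added example, not part of Damian's post, here is a complete pf.conf fragment for FIRE that puts the binat mapping and the pass rules for the L2TP/IPsec server together in one place, with the ordering caveat (binat rewrites the destination before the filter rules see the packet) spelled out in comments. The interface name em0 and the public address 203.0.113.10 are assumptions; 10.200.100.200 is the internal address from the post.

```pf
# Added example for FIRE's pf.conf (OpenBSD pf, match/binat-to syntax).
# Interface name and public address are assumed (documentation address);
# the internal address is the one from the post.
Ext   = "em0"
L2TPX = "203.0.113.10"
L2TPI = "10.200.100.200"

# Service names as in /etc/services: isakmp 500/udp, ipsec-nat-t 4500/udp,
# l2tp 1701/udp.
ipsecIN = "{ isakmp, ipsec-nat-t, l2tp }"

# binat is bidirectional and is applied before the filter rules run:
# packets arriving on $Ext for $L2TPX are rewritten to $L2TPI, and replies
# from $L2TPI leave as $L2TPX. The pass rules below therefore match on the
# internal address, never on $L2TPX.
match on $Ext from $L2TPI to any binat-to $L2TPX

# Management access used to verify the mapping.
pass in quick on $Ext inet proto tcp from any to $L2TPI port ssh \
        flags S/SA modulate state

# UDP control traffic: IKE on 500, IKE and UDP-encapsulated ESP on 4500
# once the peers detect NAT, and bare L2TP on 1701. Plaintext L2TP on 1701
# is only accepted if the server's own IPsec flows allow it; otherwise the
# server's kernel policy drops it.
pass in quick on $Ext inet proto udp from any to $L2TPI port $ipsecIN keep state

# ESP has no ports; pf tracks its state by addresses and protocol.
pass in quick on $Ext inet proto esp from any to $L2TPI

# AH is listed for completeness only: AH authenticates the IP addresses,
# so rewriting the destination with binat breaks it. Clients that sit
# behind NAT (or reach a server behind binat) use ESP with NAT-T instead.
pass in quick on $Ext inet proto ah from any to $L2TPI

# Let the server's replies out; binat maps them back to $L2TPX.
pass out quick on $Ext inet from $L2TPI to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss | grep 10.200.100.200` shows whether the udp/500, udp/4500 and esp states are actually being created on FIRE.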
