I suspect they have misled you and the VPN is really using IPSec. The easiest way to find out is to add a block log all rule at the top. Review the log with tcpdump and see what is being dropped.
I assume this is a typo:

> block drop in quick inet from 177.7.7..7 to any

Regards
Lloyd

Luis Mendes wrote:
> Hi,
>
> I've a corporate laptop that uses Forticlient to establish a VPN
> connection to corporate resources.
>
> When working at home, when this corporate laptop is connected through the ISP
> router, there's no problem connecting to the VPN server.
>
> Now, I'm setting up my own OpenBSD 7.7 amd64 router/firewall.
>
> Using simple NAT rules, other systems can connect fine to the Internet, also
> the corporate laptop can connect fine for everything except the VPN resources.
> When I try to connect the VPN, Forticlient 2.7.8.1140 returns:
> "a network error prevented updates from being downloaded".
>
> I asked in the community Fortinet forum about this and was told by a power
> user that:
> (https://community.fortinet.com/t5/Support-Forum/How-to-configure-home-router-firewall-to-allow-Forticlient/m-p/411072)
>
> """
> No special rule needed, except need to open the outgoing connection to the
> remote SSL VPN server IP:port (usually TCP 443 or 10443).
>
> NAT is fully supported.
> """
>
>
> Here's my router/firewall configuration:
>
> # uname -a
> OpenBSD futro2.Home 7.7 GENERIC.MP#625 amd64
>
> # sysctl -a | grep forwarding
> net.inet.ip.forwarding=1
> net.inet.ip.mforwarding=0
> net.inet6.ip6.forwarding=0
> net.inet6.ip6.mforwarding=0
>
> # dhcpd -f
> Multiple interfaces match the same subnet: em0 ure0
> Multiple interfaces match the same shared network: em0 ure0
> Listening on ure0 (192.168.1.253).
> Can't listen on re0 - dhcpd.conf has no subnet declaration for 17.7.7.7.
> Can't listen on em1 - it has no IP address.
> Listening on em0 (192.168.1.252).
> DHCPREQUEST for 192.168.1.7 from cc:....... via ure0
> DHCPACK on 192.168.1.7 to cc:....... via ure0
> DHCPREQUEST for 192.168.1.12 from 38:........... via ure0
> DHCPACK on 192.168.1.12 to 38:.......... via ure0
> DHCPINFORM from 192.168.1.12
> DHCPACK to 192.168.1.12 (38:...........) via ure0
>
> DHCPINFORM from 192.168.1.12
> DHCPACK to 192.168.1.12 (38:............) via ure0
>
> The corporate laptop receives 192.168.1.12 IP.
>
>
> # pfctl -s rules
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
> block drop in quick on egress from <martians> to any
>
> block return out quick on egress from any to <martians>
>
> pass out all flags S/SA
> pass quick on ure0 all flags S/SA
> block drop in quick on ! egress inet from 17.7.7.0/24 to any
> block drop in quick inet from 177.7.7..7 to any
> block drop in quick on ! re0 inet from 17.7.7.0/24 to any
> pass inet proto icmp all
> anchor "ftp-proxy/" all
> pass in quick inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
> anchor "relayd/" all
> pass out on re0 inet from 192.168.1.0 to any flags S/SA nat-to (re0) round-robin
> pass in log on egress proto tcp from any to (egress) port = 22 flags S/SA
> pass in on ure0 proto tcp from any to any port = 80 flags S/SA
> pass in on ure0 proto tcp from any to any port = 443 flags S/SA
> pass in log on ure0 inet proto tcp from 192.168.1.0 to any port = 5901 flags S/SA
> pass in quick on ure0 inet proto tcp from 192.168.1.0 to any port = 22104 flags S/SA
> pass in quick on ure0 inet proto udp from any port = 67 to any port = 68
> pass in quick on ure0 proto tcp from any to any port = 853 flags S/SA
> pass in quick on ure0 proto udp from any to any port = 53
> pass in quick on re0 proto tcp from any to any port = 853 flags S/SA
> pass in quick on re0 proto udp from any to any port = 53
> block return in on ! lo0 proto tcp from any to any port 6000:6010
>
>
> It seems that 'pfctl -s nat' is no longer available.
>
>
> Can you please tell me what am I missing or doing wrong?
>
> Thanks,
>
>
> Luís Mendes
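A concrete form of the diagnostic Lloyd suggests (a logging default-deny at the top of the ruleset, then reading the drops with tcpdump), written as an added example that is not part of the thread. It assumes the poster's layout as shown above: egress/re0 upstream, ure0 as the LAN, the laptop at 192.168.1.12; pflog0 is pf's standard logging interface, and the tcpdump filters in the comments only narrow the view to that one host.

```conf
# /etc/pf.conf - diagnostic fragment (added example, not the poster's file)

# First rule, no "quick": pf keeps "last matching rule wins", so every pass
# rule below still overrides this for traffic the ruleset already allows.
# Anything that reaches the end of the ruleset unmatched is now dropped AND
# copied to pflog0 with the rule number that blocked it.
block log all

# ... the poster's existing match/nat-to and pass rules follow unchanged ...

# Reload and watch only the laptop's dropped packets (run as root):
#   pfctl -f /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0 host 192.168.1.12
#
# -e prints the pf header (rule number, action, direction, interface), so each
# line shows which rule dropped the packet. To separate the SSL-VPN case the
# Fortinet answer describes from an IPsec one, filter on what IPsec needs
# (IKE on udp/500, NAT-T on udp/4500, ESP is IP protocol 50):
#   tcpdump -n -e -ttt -i pflog0 'host 192.168.1.12 and (udp port 500 or udp port 4500 or proto 50)'
# No lines there while the client fails points back at TCP 443/10443 instead.
```

Once the failing flow is identified, the temporary `block log all` can be replaced by a specific `pass` for that protocol and destination rather than left as a blanket logging rule, since logging every drop on a busy link fills /var/log/pflog quickly.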

