On Fri, 19 Sep 2025 05:56:20 +0000, Lloyd <[email protected]> wrote:

|  I suspect they have misled you and the VPN is really using IPSec.
|  
|  The easiest way to find out is add a block log all rule at the top.
|  Review the log with tcpdump and see what is being dropped.
|  
|  I assume this is a typo:
|  
|  > block drop in quick inet from 177.7.7..7 to any  
|  
|  Regards
|  Lloyd

Hi Lloyd,


If you mean the double dot, yes, it's a typo.
If you mean the rule, well, maybe it's too late already, but I don't
understand it now...


Did as suggested, here's some output of the log moments after I tried
to start the vpn.

192.168.1.12 -> internal ip of the corporate laptop
17.7.7.7 -> redacted external IP of OpenBSD router.

There are some UDP port 500 connection tries, like:
Sep 19 23:11:26.369581 rule 13/(match) block out on re0: 17.7.7.7 >
74.113.97.82: icmp: 17.7.7.7 udp port 500 unreachable

The full log, as I'm unsure what more to look for.

Sep 19 23:11:01.421666 rule 13/(match) block out on re0: 192.168.1.12.58435 > 
87.58.94.47.80: S 1274168567:1274168567(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:03.417335 rule 13/(match) block out on re0: 192.168.1.12.58438 > 
87.58.94.47.443: S 762171081:762171081(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:04.429513 rule 13/(match) block out on re0: 192.168.1.12.58438 > 
87.58.94.47.443: S 762171081:762171081(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:04.871373 rule 13/(match) block out on re0: 192.168.1.12.58439 > 
209.40.120.230.443: S 2977498682:2977498682(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:05.871335 rule 13/(match) block out on re0: 192.168.1.12.58439 > 
209.40.120.230.443: S 2977498682:2977498682(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:06.436626 rule 13/(match) block out on re0: 192.168.1.12.58438 > 
87.58.94.47.443: S 762171081:762171081(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:07.874855 rule 13/(match) block out on re0: 192.168.1.12.58439 > 
209.40.120.230.443: S 2977498682:2977498682(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:09.527287 rule 13/(match) block out on re0: 17.7.7.7.9283 > 
207.90.244.15.26200: R 0:0(0) ack 398355222 win 0 (DF)
Sep 19 23:11:10.089836 rule 13/(match) block out on re0: 192.168.1.12.58440 > 
209.40.120.230.443: S 3344990548:3344990548(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:11.090330 rule 13/(match) block out on re0: 192.168.1.12.58440 > 
209.40.120.230.443: S 3344990548:3344990548(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:13.100224 rule 13/(match) block out on re0: 192.168.1.12.58440 > 
209.40.120.230.443: S 3344990548:3344990548(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:15.092584 rule 13/(match) block out on re0: 192.168.1.12.58442 > 
87.58.94.47.443: S 113204082:113204082(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:15.203784 rule 13/(match) block out on re0: 192.168.1.12.58443 > 
87.58.94.47.80: S 2498859321:2498859321(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:15.314849 rule 13/(match) block out on re0: 192.168.1.12.58444 > 
87.58.94.47.8080: S 1881612648:1881612648(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:16.106249 rule 13/(match) block out on re0: 192.168.1.12.58442 > 
87.58.94.47.443: S 113204082:113204082(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:16.207182 rule 13/(match) block out on re0: 192.168.1.12.58443 > 
87.58.94.47.80: S 2498859321:2498859321(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:16.318743 rule 13/(match) block out on re0: 192.168.1.12.58444 > 
87.58.94.47.8080: S 1881612648:1881612648(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:17.104652 rule 13/(match) block out on re0: 192.168.1.12.58440 > 
209.40.120.230.443: S 3344990548:3344990548(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:18.109769 rule 13/(match) block out on re0: 192.168.1.12.58442 > 
87.58.94.47.443: S 113204082:113204082(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:18.221419 rule 13/(match) block out on re0: 192.168.1.12.58443 > 
87.58.94.47.80: S 2498859321:2498859321(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:18.323919 rule 13/(match) block out on re0: 192.168.1.12.58444 > 
87.58.94.47.8080: S 1881612648:1881612648(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:18.454722 rule 13/(match) block out on re0: 192.168.1.12.58447 > 
87.58.94.47.80: S 1191420229:1191420229(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:19.459313 rule 13/(match) block out on re0: 192.168.1.12.58447 > 
87.58.94.47.80: S 1191420229:1191420229(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:21.133015 rule 13/(match) block out on re0: 17.7.7.7.110 > 
77.110.113.84.48947: R 0:0(0) ack 3477221667 win 0 (DF)
Sep 19 23:11:21.463963 rule 13/(match) block out on re0: 192.168.1.12.58447 > 
87.58.94.47.80: S 1191420229:1191420229(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:23.485669 rule 13/(match) block out on re0: 192.168.1.12.58449 > 
87.58.94.47.443: S 980000003:980000003(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:24.498820 rule 13/(match) block out on re0: 192.168.1.12.58449 > 
87.58.94.47.443: S 980000003:980000003(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:24.544807 rule 13/(match) block out on re0: 17.7.7.7.9250 > 
147.185.133.155.50439: R 0:0(0) ack 3612006274 win 0 (DF)
Sep 19 23:11:25.115828 rule 13/(match) block out on re0: 192.168.1.12.58440 > 
209.40.120.230.443: S 3344990548:3344990548(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:25.794422 rule 13/(match) block out on re0: 17.7.7.7.15443 > 
178.22.24.64.51769: R 0:0(0) ack 1491744126 win 0 (DF)
Sep 19 23:11:26.369581 rule 13/(match) block out on re0: 17.7.7.7 > 
74.113.97.82: icmp: 17.7.7.7 udp port 500 unreachable
Sep 19 23:11:26.499460 rule 13/(match) block out on re0: 192.168.1.12.58449 > 
87.58.94.47.443: S 980000003:980000003(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:29.233265 rule 13/(match) block out on re0: 17.7.7.7.4369 > 
115.231.78.11.8916: R 0:0(0) ack 3421493241 win 0 (DF)
Sep 19 23:11:29.854906 rule 13/(match) block out on re0: 192.168.1.12.49410 > 
4.207.247.139.443: S 2978721415:2978721415(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:30.286818 rule 13/(match) block out on re0: 192.168.1.12.58451 > 
209.40.120.230.443: S 1864557060:1864557060(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:31.115650 rule 13/(match) block out on re0: 192.168.1.12.49410 > 
4.207.247.139.443: S 2978721415:2978721415(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:31.297293 rule 13/(match) block out on re0: 192.168.1.12.58451 > 
209.40.120.230.443: S 1864557060:1864557060(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:33.301732 rule 13/(match) block out on re0: 192.168.1.12.58451 > 
209.40.120.230.443: S 1864557060:1864557060(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:33.616344 rule 13/(match) block out on re0: 192.168.1.12.49410 > 
4.207.247.139.443: S 2978721415:2978721415(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:35.111949 rule 13/(match) block out on re0: 17.7.7.7.44485 > 
79.124.62.134.56640: R 0:0(0) ack 628483767 win 0 (DF)
Sep 19 23:11:37.306006 rule 13/(match) block out on re0: 192.168.1.12.58451 > 
209.40.120.230.443: S 1864557060:1864557060(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:38.512976 rule 13/(match) block out on re0: 192.168.1.12.58455 > 
87.58.94.47.80: S 3581200576:3581200576(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:39.504689 rule 13/(match) block out on re0: 192.168.1.12.58455 > 
87.58.94.47.80: S 3581200576:3581200576(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:40.821118 rule 13/(match) block out on re0: 17.7.7.7.2404 > 
193.163.125.136.43104: R 0:0(0) ack 3164082250 win 0 (DF)
Sep 19 23:11:41.516003 rule 13/(match) block out on re0: 192.168.1.12.58455 > 
87.58.94.47.80: S 3581200576:3581200576(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:42.688822 rule 13/(match) block out on re0: 17.7.7.7.500 > 
115.231.78.11.22323: R 0:0(0) ack 3822565385 win 0 (DF)
Sep 19 23:11:43.040068 rule 13/(match) block out on re0: 17.7.7.7.20170 > 
45.142.193.51.55933: R 0:0(0) ack 3921693959 win 0 (DF)
Sep 19 23:11:43.526408 rule 13/(match) block out on re0: 192.168.1.12.58458 > 
87.58.94.47.443: S 1955036700:1955036700(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:44.539340 rule 13/(match) block out on re0: 192.168.1.12.58458 > 
87.58.94.47.443: S 1955036700:1955036700(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:45.306262 rule 13/(match) block out on re0: 192.168.1.12.58451 > 
209.40.120.230.443: S 1864557060:1864557060(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:45.781200 rule 13/(match) block out on re0: 17.7.7.7.12646 > 
79.124.62.126.59602: R 0:0(0) ack 818879394 win 0 (DF)
Sep 19 23:11:46.539984 rule 13/(match) block out on re0: 192.168.1.12.58458 > 
87.58.94.47.443: S 1955036700:1955036700(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:50.251415 rule 13/(match) block out on re0: 17.7.7.7.23 > 
183.107.20.84.31053: R 0:0(0) ack 2957989229 win 0 (DF)
Sep 19 23:11:50.492720 rule 13/(match) block out on re0: 192.168.1.12.58459 > 
209.40.120.230.443: S 3522183348:3522183348(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:51.507511 rule 13/(match) block out on re0: 192.168.1.12.58459 > 
209.40.120.230.443: S 3522183348:3522183348(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:53.507538 rule 13/(match) block out on re0: 192.168.1.12.58459 > 
209.40.120.230.443: S 3522183348:3522183348(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:57.474931 rule 13/(match) block out on re0:
192.168.1.12.58460 > 87.58.94.47.443: 



So, what is wrong or missing?  A pass out rule for UDP as is for TCP?

I've already tried three new rules:
pass in on $ext_if inet proto udp from any port { 500, 4500 }  #StrongSwan
pass in on $ext_if inet proto esp from any to any          #Allow ESP
pass in on $ext_if inet proto ah from any to any            #Allow AH

but no success, yet.

Thank you, 


Luís Mendes

|  
|  Luis Mendes wrote:
|  
|  > Hi,
|  > 
|  > I've a corporate laptop that uses Forticlient to establish a VPN
|  > connection to corporate resources.
|  > 
|  > When working at home, when this corporate laptop is connected through the ISP
|  > router, there's no problem connecting to the VPN server.
|  > 
|  > Now, I'm setting up my own OpenBSD 7.7 amd64 router/firewall.
|  > 
|  > Using simple NAT rules, other systems can connect fine to the Internet, also the corporate
|  > laptop can connect fine for everything except the VPN resources.
|  > When I try to connect the VPN, Forticlient 2.7.8.1140 returns:
|  > "a network error prevented updates from being downloaded".
|  > 
|  > I asked in the community Fortinet forum about this and was told by a power user that:
|  > (https://community.fortinet.com/t5/Support-Forum/How-to-configure-home-router-firewall-to-allow-Forticlient/m-p/411072)
|  > 
|  > """
|  > No special rule needed, except need to open the outgoing connection to the remote SSL VPN server IP:port (usually TCP 443 or 10443).
|  > 
|  > NAT is fully supported.
|  > """
|  > 
|  > 
|  > Here's my router/firewall configuration:
|  > 
|  > # uname -a
|  > OpenBSD futro2.Home 7.7 GENERIC.MP#625 amd64
|  > 
|  > # sysctl -a | grep forwarding
|  > net.inet.ip.forwarding=1
|  > net.inet.ip.mforwarding=0
|  > net.inet6.ip6.forwarding=0
|  > net.inet6.ip6.mforwarding=0
|  > 
|  > # dhcpd -f
|  > Multiple interfaces match the same subnet: em0 ure0
|  > Multiple interfaces match the same shared network: em0 ure0
|  > Listening on ure0 (192.168.1.253).
|  > Can't listen on re0 - dhcpd.conf has no subnet declaration for 17.7.7.7.
|  > Can't listen on em1 - it has no IP address.
|  > Listening on em0 (192.168.1.252).
|  > DHCPREQUEST for 192.168.1.7 from cc:....... via ure0
|  > DHCPACK on 192.168.1.7 to cc:....... via ure0
|  > DHCPREQUEST for 192.168.1.12 from 38:........... via ure0
|  > DHCPACK on 192.168.1.12 to 38:.......... via ure0
|  > DHCPINFORM from 192.168.1.12
|  > DHCPACK to 192.168.1.12 (38:...........) via ure0
|  > 
|  > DHCPINFORM from 192.168.1.12
|  > DHCPACK to 192.168.1.12 (38:............) via ure0
|  > 
|  > The corporate laptop receives 192.168.1.12 IP.
|  > 
|  > 
|  > # pfctl -s rules
|  > match in all scrub (no-df random-id max-mss 1440)
|  > match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
|  > block drop in quick on egress from <martians> to any
|  > 
|  > block return out quick on egress from any to <martians>
|  > 
|  > pass out all flags S/SA
|  > pass quick on ure0 all flags S/SA
|  > block drop in quick on ! egress inet from 17.7.7.0/24 to any
|  > block drop in quick inet from 177.7.7..7 to any
|  > block drop in quick on ! re0 inet from 17.7.7.0/24 to any
|  > pass inet proto icmp all
|  > anchor "ftp-proxy/" all
|  > pass in quick inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
|  > anchor "relayd/" all
|  > pass out on re0 inet from 192.168.1.0 to any flags S/SA nat-to (re0) round-robin
|  > pass in log on egress proto tcp from any to (egress) port = 22 flags S/SA
|  > pass in on ure0 proto tcp from any to any port = 80 flags S/SA
|  > pass in on ure0 proto tcp from any to any port = 443 flags S/SA
|  > pass in log on ure0 inet proto tcp from 192.168.1.0 to any port = 5901 flags S/SA
|  > pass in quick on ure0 inet proto tcp from 192.168.1.0 to any port = 22104 flags S/SA
|  > pass in quick on ure0 inet proto udp from any port = 67 to any port = 68
|  > pass in quick on ure0 proto tcp from any to any port = 853 flags S/SA
|  > pass in quick on ure0 proto udp from any to any port = 53
|  > pass in quick on re0 proto tcp from any to any port = 853 flags S/SA
|  > pass in quick on re0 proto udp from any to any port = 53
|  > block return in on ! lo0 proto tcp from any to any port 6000:6010
|  > 
|  > 
|  > It seems that 'pfctl -s nat' is no longer available.
|  > 
|  > 
|  > Can you please tell me what I am missing or doing wrong?
|  > 
|  > Thanks,
|  > 
|  > 
|  > Luís Mendes  
|  
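An added helper, not from the thread, for reading pflog output of the kind pasted in the message above: it re-joins entries that the mail client wrapped across lines, parses each into rule number, action, direction, interface, endpoints and packet type, and tallies them so the flows a single block rule is dropping can be separated from unrelated noise such as the RSTs and ICMP errors. The sample log is constructed in the same shape as the thread's lines.

```python
import re
from collections import Counter
# Constructed sample in the shape of the thread's tcpdump pflog output, mail wrapping included.
SAMPLE_LOG = """\
Sep 19 23:11:01.421666 rule 13/(match) block out on re0: 192.168.1.12.58435 > 
87.58.94.47.80: S 1274168567:1274168567(0) win 65535 <mss 1440,nop,wscale 
8,nop,nop,sackOK>
Sep 19 23:11:09.527287 rule 13/(match) block out on re0: 17.7.7.7.9283 > 
207.90.244.15.26200: R 0:0(0) ack 398355222 win 0 (DF)
Sep 19 23:11:26.369581 rule 13/(match) block out on re0: 17.7.7.7 > 
74.113.97.82: icmp: 17.7.7.7 udp port 500 unreachable
"""

ENTRY = re.compile(r"^\S+ +\d+ \S+ rule (?P<rule>\d+)/\(\w+\) (?P<action>\w+) (?P<dir>in|out) "
                   r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def unwrap(text):
    """Re-join wrapped entries: a line without a leading 'Mon DD HH:MM' continues the previous one."""
    entries = []
    for line in text.splitlines():
        if re.match(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d", line):
            entries.append(line.strip())
        elif entries:
            entries[-1] += " " + line.strip()
    return entries

def endpoint(ep):
    """tcpdump prints 'addr.port' for TCP/UDP but a bare 'addr' for ICMP."""
    parts = ep.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (ep, None)

def kind(rest):
    """Classify the packet summary: ICMP error, TCP SYN, TCP RST or other."""
    if rest.startswith("icmp:"):
        return "icmp"
    return {"S": "tcp-syn", "R": "tcp-rst"}.get(rest.split(" ", 1)[0], "other")

def parse(text):
    """One tuple per entry: (rule, action, dir, iface, src, dst, dport, kind)."""
    out = []
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        (src, _), (dst, dport) = endpoint(m["src"]), endpoint(m["dst"])
        out.append((int(m["rule"]), m["action"], m["dir"], m["iface"],
                    src, dst, dport, kind(m["rest"])))
    return out

def summarize(records):
    """Count per (rule, action, dir, iface, src, dport, kind) so the dominant blocked flow stands out."""
    return Counter((r[0], r[1], r[2], r[3], r[4], r[6], r[7]) for r in records)
```

Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or a pasted log like the one above) and `summarize(parse(text)).most_common()` lists which rule, interface and destination port account for most of the drops.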
