OpenBSD + IPNAT + VPN - HELP!....

Greg plug-discuss@lists.PLUG.phoenix.az.us
Sat, 28 Jul 2001 14:33:18 -0700


Hi everyone....

I am trying to set up a VPN connection from Windows (Nortel Client) through
OpenBSD (NAT/IPF) to Nortel.

It seems that I get the ISAKMP to negotiate just fine, but
when it comes to the tunnel it is a different story:

This is my setup:

| WIN  Client |-----------|Open  BSD |-----------| Nortel |


xl0 - external
xl1 - internal
x.x.x.x - Nortel
y.y.y.y  - ip on xl0
z.z.z.z - ip on host with the client
k.k.k.k - ip on xl1 - gateway
ipf.rules
=========
# for esp protocol   -  I have not specified the protocol since I allow all from this specific host
pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
pass in quick on xl1 from any to x.x.x.x/32
pass out quick on xl1 from x.x.x.x/32 to any

#---------------------      UDP ISAKMP KEY NEGOTIATION    ----------------------
pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state

ipnat.rules
===========
bimap xl0 y.y.y.y/32 -> x.x.x.x/32

External Interface TCPDUMP
07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange unknown
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52


INTERNAL INTERFACE TCPDUMP
07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange AGGRESSIVE
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange unknown
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
encrypted
cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52

07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
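
Added example, not part of the original post: a Python sketch that compares an inside and an outside tcpdump capture of a NAT gateway and reports whether ESP seen inside also appears outside, and which host answered it with ICMP host unreachable. The sample lines are constructed in the format of the captures above; the function names are hypothetical.

```python
import re

ESP = re.compile(r"^\S+ esp (\S+) > (\S+) spi (0x[0-9A-Fa-f]+) seq (\d+)")
UNREACH = re.compile(r"^\S+ (\S+) > (\S+): icmp: host (\S+) unreachable")
IKE = re.compile(r"^\S+ \S+\.500 > \S+\.500: isakmp")

# Constructed sample lines in the same format as the captures in the post.
INTERNAL = """\
07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
"""
EXTERNAL = """\
07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
"""

def summarize(capture):
    """Count IKE packets; collect ESP flows and ICMP host-unreachable errors."""
    out = {"ike": 0, "esp": [], "unreach": []}
    for line in capture.splitlines():
        if IKE.match(line):
            out["ike"] += 1
        elif m := ESP.match(line):
            out["esp"].append((m[1], m[2]))            # (src, dst)
        elif m := UNREACH.match(line):
            out["unreach"].append((m[1], m[2], m[3]))  # (reporter, notified, host)
    return out

def diagnose(internal, external):
    """Compare the inside and outside captures of the NAT gateway."""
    i, e = summarize(internal), summarize(external)
    flows = set(i["esp"])
    # Hosts that answered an inside ESP flow with "host unreachable".
    rejecters = {rep for rep, to, host in i["unreach"] if (to, host) in flows}
    return {
        "ike_both_sides": i["ike"] > 0 and e["ike"] > 0,
        "esp_inside": len(i["esp"]),
        "esp_outside": len(e["esp"]),
        "rejected_by": sorted(rejecters),
        "esp_dropped_at_gateway": bool(flows) and not e["esp"] and bool(rejecters),
    }

if __name__ == "__main__":
    print(diagnose(INTERNAL, EXTERNAL))
```

The result only states what the two captures show (IKE crosses the gateway, ESP does not); it does not say which rule is responsible.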