OpenBSD + IPNAT + VPN - HELP!....

Ian Cartwright plug-discuss@lists.PLUG.phoenix.az.us
Mon, 30 Jul 2001 11:16:13 -0700


I am running IPfilter on FreeBSD with my Nortel Client on a PC behind it.
There is a patch available on the internet here:
http://www.cs.ndsu.nodak.edu/~davlarso/ipf/. It works great for me, and it
appears to work with versions of IPfilter later than 3.4.14 (as specified on
the page).

Hope this helps!

Ian

> -----Original Message-----
> From: owner-ipfilter@coombs.anu.edu.au
> [mailto:owner-ipfilter@coombs.anu.edu.au]On Behalf Of Furmanek, Greg
> Sent: Monday, July 30, 2001 8:56 AM
> To: 'Jurgen Kobierczynski'; Furmanek, Greg; PLUG (E-mail); IP Filter
> Mail List (E-mail); 'misc@openbsd.org'
> Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
>
>
> How can I configure "simple redirection"?
>
>
> How can I configure the virtual interface "enc0"?
> (I just hope you are not suggesting connecting
> OpenBSD to the Nortel tunnel.  The network guys will not
> configure the Nortel to allow anything else but
> the Nortel client - "kind of proprietary authentication"
> to log in.)
>
> I was considering converting my firewall to Linux/IPtables
> but first I want to see if there is a way of configuring
> the ipf.  BTW I kind of like the ease of configuring
> ipf.  (I have not tried iptables, but ipchains was kind
> of confusing).
>
> > -----Original Message-----
> > From: Jurgen Kobierczynski [mailto:JKobierczynski@sdlintl.com]
> > Sent: Monday, July 30, 2001 8:40 AM
> > To: 'Furmanek, Greg'; PLUG (E-mail); IP Filter Mail List (E-mail);
> > 'misc@openbsd.org'
> > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> >
> >
> > There is no NAT support for the ESP packets as far as I know.
> > IPSec was not designed for use within a NAT/Masquerading setup,
> > but I know that Linux IPTables has a VPN-Masquerading feature;
> > check the VPN-Masquerading for Linux documentation for more
> > details on these issues with VPN Masquerading. There is the
> > problem that the SPI assignment to hosts is encrypted, so the
> > firewall can only assign these connections as best as possible
> > by "capturing" the creation of each connection. Also, key renewal
> > changes SPI numbers, so it won't work perfectly.
> >
> > But this isn't possible in IPF (yet?), as far as I know, though a
> > simple redirection of the ESP packets to one particular host
> > should be possible. (Not tried yet, btw.)
> >
> > Also, I know from my latest setup that there was a virtual
> > interface "enc0"
> > defined, and that I had to define rules for it.
> >
> > Jurgen
> >
> > -----Original Message-----
> > From: Furmanek, Greg [mailto:Greg.Furmanek@hit.cendant.com]
> > Sent: Monday, 30 July 2001 16:46
> > To: PLUG (E-mail); IP Filter Mail List (E-mail); 'misc@openbsd.org'
> > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> >
> >
> > Can anyone help with this one?
> >
> > I have looked online for some info, but
> > it seems that everything I have tried did not
> > work.
> >
> > Why is "esp" not forwarded?
> >
> > Any suggestions would be appreciated.
> >
> > Greg
> >
> >
> > > -----Original Message-----
> > > From: Greg [mailto:codewolf@earthlink.net]
> > > Sent: Saturday, July 28, 2001 4:55 PM
> > > To: misc@openbsd.org
> > > Subject: Fw: OpenBSD + IPNAT + VPN - HELP!....
> > >
> > >
> > > Hi everyone....
> > >
> > > I am trying to set up a VPN connection from Windows (Nortel
> > > Client) through OpenBSD (NAT/IPF) to Nortel.
> > >
> > > It seems that I get ISAKMP to negotiate just fine, but
> > > when it comes to the tunnel it is a different story.
> > >
> > > This is my setup:
> > >
> > > | WIN  Client |-----------|Open  BSD |-----------| Nortel |
> > >
> > >
> > > xl0 - external
> > > xl1 - internal
> > > x.x.x.x - Nortel
> > > y.y.y.y  - ip on xl0
> > > z.z.z.z - ip on host with the client
> > > k.k.k.k - ip on xl1 - gateway
> > > ipf.rules
> > > =========
> > > # for esp protocol - I have not specified the protocol since I allow
> > > # all traffic from this specific host
> > > pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
> > > pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
> > > pass in quick on xl1 from any to x.x.x.x/32
> > > pass out quick on xl1 from x.x.x.x/32 to any
> > >
> > > #---------------------   UDP ISAKMP KEY NEGOTIATION   ----------------------
> > > pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state
> > >
> > > ipnat.rules
> > > ===========
> > > bimap xl0 y.y.y.y/32 -> x.x.x.x/32
> > >
> > > External Interface TCPDUMP
> > > 07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > > 07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > > 07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > > 07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > > 07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > > 07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > > 07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0
> > > exchange unknown
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > > 07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0
> > > exchange unknown
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > > 07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0
> > > exchange QUICK_MODE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > > 07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0
> > > exchange QUICK_MODE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > > 07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0
> > > exchange QUICK_MODE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > >
> > >
> > > INTERNAL INTERFACE TCPDUMP
> > > 07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
> > > 07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > > 07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > > 07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > > 07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > > 07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > > 07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0
> > > exchange AGGRESSIVE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > > 07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0
> > > exchange unknown
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > > 07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0
> > > exchange unknown
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > > 07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0
> > > exchange QUICK_MODE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > > 07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0
> > > exchange QUICK_MODE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > > 07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0
> > > exchange QUICK_MODE
> > > encrypted
> > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > >
> > > 07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
> > > 07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > 07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
> > > 07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > 07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
> > > 07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > 07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
> > > 07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
> > > 07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > 07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > >
> >
> >
> > "The sender believes that this E-mail and any attachments
> > were free of any
> > virus, worm, Trojan horse, and/or malicious code when sent.
> > This message
> > and its attachments could have been infected during transmission.  By
> > reading the message and opening any attachments, the
> > recipient accepts full
> > responsibility for taking protective and remedial action
> > about viruses and
> > other defects.  The sender's employer is not liable for any
> > loss or damage
> > arising in any way from this message or its attachments."
> >
>
>
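An added example, not part of any message in this thread: the thread turns on the fact that ESP carries only an SPI and a sequence number in the clear, no port numbers, so an ordinary port-based NAT has nothing to multiplex on, and that the inbound SPI is agreed inside the encrypted Quick Mode exchange visible in the dumps above. The Python below parses IPv4/ESP packets down to those two fields and implements the "capture the creation of each connection" heuristic Jurgen describes, including the two cases where it fails (two inside hosts talking to the same peer, and a rekey that brings a new SPI). Addresses, SPIs and packets are constructed for the example; the EspNat class is a toy model written for this page, not ipnat, pf, or the Linux VPN-masquerade code. The practical caveat for anyone hitting this today is IPsec NAT-Traversal (ESP in UDP on port 4500), which exists precisely because of this problem, provided both the client and the gateway support it.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPPROTO_ESP = 50  # IANA protocol number for ESP


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int  # Security Parameter Index: first 4 bytes of the ESP header
    seq: int  # ESP sequence number: next 4 bytes; the rest is ciphertext


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_ipv4_esp(src: str, dst: str, spi: int, seq: int,
                   payload: bytes = b"\x00" * 16) -> bytes:
    """Construct an IPv4 packet carrying an ESP header (test data only:
    the IP checksum is left at zero and the ESP payload is dummy bytes)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_ESP, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return ip_hdr + struct.pack("!II", spi, seq) + payload


def parse_ipv4_esp(raw: bytes) -> EspPacket:
    """Extract the only fields a NAT can see in ESP: addresses, SPI, seq.
    There are no ports, so a port-based NAT such as ipnat map/bimap has
    nothing to rewrite and nothing to track per inside host."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != IPPROTO_ESP:
        raise ValueError("not ESP (IP protocol %d)" % raw[9])
    if len(raw) < ihl + 8:
        raise ValueError("truncated ESP header")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    spi, seq = struct.unpack("!II", raw[ihl:ihl + 8])
    return EspPacket(src, dst, spi, seq)


class EspNat:
    """Toy SPI-tracking NAT (hypothetical model, not a real implementation).
    Outbound: (peer, outbound SPI) -> inside host, learned from the packet.
    Inbound: the peer's SPI was chosen inside encrypted Quick Mode, so the
    first inbound packet with an unknown SPI is bound to the single inside
    host still waiting on that peer. Two hosts waiting is ambiguous and a
    rekey (new SPI, nobody waiting) is unknown; both are dropped here."""

    def __init__(self, external_ip: str) -> None:
        self.external_ip = external_ip
        self.outbound: Dict[Tuple[str, int], str] = {}  # (peer, spi) -> host
        self.inbound: Dict[Tuple[str, int], str] = {}   # (peer, spi) -> host
        self.pending: Dict[str, List[str]] = {}         # peer -> waiting hosts

    def translate_outbound(self, pkt: EspPacket) -> EspPacket:
        key = (pkt.dst, pkt.spi)
        if key not in self.outbound:
            self.outbound[key] = pkt.src
            waiting = self.pending.setdefault(pkt.dst, [])
            if pkt.src not in waiting:
                waiting.append(pkt.src)
        # Only the source address is rewritten; SPI and seq are left alone
        # because the ESP integrity check covers them.
        return EspPacket(self.external_ip, pkt.dst, pkt.spi, pkt.seq)

    def translate_inbound(self, pkt: EspPacket) -> Optional[EspPacket]:
        key = (pkt.src, pkt.spi)
        host = self.inbound.get(key)
        if host is None:
            waiting = self.pending.get(pkt.src, [])
            if len(waiting) != 1:
                return None  # unsolicited, post-rekey, or ambiguous: drop
            host = waiting.pop()
            self.inbound[key] = host
        return EspPacket(pkt.src, host, pkt.spi, pkt.seq)


def demo() -> List[Optional[str]]:
    """Replay the thread's scenario with constructed packets: inside client
    (z) -> gateway (y) -> peer (x), then the peer replies with an SPI the
    NAT never saw, then rekeys. Returns [translated src, reply dst, rekey dst]."""
    nat = EspNat("198.51.100.1")                            # y.y.y.y
    out = parse_ipv4_esp(build_ipv4_esp("192.168.1.10",     # z.z.z.z
                                        "203.0.113.5",      # x.x.x.x
                                        0x00202AD8, 1))     # SPI from the dump
    translated = nat.translate_outbound(out)
    reply = nat.translate_inbound(EspPacket("203.0.113.5", "198.51.100.1", 0xABCD, 1))
    rekey = nat.translate_inbound(EspPacket("203.0.113.5", "198.51.100.1", 0xBEEF, 1))
    return [translated.src, reply.dst if reply else None, rekey.dst if rekey else None]


if __name__ == "__main__":
    print(demo())
```

The third element of demo() is the rekey failure: after the peer installs a fresh inbound SPI, no inside host is "waiting" any more, so the heuristic has nothing to bind it to and the packet is dropped until the client initiates again. With a second inside client to the same peer, the pending list has two entries and the first unknown inbound SPI is equally ambiguous.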