I do not think this patch will work for me. I have looked at the structure of ipf in FreeBSD and OpenBSD and it looks like they have changed quite a bit.

Greg

----- Original Message -----
From: Ian Cartwright
To: Furmanek, Greg ; 'Jurgen Kobierczynski' ; PLUG (E-mail) ; IP Filter Mail List (E-mail) ;
Sent: Monday, July 30, 2001 11:16 AM
Subject: RE: OpenBSD + IPNAT + VPN - HELP!....

> I am running IPfilter on FreeBSD with my Nortel Client on a PC behind it.
> There is a patch available on the internet here:
> http://www.cs.ndsu.nodak.edu/~davlarso/ipf/. It works great for me, and it
> appears to work with versions of IPfilter later than 3.4.14 (as specified on
> the page).
>
> Hope this helps!
>
> Ian
>
> > -----Original Message-----
> > From: owner-ipfilter@coombs.anu.edu.au
> > [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Furmanek, Greg
> > Sent: Monday, July 30, 2001 8:56 AM
> > To: 'Jurgen Kobierczynski'; Furmanek, Greg; PLUG (E-mail); IP Filter
> > Mail List (E-mail); 'misc@openbsd.org'
> > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> >
> > How can I configure "simple redirection"?
> >
> > How can I configure the virtual interface "enc0"?
> > (I just hope you are not suggesting connecting
> > OpenBSD to the Nortel tunnel. The network guys will not
> > configure the Nortel to allow anything else but
> > the Nortel client - "kind of proprietary authentication"
> > to log in.)
> >
> > I was considering converting my firewall to Linux/IPtables
> > but first I want to see if there is a way of configuring
> > the ipf. BTW I kind of like the ease of configuring
> > ipf. (I have not tried iptables, but ipchains was kind
> > of confusing).
> >
> > > -----Original Message-----
> > > From: Jurgen Kobierczynski [mailto:JKobierczynski@sdlintl.com]
> > > Sent: Monday, July 30, 2001 8:40 AM
> > > To: 'Furmanek, Greg'; PLUG (E-mail); IP Filter Mail List (E-mail);
> > > 'misc@openbsd.org'
> > > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> > >
> > > There is no NAT support for the ESP packets as far as I know it. IPSec was
> > > not designed for use within NAT/Masquerading, but I know that Linux
> > > IPTables has a VPN-Masquerading feature; check the VPN-Masquerading for Linux
> > > page for more details on these issues with VPN Masquerading. There is the problem
> > > that the SPI assignment to hosts is encrypted, so the firewall can only
> > > assign these connections as best as possible by "capturing" the creation of
> > > each connection. Also key renewal changes SPI numbers, so it won't work
> > > perfectly.
> > >
> > > But this isn't possible in IPF (yet?), as far as I know, but a simple redirection
> > > of the ESP packets to one particular host should be possible. (Not tried
> > > yet, btw.)
> > >
> > > Also, I know from my latest setup that there was a virtual interface "enc0"
> > > defined, and that I had to define rules for it.
> > >
> > > Jurgen
> > >
> > > -----Original Message-----
> > > From: Furmanek, Greg [mailto:Greg.Furmanek@hit.cendant.com]
> > > Sent: Monday, 30 July 2001 16:46
> > > To: PLUG (E-mail); IP Filter Mail List (E-mail); 'misc@openbsd.org'
> > > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> > >
> > > Can anyone help with this one?
> > >
> > > I have looked online for some info but
> > > it seems that everything I have tried did not
> > > work.
> > >
> > > Why is "esp" not forwarded?
> > >
> > > Any suggestions would be appreciated.
> > >
> > > Greg
> > >
> > > > -----Original Message-----
> > > > From: Greg [mailto:codewolf@earthlink.net]
> > > > Sent: Saturday, July 28, 2001 4:55 PM
> > > > To: misc@openbsd.org
> > > > Subject: Fw: OpenBSD + IPNAT + VPN - HELP!....
> > > >
> > > > Hi everyone....
> > > >
> > > > I am trying to set up a VPN connection from Windows (Nortel Client) through
> > > > OpenBSD (NAT/IPF) to Nortel.
> > > >
> > > > It seems that I get the ISAKMP to negotiate just fine but
> > > > when it comes to the tunnel it is a different story:
> > > >
> > > > This is my setup:
> > > >
> > > > | WIN Client |-----------|Open BSD |-----------| Nortel |
> > > >
> > > > xl0 - external
> > > > xl1 - internal
> > > > x.x.x.x - Nortel
> > > > y.y.y.y - ip on xl0
> > > > z.z.z.z - ip on host with the client
> > > > k.k.k.k - ip on xl1 - gateway
> > > >
> > > > ipf.rules
> > > > =========
> > > > # for esp protocol - I have not specified the protocol since I allow all from this specific host
> > > > pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
> > > > pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
> > > > pass in quick on xl1 from any to x.x.x.x/32
> > > > pass out quick on xl1 from x.x.x.x/32 to any
> > > >
> > > > #--------------------- UDP ISAKMP KEY NEGOTIATION ----------------------
> > > > pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state
> > > >
> > > > ipnat.rules
> > > > ===========
> > > > bimap xl0 y.y.y.y/32 -> x.x.x.x/32
> > > >
> > > > External Interface TCPDUMP
> > > > 07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > > > 07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > > > 07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > > > 07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > > > 07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > > > 07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > > > 07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > > > 07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > > > 07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > > > 07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > > > 07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > > >
> > > > INTERNAL INTERFACE TCPDUMP
> > > > 07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
> > > > 07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > > > 07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > > > 07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > > > 07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > > > 07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > > > 07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > > > 07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > > > 07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > > > 07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > > > 07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > > > 07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > > >
> > > > 07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
> > > > 07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
> > > > 07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
> > > > 07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
> > > > 07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
> > > > 07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > >
> > > "The sender believes
> > > that this E-mail and any attachments were free of any
> > > virus, worm, Trojan horse, and/or malicious code when sent. This message
> > > and its attachments could have been infected during transmission. By
> > > reading the message and opening any attachments, the recipient accepts full
> > > responsibility for taking protective and remedial action about viruses and
> > > other defects. The sender's employer is not liable for any loss or damage
> > > arising in any way from this message or its attachments."
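Jurgen's explanation above (ESP has no NAT support; the SPI assignment is hidden inside the encrypted exchange, so a firewall can at best "capture" the creation of each connection; key renewal changes the SPIs, so it won't work perfectly) can be made concrete with a small simulation. The following is an added example written for this page, not code from the thread, from IPFilter, or from Linux's VPN-masquerading patch: it parses tcpdump ESP lines of the shape Greg posted and models a NAT that binds inbound SPIs to internal hosts by that capture heuristic. The addresses, SPIs and timestamps in `SAMPLE_TRACE` are constructed, and `SpiTrackingNat`, `run_trace` and the prefix-match notion of "internal" are simplifications of mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One tcpdump ESP line, in the same shape as the ones in the thread, e.g.
#   07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) esp (?P<src>\S+) > (?P<dst>\S+) "
    r"spi 0x(?P<spi>[0-9A-Fa-f]+) seq (?P<seq>\d+) len (?P<len>\d+)$"
)


@dataclass(frozen=True)
class EspPacket:
    ts: str
    src: str
    dst: str
    spi: int
    seq: int
    length: int


def parse_esp_line(line: str) -> Optional[EspPacket]:
    """Parse a tcpdump ESP line; ISAKMP, ICMP and other lines yield None."""
    m = ESP_LINE.match(line.strip())
    if m is None:
        return None
    return EspPacket(m["ts"], m["src"], m["dst"], int(m["spi"], 16),
                     int(m["seq"]), int(m["len"]))


class SpiTrackingNat:
    """Toy model (hypothetical, not IPFilter code) of ESP NAT by SPI capture.

    ESP carries no port numbers, so the only per-flow identifier a NAT box can
    see is the SPI.  The SPI the peer will use towards us is agreed inside the
    encrypted quick mode exchange, so the NAT cannot read it; it can only guess
    that the first inbound packet with an unknown SPI belongs to whichever
    internal host most recently opened a new outbound SA to that peer.
    """

    def __init__(self, internal_prefix: str):
        self.internal_prefix = internal_prefix          # constructed, e.g. "10.0.0."
        self.out_spi: Dict[Tuple[str, int], str] = {}   # (peer, spi) -> host
        self.in_spi: Dict[Tuple[str, int], str] = {}    # (peer, spi) -> host
        self.pending: Dict[str, str] = {}               # peer -> host with a fresh outbound SA

    def translate(self, pkt: EspPacket) -> Tuple[str, Optional[str]]:
        """Return ('out' | 'in' | 'drop', internal host) for one ESP packet."""
        if pkt.src.startswith(self.internal_prefix):
            key = (pkt.dst, pkt.spi)
            if key not in self.out_spi:                 # first packet of a new outbound SA
                self.out_spi[key] = pkt.src
                self.pending[pkt.dst] = pkt.src         # expect the peer's reply SA next
            return "out", self.out_spi[key]
        key = (pkt.src, pkt.spi)
        host = self.in_spi.get(key)
        if host is None:
            host = self.pending.pop(pkt.src, None)      # the capture heuristic
            if host is None:
                return "drop", None                     # unknown SPI, nothing to bind it to
            self.in_spi[key] = host
        return "in", host


def run_trace(lines: List[str], internal_prefix: str = "10.0.0.") -> List[Tuple[str, str, Optional[str]]]:
    """Feed a tcpdump trace through the NAT model; non-ESP lines are ignored."""
    nat = SpiTrackingNat(internal_prefix)
    results = []
    for line in lines:
        pkt = parse_esp_line(line)
        if pkt is not None:
            action, host = nat.translate(pkt)
            results.append((pkt.ts, action, host))
    return results


# Constructed trace using RFC 5737 documentation addresses: 10.0.0.5 and
# 10.0.0.6 sit behind the NAT, 203.0.113.1 is the remote gateway and
# 198.51.100.2 is the NAT's external address.  Not captured from any network.
SAMPLE_TRACE = [
    "07:43:28.759525 esp 10.0.0.5 > 203.0.113.1 spi 0x00202AD8 seq 1 len 84",
    "07:43:28.759747 10.0.0.1 > 10.0.0.5: icmp: host 203.0.113.1 unreachable",
    "07:43:28.900000 esp 203.0.113.1 > 198.51.100.2 spi 0x0A1B2C3D seq 1 len 84",
    "07:43:29.000000 esp 203.0.113.1 > 198.51.100.2 spi 0x0A1B2C3D seq 2 len 60",
    # rekey: the peer's new SPI arrives before the host has sent under its new SA
    "07:50:00.000000 esp 203.0.113.1 > 198.51.100.2 spi 0x0B0B0B0B seq 1 len 84",
    "07:50:00.100000 esp 10.0.0.5 > 203.0.113.1 spi 0x00303030 seq 1 len 84",
    "07:50:00.200000 esp 203.0.113.1 > 198.51.100.2 spi 0x0B0B0B0B seq 2 len 60",
    # two hosts open SAs to the same peer almost at once; the guess is ambiguous
    "07:55:00.000000 esp 10.0.0.5 > 203.0.113.1 spi 0x00404040 seq 1 len 84",
    "07:55:00.010000 esp 10.0.0.6 > 203.0.113.1 spi 0x00505050 seq 1 len 84",
    "07:55:00.050000 esp 203.0.113.1 > 198.51.100.2 spi 0x0C0C0C0C seq 1 len 84",
    "07:55:00.060000 esp 203.0.113.1 > 198.51.100.2 spi 0x0D0D0D0D seq 1 len 84",
]


def demo() -> List[Tuple[str, str, Optional[str]]]:
    return run_trace(SAMPLE_TRACE)


if __name__ == "__main__":
    for ts, action, host in demo():
        print(f"{ts} {action:4} {host}")
```

Running it shows both limitations Jurgen mentions: the inbound packet under the rekeyed SPI `0x0B0B0B0B` is dropped until 10.0.0.5 has sent under its new SA, and when 10.0.0.5 and 10.0.0.6 open SAs to the same peer at nearly the same time the two inbound SPIs are bound by arrival order, so one of them may land on the wrong host and the other is dropped. Greg's trace fails earlier still: the gateway answers every ESP packet with "host unreachable", so no translation is attempted at all. The durable fix that arrived later is UDP encapsulation of ESP (NAT traversal, RFC 3948), which gives the NAT a UDP port pair to track instead of a hidden SPI.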