OpenBSD + IPNAT + VPN - HELP!....

Greg plug-discuss@lists.PLUG.phoenix.az.us
Wed, 1 Aug 2001 20:16:39 -0700


I do not think this patch will work for me.
I have looked at the structure of ipf in FreeBSD and
OpenBSD and it looks like they have changed quite a bit.

Greg

----- Original Message -----
From: Ian Cartwright <ian351c@home.com>
To: Furmanek, Greg <Greg.Furmanek@hit.cendant.com>; 'Jurgen Kobierczynski'
<JKobierczynski@sdlintl.com>; PLUG (E-mail)
<plug-discuss@lists.plug.phoenix.az.us>; IP Filter Mail List (E-mail)
<ipfilter@coombs.anu.edu.au>; <misc@openbsd.org>
Sent: Monday, July 30, 2001 11:16 AM
Subject: RE: OpenBSD + IPNAT + VPN - HELP!....


> I am running IPfilter on FreeBSD with my Nortel Client on a PC behind it.
> There is a patch available on the internet here:
> http://www.cs.ndsu.nodak.edu/~davlarso/ipf/. It works great for me, and it
> appears to work with versions of IPfilter later than 3.4.14 (as specified on
> the page).
>
> Hope this helps!
>
> Ian
>
> > -----Original Message-----
> > From: owner-ipfilter@coombs.anu.edu.au
> > [mailto:owner-ipfilter@coombs.anu.edu.au]On Behalf Of Furmanek, Greg
> > Sent: Monday, July 30, 2001 8:56 AM
> > To: 'Jurgen Kobierczynski'; Furmanek, Greg; PLUG (E-mail); IP Filter
> > Mail List (E-mail); 'misc@openbsd.org'
> > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> >
> >
> > How can I configure "simple redirection"?
> >
> >
> > How can I configure the virtual interface "enc0"?
> > (I just hope you are not suggesting connecting
> > OpenBSD to the Nortel tunnel.  The network guys will not
> > configure the Nortel to allow anything else but
> > the Nortel client - "kind of proprietary authentication"
> > to log in.)
> >
> > I was considering converting my firewall to Linux/IPtables
> > but first I want to see if there is a way of configuring
> > the ipf.  BTW I kind of like the ease of configuring
> > ipf.  (I have not tried iptables, but ipchains was kind
> > of confusing).
> >
> > > -----Original Message-----
> > > From: Jurgen Kobierczynski [mailto:JKobierczynski@sdlintl.com]
> > > Sent: Monday, July 30, 2001 8:40 AM
> > > To: 'Furmanek, Greg'; PLUG (E-mail); IP Filter Mail List (E-mail);
> > > 'misc@openbsd.org'
> > > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> > >
> > >
> > > There is no NAT support for the ESP packets as far as I know. IPSec was
> > > not designed for use within a NAT/Masquerading, but I know that Linux
> > > IPTables has a VPN-Masquerading feature; check the VPN-Masquerading for Linux
> > > for more details on these issues with VPN Masquerading. There is the problem
> > > that the SPI assignment to hosts is encrypted, so the firewall can only
> > > assign these connections as best as possible by "capturing" the creation of
> > > each connection. Also, key renewal changes SPI numbers, so it won't work
> > > perfectly.
> > >
> > > But this isn't possible in IPF (yet?), as far as I know, but a simple
> > > redirection of the ESP packets to one particular host should be possible.
> > > (Not tried yet, btw.)
> > >
> > > Also, I know from my latest setup that there was a virtual
> > > interface "enc0"
> > > defined, and that I had to define rules for it.
> > >
> > > Jurgen
> > >
> > > -----Original Message-----
> > > From: Furmanek, Greg [mailto:Greg.Furmanek@hit.cendant.com]
> > > Sent: maandag 30 juli 2001 16:46
> > > To: PLUG (E-mail); IP Filter Mail List (E-mail); 'misc@openbsd.org'
> > > Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> > >
> > >
> > > Can anyone help with this one?
> > >
> > > I have looked online for some info but
> > > it seems that everything I have tried did not
> > > work.
> > >
> > > Why is "esp" not forwarded?
> > >
> > > Any suggestions would be appreciated.
> > >
> > > Greg
> > >
> > >
> > > > -----Original Message-----
> > > > From: Greg [mailto:codewolf@earthlink.net]
> > > > Sent: Saturday, July 28, 2001 4:55 PM
> > > > To: misc@openbsd.org
> > > > Subject: Fw: OpenBSD + IPNAT + VPN - HELP!....
> > > >
> > > >
> > > > Hi everyone....
> > > >
> > > > I am trying to setup VPN connection from Windows (Nortel
> > > > Client) through
> > > > OpenBSD (NAT/IPF) to Nortel.
> > > >
> > > > It seems that I get the ISAKMP to negotiate just fine, but
> > > > when it comes to the tunnel it is a different story:
> > > >
> > > > This is my setup:
> > > >
> > > > | WIN  Client |-----------|Open  BSD |-----------| Nortel |
> > > >
> > > >
> > > > xl0 - external
> > > > xl1 - internal
> > > > x.x.x.x - Nortel
> > > > y.y.y.y  - ip on xl0
> > > > z.z.z.z - ip on host with the client
> > > > k.k.k.k - ip on xl1 - gateway
> > > > ipf.rules
> > > > =========
> > > > # for esp protocol - I have not specified the protocol since I allow all
> > > > # from this specific host
> > > > pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
> > > > pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
> > > > pass in quick on xl1 from any to x.x.x.x/32
> > > > pass out quick on xl1 from x.x.x.x/32 to any
> > > >
> > > > #---------------------      UDP ISAKMP KEY NEGOTIATION    ----------------------
> > > > pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state
> > > >
> > > > ipnat.rules
> > > > ===========
> > > > bimap xl0 y.y.y.y/32 -> x.x.x.x/32
> > > >
> > > > External Interface TCPDUMP
> > > > 07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > > > 07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > > > 07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > > > 07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > > > 07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > > > 07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > > > 07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > > > 07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > > > 07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > > > 07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > > > 07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > > >
> > > >
> > > > INTERNAL INTERFACE TCPDUMP
> > > > 07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
> > > > 07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > > > 07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > > > 07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > > > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > > > 07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > > > 07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange AGGRESSIVE
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > > > 07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > > > 07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > > > 07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange unknown encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > > > 07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > > > 07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > > > 07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE encrypted
> > > > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > > >
> > > > 07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
> > > > 07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
> > > > 07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
> > > > 07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
> > > > 07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
> > > > 07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > > 07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > > >
> > >
> > >
> > > "The sender believes that this E-mail and any attachments were free of any
> > > virus, worm, Trojan horse, and/or malicious code when sent. This message
> > > and its attachments could have been infected during transmission. By
> > > reading the message and opening any attachments, the recipient accepts full
> > > responsibility for taking protective and remedial action about viruses and
> > > other defects. The sender's employer is not liable for any loss or damage
> > > arising in any way from this message or its attachments."
> > >
> >
> >
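An added example, not code from anyone in this thread: a small Python script that parses the tcpdump lines Greg posted (the thread's own placeholders x.x.x.x, y.y.y.y, z.z.z.z and k.k.k.k are kept as constructed sample input), correlates the xl1 and xl0 captures to show that the UDP/500 ISAKMP flow is translated while the ESP flow never appears on the outside and is answered by the gateway with ICMP host-unreachable, and then models the best-effort SPI-learning NAT that Jurgen describes so its failure modes are visible: an inbound ESP packet with an SPI nobody is waiting for (what a rekey looks like to the NAT) is dropped, and two inside hosts negotiating at the same time make the binding a guess. The EspNatTable class, its policy of binding an unknown inbound SPI to the oldest waiting inside host, and the function names are assumptions of this example, not a description of IPFilter, ipnat or the Linux VPN-masquerade patch.

```python
import re

# Constructed sample input: tcpdump lines as quoted in the thread, placeholders kept.
INTERNAL_XL1 = """\
07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
""".splitlines()

EXTERNAL_XL0 = """\
07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
""".splitlines()

ISAKMP = re.compile(r'^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): isakmp')
ESP = re.compile(r'^\S+ esp (\S+) > (\S+) spi (0x[0-9A-Fa-f]+) seq (\d+)')
UNREACH = re.compile(r'^\S+ (\S+) > (\S+): icmp: host (\S+) unreachable')


def parse(line):
    """Classify one tcpdump line as ('isakmp'|'esp'|'icmp'|'other', fields)."""
    if m := ISAKMP.match(line):
        src, sport, dst, dport = m.groups()
        return 'isakmp', {'src': src, 'sport': int(sport), 'dst': dst, 'dport': int(dport)}
    if m := ESP.match(line):
        src, dst, spi, seq = m.groups()
        return 'esp', {'src': src, 'dst': dst, 'spi': int(spi, 16), 'seq': int(seq)}
    if m := UNREACH.match(line):
        src, dst, target = m.groups()
        return 'icmp', {'src': src, 'dst': dst, 'unreachable': target}
    return 'other', {}


def correlate(internal, external, inside_host, nat_addr):
    """For each ISAKMP/ESP flow seen on the inside interface, report whether a
    translated copy (inside_host rewritten to nat_addr) shows up on the outside.
    ISAKMP rides on UDP/500, so a port-based NAT has something to map; ESP has
    no ports, only an SPI, so no outside copy of it ever appears in the capture."""
    outside = {(k, f.get('src'), f.get('dst')) for k, f in map(parse, external)}
    report = {}
    for kind, f in map(parse, internal):
        if kind not in ('isakmp', 'esp'):
            continue
        translated = (kind, f['src'].replace(inside_host, nat_addr),
                      f['dst'].replace(inside_host, nat_addr))
        report[(kind, f['src'], f['dst'])] = 'translated' if translated in outside else 'dropped'
    return report


def unreachables_from_gateway(internal, gateway):
    """Count ICMP host-unreachable messages the firewall itself sent back inward."""
    return sum(1 for k, f in map(parse, internal) if k == 'icmp' and f['src'] == gateway)


class EspNatTable:
    """Best-effort ESP demultiplexer of the kind Jurgen describes (hypothetical).
    The SPI the peer will use toward us is agreed inside the encrypted Quick Mode
    exchange, so the NAT cannot read it; it can only notice that an inside host
    sent ESP outbound and assume the next inbound ESP with an unknown SPI belongs
    to that host. Policy assumed here: bind to the oldest host still waiting."""

    def __init__(self):
        self.inbound_spi = {}    # inbound SPI -> inside host
        self.outbound_spis = {}  # inside host -> set of outbound SPIs seen
        self.waiting = []        # inside hosts that sent ESP and await an inbound SPI

    def outbound(self, host, spi):
        """Inside host sent ESP; its outbound SPI is readable in the ESP header."""
        self.outbound_spis.setdefault(host, set()).add(spi)
        if host not in self.waiting:
            self.waiting.append(host)

    def inbound(self, spi):
        """Return (host to forward to or None, ambiguous). None means drop."""
        if spi in self.inbound_spi:
            return self.inbound_spi[spi], False
        if not self.waiting:
            return None, False           # unknown SPI, nobody waiting: e.g. after a rekey
        host = self.waiting.pop(0)
        self.inbound_spi[spi] = host
        return host, len(self.waiting) > 0   # others were waiting too, so this is a guess


if __name__ == '__main__':
    for flow, verdict in correlate(INTERNAL_XL1, EXTERNAL_XL0, 'z.z.z.z', 'y.y.y.y').items():
        print(flow, verdict)
    print('host-unreachable sent by gateway:', unreachables_from_gateway(INTERNAL_XL1, 'k.k.k.k'))
```

The correlation only checks addresses and protocol, which is all a port-less protocol leaves a NAT to work with; that is exactly why the ESP flow comes back as dropped while both ISAKMP directions are translated. The SPI-learning table shows the caveat Jurgen raises: until the inside host transmits again after a rekey, inbound packets carrying the new SPI have no owner, and when several inside hosts are mid-negotiation the binding is a guess.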