
cisco vpn client behind 3.2-stable pf firewall difficulties

here's the relevant (i think) parts from my pf.conf:

nat on $ext_if inet proto udp from any port = isakmp to any -> $ext_if port 500

pass out log quick on $ext_if proto udp from any to $vpn_hosts port = isakmp
pass in log quick on $ext_if proto udp from $vpn_hosts to any port = isakmp
pass out log quick on $ext_if proto esp from any to $vpn_hosts
pass in log quick on $ext_if proto esp from $vpn_hosts to any

here's what i see from sudo /usr/sbin/tcpdump -nettti hme0 host xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is my remote vpn peer

Mar 15 18:44:51.056430 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
xxx.xxx.xxx.xxx.500 > xxx.xxx.xxx.xxx.500:  isakmp v1.0 exchange ID_PROT
        cookie: ee356daa2bcd9b60->0000000000000000 msgid: 00000000 len: 1100
Mar 15 18:45:47.382130 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
xxx.xxx.xxx.xxx.500 > xxx.xxx.xxx.xxx.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8eddabfb0f7bcb50->0000000000000000 msgid: 00000000 len: 1100
Mar 15 18:46:18.226328 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
xxx.xxx.xxx.xxx.500 > xxx.xxx.xxx.xxx.500:  isakmp v1.0 exchange ID_PROT
        cookie: b8e9adee1bfab51b->0000000000000000 msgid: 00000000 len: 1100
the client just hangs until it times out, and the logs on the client report
that inbound connections are not allowed. it seems to me that i've got the
nat part incorrect.
any thoughts on where i've gone wrong appreciated.
--john
-- 
Today is a good day to bribe a high-ranking public official.
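The tcpdump output in the post is the most useful diagnostic it contains: every packet is an outbound ISAKMP main-mode (ID_PROT) first message, each with a fresh initiator cookie and a responder cookie of all zeros, and nothing ever comes back from the peer. The following Python script is an added example, not part of the original post or of OpenBSD/pf; it parses tcpdump's two-line isakmp records and summarises phase 1 traffic per peer so that "we send, nothing answers" is distinguished from "the peer answers but the reply never matches a cookie". The sample dumps are constructed; the masked xxx.xxx.xxx.xxx addresses are replaced with RFC 5737 documentation addresses, and the healthy exchange is invented for contrast.

```python
import re

# Constructed sample modelled on the tcpdump lines in the post (wrapped the
# same way, with the address line following the link-layer header line).
FAILING_DUMP = """\
Mar 15 18:44:51.056430 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
192.0.2.10.500 > 198.51.100.5.500:  isakmp v1.0 exchange ID_PROT
        cookie: ee356daa2bcd9b60->0000000000000000 msgid: 00000000 len: 1100
Mar 15 18:45:47.382130 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
192.0.2.10.500 > 198.51.100.5.500:  isakmp v1.0 exchange ID_PROT
        cookie: 8eddabfb0f7bcb50->0000000000000000 msgid: 00000000 len: 1100
Mar 15 18:46:18.226328 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
192.0.2.10.500 > 198.51.100.5.500:  isakmp v1.0 exchange ID_PROT
        cookie: b8e9adee1bfab51b->0000000000000000 msgid: 00000000 len: 1100
"""

# Constructed healthy exchange for contrast: the peer replies, echoing the
# initiator cookie and filling in its own responder cookie.
HEALTHY_DUMP = """\
Mar 15 19:00:01.000000 8:0:20:22:2b:ca 0:4:9b:ea:a4:54 0800 1142:
192.0.2.10.500 > 198.51.100.5.500:  isakmp v1.0 exchange ID_PROT
        cookie: 1111111111111111->0000000000000000 msgid: 00000000 len: 1100
Mar 15 19:00:01.100000 0:4:9b:ea:a4:54 8:0:20:22:2b:ca 0800 242:
198.51.100.5.500 > 192.0.2.10.500:  isakmp v1.0 exchange ID_PROT
        cookie: 1111111111111111->2222222222222222 msgid: 00000000 len: 200
"""

HEADER_RE = re.compile(r'(\S+)\.(\d+) > (\S+)\.(\d+):\s+isakmp v1\.0 exchange (\S+)')
COOKIE_RE = re.compile(r'cookie: ([0-9a-f]{16})->([0-9a-f]{16})')
ZERO_COOKIE = '0' * 16


def parse_isakmp(text):
    """Return one dict per isakmp packet; indented lines carry the cookies."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith((' ', '\t')):
            # Continuation line: attach the cookie pair to the packet above.
            m = COOKIE_RE.search(line)
            if current is not None and m:
                current['icookie'], current['rcookie'] = m.groups()
            continue
        m = HEADER_RE.search(line)
        if not m:
            current = None  # link-layer header line or unrelated traffic
            continue
        src, sport, dst, dport, exchange = m.groups()
        current = {'src': src, 'sport': int(sport), 'dst': dst,
                   'dport': int(dport), 'exchange': exchange,
                   'icookie': None, 'rcookie': None}
        records.append(current)
    return records


def diagnose(records, peer):
    """Summarise phase 1 (ID_PROT) traffic exchanged with one peer address."""
    sent = [r for r in records if r['dst'] == peer]
    received = [r for r in records if r['src'] == peer]
    # A first message carries only the initiator cookie; the responder's is 0.
    initiations = [r for r in sent if r['rcookie'] == ZERO_COOKIE]
    # Distinct initiator cookies mean separate attempts, not retransmissions.
    attempts = {r['icookie'] for r in initiations}
    answered = {r['icookie'] for r in received
                if r['rcookie'] not in (None, ZERO_COOKIE)} & attempts
    if not sent:
        verdict = 'no outbound ISAKMP to peer'
    elif not received:
        verdict = 'outbound only: %d attempt(s), no reply from peer' % len(attempts)
    elif answered:
        verdict = 'peer answered %d of %d attempt(s)' % (len(answered), len(attempts))
    else:
        verdict = 'traffic both ways but no reply matched an initiator cookie'
    return {'sent': len(sent), 'received': len(received),
            'attempts': len(attempts), 'answered': len(answered),
            'verdict': verdict}


if __name__ == '__main__':
    for name, dump in (('failing', FAILING_DUMP), ('healthy', HEALTHY_DUMP)):
        print(name, diagnose(parse_isakmp(dump), '198.51.100.5'))
```

On the post's capture the verdict is "outbound only: 3 attempt(s), no reply from peer": three distinct initiator cookies over about ninety seconds, so the client gave up and restarted rather than retransmitting, and the responder cookie never left zero. That narrows the question to whether the first packet reaches the peer at all (the NAT and outbound pass rules) or whether the peer's UDP/500 reply is dropped before the client sees it (the inbound pass rule and state), which is a different failure from a completed phase 1 that stalls on ESP.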