
VPN fails when firewall rules are enabled



Hi
I can get VPN to work just fine if my /etc/pf.conf file is defined
simply as pass in all, pass out all, and start isakmpd.

Once I start adding in rules, VPN eventually dies.  I'm having a
hard time determining which rules are killing it because isakmpd appears
to set a timer where it works for a while even though it shouldn't be.

Here's what I do...please tell me if I'm debugging correctly.

  1) Change rule in pf.conf
  2) pfctl -f /etc/pf.conf
  3) start isakmpd
  4) test VPN connection (fails)
  5) kill isakmpd
  6) go back to 1) and continue loop

Is there something else I should be flushing?  Is there a reason why
isakmpd kicks itself off from time to time?  This appears to be happening.
Is it necessary to use

  pfctl -F all
  ipsecadm flush

after every test? Should I be flushing anything else?

What follows is my current pf.conf, isakmpd.policy, isakmpd.conf files
for review.  The IP addresses have been changed to protect the innocent.

192.168.1.0 (home) 19.19.19.19 --|-- 200.100.20.10 (gw) -- 10.0.0.0 (office)
         B                                    A


For this example, let's assume that "home" has a static ip address.  In
reality, "home"  comes in dynamically, so if you have any advice on this,
that would be great.  The address does change, but very rarely.

thanx
ted



/etc/pf.conf
------------
ExtIF="fxp0"             # External Interface
IntIF="fxp1"             # Internal Interface
IntNet="10.10.0.0/24"       # Our internal network
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
gatewA = "200.100.20.10/32"
gatewB = "19.19.19.19/32"
netA = "10.0.0.0/24"
netB = "192.168.1.0/24"
AllowIPs="{ 64.64.64.64/32, 19.19.19.19/32 }"
Services="{ www, https, ssh, telnet, ftp }"

scrub in all

nat on $ExtIF from $IntNet to any -> 200.100.20.10
rdr on $ExtIF proto tcp from any to any port 23 -> 10.0.0.5 port 23
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block in  quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
block in on $ExtIF all

# allow others to use http and https
pass  in on $ExtIF inet proto tcp from $AllowIPs to any port $Services \
        flags S/SA keep state
pass in on $ExtIF proto tcp from any to $ExtIF user proxy keep state

block out on $ExtIF                 all
pass  out on $ExtIF inet proto tcp  all            keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state

# VPN settings per "man vpn"
# VPN isakmpd features
pass in proto esp from $gatewB to $gatewA
pass out proto esp from $gatewA to $gatewB
pass in on enc0 from $netB to $netA
pass out on enc0 from $netA to $netB
pass out on $ExtIF proto udp from $gatewA port = 500 to $gatewB port = 500
pass in proto udp from $gatewB to $gatewA port=500
pass out proto udp from $gatewA to $gatewB port=500




/etc/isakmpd.conf listing
-------------------------
[General]
Policy-File=            /etc/isakmpd/isakmpd.policy
Retransmits=            5
Exchange-max-time=      120
Listen-on=              200.100.20.10

[Phase 1]
Default=                east
[Phase 2]
Connections=            west-east

[east]
Phase=                  1
Transport=              udp
Local_address=          200.100.20.10
Configuration=          Default-main-mode
Authentication=         ilikemcgyver

[west-east]
Phase=                  2
ISAKMP-peer=            east
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5,3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-MD5-SUITE


isakmpd.policy file
-------------------
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:ilikemcgyver"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

--
ted jordan, principal
JordanTeam Computing LLC
On-Demand Computing for Independent Business Professionals

ted@jordanteam.com
734 673 7426 p
216 767 1393 p
419 791 9678 f
http://jordanteam.com
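As an added example (not part of the post and not OpenBSD or pf code), here is a small Python model of pf's filter evaluation, where the last matching rule wins unless an earlier match carries "quick", applied to the post's own filter rules with the macros expanded by hand. It answers the question the debugging loop above is really asking: which rule finally decides a given packet. Assumptions: nat/rdr/scrub and the "user proxy" rule are left out because they are not plain address/port matches, and the addresses are the post's anonymised ones.

```python
# Added example, not from the post: a tiny model of pf filter evaluation,
# where the LAST matching rule wins unless an earlier match says "quick".
# RULES transcribes the post's filter rules with its macros expanded by hand;
# nat/rdr/scrub and the "user proxy" rule are left out (not address matches).
from ipaddress import ip_address, ip_network

def nets(*cidrs):
    return [ip_network(c) for c in cidrs]

ANY = nets("0.0.0.0/0")
NOROUTE = nets("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
GW_A, GW_B = nets("200.100.20.10/32"), nets("19.19.19.19/32")
NET_A, NET_B = nets("10.0.0.0/24"), nets("192.168.1.0/24")
SERVICES = {80, 443, 22, 23, 21}  # www, https, ssh, telnet, ftp

def rule(action, direction, iface=None, proto=None, src=ANY, dst=ANY, dport=None, quick=False):
    return dict(action=action, direction=direction, iface=iface, proto=proto,
                src=src, dst=dst, dport=dport, quick=quick)

RULES = [  # same order as the post's pf.conf; index = position in this list
    rule("block", "in",  "fxp0", src=NOROUTE, quick=True),
    rule("block", "out", "fxp0", dst=NOROUTE, quick=True),
    rule("block", "in",  "fxp0"),
    rule("pass",  "in",  "fxp0", "tcp", src=nets("64.64.64.64/32", "19.19.19.19/32"), dport=SERVICES),
    rule("block", "out", "fxp0"),
    rule("pass",  "out", "fxp0", "tcp"),
    rule("pass",  "out", "fxp0", "udp"),
    rule("pass",  "out", "fxp0", "icmp"),
    rule("pass",  "in",  None,   "esp", src=GW_B, dst=GW_A),  # no "on": any interface
    rule("pass",  "out", None,   "esp", src=GW_A, dst=GW_B),
    rule("pass",  "in",  "enc0", src=NET_B, dst=NET_A),
    rule("pass",  "out", "enc0", src=NET_A, dst=NET_B),
    rule("pass",  "out", "fxp0", "udp", src=GW_A, dst=GW_B, dport={500}),
    rule("pass",  "in",  None,   "udp", src=GW_B, dst=GW_A, dport={500}),
    rule("pass",  "out", None,   "udp", src=GW_A, dst=GW_B, dport={500}),
]

def matches(r, direction, iface, proto, src, dst, dport):
    return (r["direction"] == direction and r["iface"] in (None, iface)
            and r["proto"] in (None, proto)
            and any(ip_address(src) in n for n in r["src"])
            and any(ip_address(dst) in n for n in r["dst"])
            and (r["dport"] is None or dport in r["dport"]))

def decide(direction, iface, proto, src, dst, dport=None):
    """Return (action, index of the deciding rule); pf's default when nothing matches is pass."""
    verdict = ("pass", None)
    for i, r in enumerate(RULES):
        if matches(r, direction, iface, proto, src, dst, dport):
            verdict = (r["action"], i)
            if r["quick"]:
                break  # quick: evaluation stops here, this rule decides
    return verdict
```

For instance, inbound ESP from the home gateway on fxp0 is first caught by "block in on $ExtIF all" but then overridden by the later "pass in proto esp" rule, while outbound cleartext traffic to 192.168.1.0/24 on fxp0 is stopped by the early "block out quick ... to $NoRouteIPs" rule before any later pass rule is consulted.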