[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VPN fails when firewall rules are enabled

I can get VPN to work just fine if my /etc/pf.conf file is defined
simply as pass in all, pass out all, and start isakmpd.

Once I start adding in rules, VPN eventually dies.  I'm having a
hard time determining which rules are killing it cuz isakmpd appears
to set a timer where it works for a while even tho it shouldn't be.

Here's what I do...please tell me if I'm debugging correctly.

  1) Change rule in pf.conf
  2) pfctl -f /etc/pf.conf
  3) start isakmpd
  4) test VPN connection (fails)
  5) kill isakmpd
  6) go back to 1) and continue loop

Is there something else I should be flushing?  Is there a reason why
isakmpd kicks itself off from time to time?  This appears to be happening.
Is it necessary to use

  pfctl -F all
  ipsecadm flush

after every test? Should I be flushing anything else?

What follows is my current pf.conf, isakmpd.policy, isakmpd.conf files
for review.  The IP addresses have been changed to protect the innocent. (home)() --|-- (gw) -- (office)

For this example, let's assume that "home" has a static ip address.  In
reality, "home"  comes in dynamically, so if you have any advice on this,
that would be great.  The address does change, but very rarely.


ExtIF="fxp0"             # External Interface
IntIF="fxp1"             # Internal Interface
IntNet=""       # Our internal network
NoRouteIPs="{,,, }"
gatewA = ""
gatewB = ""
netA = ""
netB = ""
AllowIPs="{, }"
Services="{ www, https, ssh, telnet, ftp }"

scrub in all

nat on $ExtIF from $IntNet to any ->
rdr on $ExtIF proto tcp from any to any port 23 -> port 23
rdr on $IntIF proto tcp from any to any port 21 -> port 8021

block in  quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
block in on $ExtIF all

# allow others to use http and https
pass  in on $ExtIF inet proto tcp from $AllowIPs to any port $Services \
        flags S/SA keep state
pass in on $ExtIF proto tcp from any to $ExtIF user proxy keep state

block out on $ExtIF                 all
pass  out on $ExtIF inet proto tcp  all            keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state

# VPN settings per "man vpn"
# VPN isakmpd features
pass in proto esp from $gatewB to $gatewA
pass out proto esp from $gatewA to $gatewB
pass in on enc0 from $netB to $netA
pass out on enc0 from $netA to $netB
pass out on $ExtIF proto udp from $gatewA port = 500 to $gatewB port = 500
pass in proto udp from $gatewB to $gatewA port=500
pass out proto udp from $gatewA to $gatewB port=500

/etc/isakmpd.conf listing ----------------- [General] Policy-File= /etc/isakmpd/isakmpd.policy Retransmits= 5 Exchange-max-time= 120 Listen-on=

[Phase 1]
Default=                east
[Phase 2]
Connections=            west-east

Phase=                  1
Transport=              udp
Configuration=          Default-main-mode
Authentication=         ilikemcgyver

Phase=                  2
ISAKMP-peer=            east
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east

ID-type=                IPV4_ADDR_SUBNET

ID-type=                IPV4_ADDR_SUBNET

DOI=                    IPSEC
Transforms=             3DES-MD5,3DES-SHA

DOI=                    IPSEC
Suites=                 QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-MD5-SUITE

isakmpd.policy file ------------------- KeyNote-Version: 2 Authorizer: "POLICY" Licensees: "passphrase:ilikemcgyver" Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true";

ted jordan, principal
JordanTeam Computing LLC
On-Demand Computing for Independent Business Professionals

734 673 7426 p
216 767 1393 p
419 791 9678 f