
Re: VPN fails when firewall rules are enabled



Quick answer: add the step of doing a tcpdump (step 3.5, I'd say).
That should tell you what is blocking your attempts.
Sorry, have to run now...
scott
On Mon, 7 Apr 2003, ted jordan, jordanteam wrote:
> Hi
> I can get VPN to work just fine if my /etc/pf.conf file is defined
> simply as pass in all, pass out all, and start isakmpd.
>
> Once I start adding in rules, VPN eventually dies.  I'm having a
> hard time determining which rules are killing it cuz isakmpd appears
> to set a timer where it works for a while even tho it shouldn't be.
>
> Here's what I do...please tell me if I'm debugging correctly.
>
>    1) Change rule in pf.conf
>    2) pfctl -f /etc/pf.conf
>    3) start isakmpd
>    4) test VPN connection (fails)
>    5) kill isakmpd
>    6) go back to 1) and continue loop
>
> Is there something else I should be flushing?  Is there a reason why
> isakmpd kicks itself off from time to time?  This appears to be happening.
> Is it necessary to use
>
>    pfctl -F all
>    ipsecadm flush
>
> after every test?  Should I be flushing anything else?
>
> What follows is my current pf.conf, isakmpd.policy, isakmpd.conf files
> for review.  The IP addresses have been changed to protect the innocent.
>
>    192.168.1.0 (home) () 19.19.19.19 --|-- 200.100.20.10 (gw) -- 10.0.0.0 (office)
>                                B                  A
>
> For this example, let's assume that "home" has a static ip address.  In
> reality, "home"  comes in dynamically, so if you have any advice on this,
> that would be great.  The address does change, but very rarely.
>
> thanx
> ted
>
>
>
> /etc/pf.conf
> ------------
> ExtIF="fxp0"             # External Interface
> IntIF="fxp1"             # Internal Interface
> IntNet="10.10.0.0/24"       # Our internal network
> NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> gatewA = "200.100.20.10/32"
> gatewB = "19.19.19.19/32"
> netA = "10.0.0.0/24"
> netB = "192.168.1.0/24"
> AllowIPs="{ 64.64.64.64/32, 19.19.19.19/32 }"
> Services="{ www, https, ssh, telnet, ftp }"
>
> scrub in all
>
> nat on $ExtIF from $IntNet to any -> 200.100.20.10
> rdr on $ExtIF proto tcp from any to any port 23 -> 10.0.0.5 port 23
> rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> block in  quick on $ExtIF from $NoRouteIPs to any
> block out quick on $ExtIF from any to $NoRouteIPs
> block in on $ExtIF all
>
> # allow others to use http and https
> pass  in on $ExtIF inet proto tcp from $AllowIPs to any port $Services \
>          flags S/SA keep state
> pass in on $ExtIF proto tcp from any to $ExtIF user proxy keep state
>
> block out on $ExtIF                 all
> pass  out on $ExtIF inet proto tcp  all            keep state
> pass  out on $ExtIF inet proto udp  all            keep state
> pass  out on $ExtIF inet proto icmp all            keep state
>
> # VPN settings per "man vpn"
> # VPN isakmpd features
> pass in proto esp from $gatewB to $gatewA
> pass out proto esp from $gatewA to $gatewB
> pass in on enc0 from $netB to $netA
> pass out on enc0 from $netA to $netB
> pass out on $ExtIF proto udp from $gatewA port = 500 to $gatewB port = 500
> pass in proto udp from $gatewB to $gatewA port=500
> pass out proto udp from $gatewA to $gatewB port=500
>
>
>
>
> /etc/isakmpd.conf listing
> -------------------------
> [General]
> Policy-File= /etc/isakmpd/isakmpd.policy
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= 200.100.20.10
>
> [Phase 1]
> Default=                east
> [Phase 2]
> Connections=            west-east
>
> [east]
> Phase=                  1
> Transport=              udp
> Local_address=          200.100.20.10
> Configuration=          Default-main-mode
> Authentication=         ilikemcgyver
>
> [west-east]
> Phase=                  2
> ISAKMP-peer=            east
> Configuration=          Default-quick-mode
> Local-ID=               Net-west
> Remote-ID=              Net-east
>
> [Net-west]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                10.0.0.0
> Netmask=                255.255.255.0
>
> [Net-east]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                192.168.1.0
> Netmask=                255.255.255.0
>
> [Default-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-MD5,3DES-SHA
>
> [Default-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-MD5-SUITE
>
>
> isakmpd.policy file
> -------------------
> KeyNote-Version: 2
> Authorizer: "POLICY"
> Licensees: "passphrase:ilikemcgyver"
> Conditions: app_domain == "IPsec policy" &&
>              esp_present == "yes" &&
>              esp_enc_alg != "null" -> "true";
>
> --
> ted jordan, principal
> JordanTeam Computing LLC
> On-Demand Computing for Independent Business Professionals
>
> ted@jordanteam.com
> 734 673 7426 p
> 216 767 1393 p
> 419 791 9678 f
> http://jordanteam.com
>
>
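Scott's tcpdump step worked into Ted's edit / reload / test loop, as an added sh example that is not code from either poster. It assumes root on the OpenBSD gateway, the interface name and gateway addresses from the quoted pf.conf, a hypothetical inner address 192.168.1.1 on the home side and 10.0.0.1 on the gateway's internal interface, and that the `block` rules in pf.conf carry the `log` keyword, since pflog0 only sees packets matched by rules that log. The sample pflog lines are constructed to resemble `tcpdump -n -e -ttt -i pflog0` output and exist only so the filter can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the change-rule / pfctl -f /
# start isakmpd / test / kill loop and captures pf's logged decisions in
# the meantime, then reports which rule number dropped ISAKMP or ESP
# packets between the two gateways.

EXT_IF="fxp0"                # from the quoted pf.conf
PEER="19.19.19.19"           # gateway B (home side)
LOCAL="200.100.20.10"        # gateway A (this box)
INT_ADDR="10.0.0.1"          # assumed: inner address of this gateway
REMOTE_HOST="192.168.1.1"    # assumed: a host on the home network
PFLOG="/tmp/pflog.$$"

# Read tcpdump pflog0 output on stdin and print "<rule> <isakmp|esp> <in|out>"
# for every blocked packet between PEER and LOCAL that is udp/500 or ESP.
# Other blocked traffic (e.g. an unrelated ssh probe) is ignored.
find_blocked_vpn() {
    awk -v peer="$PEER" -v gw="$LOCAL" '
        /block/ && index($0, peer) && index($0, gw) &&
        ($0 ~ /\.500 > / || $0 ~ /: esp/) {
            # pflog lines carry "rule N/0(match):"; pull out N
            if (match($0, /rule [0-9]+/)) {
                rule = substr($0, RSTART + 5, RLENGTH - 5)
                kind = ($0 ~ /: esp/) ? "esp" : "isakmp"
                dir  = ($0 ~ / in /) ? "in" : "out"
                print rule, kind, dir
            }
        }'
}

# One iteration of the loop. Only meaningful on the gateway itself.
debug_cycle() {
    pfctl -F state                      # drop states left over from the last run
    pfctl -f /etc/pf.conf || return 1   # reload rules; stop on a syntax error
    tcpdump -n -e -ttt -i pflog0 > "$PFLOG" 2>/dev/null &
    TCPDUMP_PID=$!
    isakmpd
    sleep 60                            # let Phase 1 / Phase 2 succeed or fail
    # -I picks the inner source address so the ping matches the
    # 10.0.0.0/24 <-> 192.168.1.0/24 selector instead of leaving in the clear
    if ping -c 3 -I "$INT_ADDR" "$REMOTE_HOST" >/dev/null 2>&1; then
        echo "tunnel ok"
    else
        echo "tunnel failed"
    fi
    kill "$(cat /var/run/isakmpd.pid)"
    kill "$TCPDUMP_PID"
    echo "blocked VPN packets (count, rule, protocol, direction):"
    find_blocked_vpn < "$PFLOG" | sort | uniq -c
    rm -f "$PFLOG"
}

# Constructed sample of pflog0 output; only used for the offline check below.
SAMPLE_PFLOG='Apr 07 10:01:12.000001 rule 2/0(match): block in on fxp0: 19.19.19.19.500 > 200.100.20.10.500: udp 148
Apr 07 10:01:13.000002 rule 2/0(match): block in on fxp0: 19.19.19.19 > 200.100.20.10: esp spi 0x0000abcd seq 1
Apr 07 10:01:14.000003 rule 2/0(match): block in on fxp0: 64.64.64.64.40001 > 200.100.20.10.22: S 1:1(0) win 16384
Apr 07 10:01:15.000004 rule 9/0(match): pass out on fxp0: 200.100.20.10.500 > 19.19.19.19.500: udp 148'

# Run the real cycle only when asked: ./vpn-debug.sh run
if [ "${1:-}" = "run" ]; then
    debug_cycle
fi
```

Run on the sample above, `find_blocked_vpn | sort -u` yields `2 esp in` and `2 isakmp in`, i.e. rule 2 (the `block in on $ExtIF all` line in the quoted ruleset, counting from the first filter rule) is what `pfctl -vsr` should be checked against; the ssh probe and the passed outbound ISAKMP packet are filtered out. Because `block in on $ExtIF all` in the posted pf.conf has no `log` keyword, nothing will show up on pflog0 until `log` is added to the block rules being tested.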