
Re: connect to vpn behind openbsd firewall



> 
> 
> > 
> > What are your VPN client and VPN server, and do you use IPsec for VPN?
> > 
> > To use IPsec with NAT, IPsec client and server must use NAT-Traversal:
> > - isakmp exchanges on UDP/500
> > - encapsulation of ESP in UDP port 4500
> > 
> > Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2
> > 
> My VPN client is the MS Windows VPN client using the PPTP protocol, port 1723 UDP/TCP. I don't know what the server is; my suggestion is a Win2000/Win2003 VPN server, I have only an account. On the OpenBSD firewall I also have a VPN account using poptopd. Pftop shows me that I use port 1723 TCP and 1723 UDP.
> I think that NAT is the problem because the VPN server tries to connect to my ext_ip, where I block all in. That's my first filter rule. I have tried to synproxy out packets to port 1723 without success.
> 
> any suggestions?
> 
> Best regards
> T.Ganev
> 
> 
Hi again,
I solved the problem by adding these lines to my conf:
nat on rl0 proto tcp from 192.168.0.11 to any port 1723 -> 10.17.2.1 port 1723
nat on rl0 proto udp from 192.168.0.11 to any port 1723 -> 10.17.2.1 port 1723
rdr pass on rl0 inet proto tcp from any to 10.17.2.1 port 1723 -> 192.168.0.11 port 1723
rdr pass on rl0 inet proto tcp from any to 10.17.2.1 -> 192.168.0.11
rdr pass on rl0 inet proto udp from any to 10.17.2.1 -> 192.168.0.11
rdr pass on rl0 inet proto gre from any to 10.17.2.1 -> 192.168.0.11
pass out on $ext_if proto tcp from 10.17.2.1 to any port 1723 modulate state flags S/SA
pass out on $ext_if proto udp from 10.17.2.1 to any port 1723 keep state
pass in on $ext_if proto tcp from any to 10.17.2.1 port 1723 modulate state
pass in on $ext_if inet proto gre from any to 10.17.2.1 synproxy state
pass out on $ext_if inet proto gre from 10.17.2.1 to any keep state
My IP is 192.168.0.11.
10.17.2.1 is an alias to my ext_if IP. The VPN server also has a private IP 10.x.x.x because we use the same ISP.
But what if the VPN server is somewhere in the Internet?
Best regards
T.Ganev
=====
http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=0x300D6655&fingerprint=on Key fingerprint= 2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
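As an added example (not part of the thread, and not the poster's own configuration), the same PPTP pass-through written with one binat rule in the same pre-4.7 nat/rdr/binat syntax, with the GRE and TCP/1723 rules limited to the VPN server's address instead of "from any"; the rules above redirect every TCP and UDP port on 10.17.2.1 to the client, which this version avoids. $vpn_srv is an assumed placeholder; the other addresses are the ones given in the thread.

```conf
# pf.conf fragment (old nat/rdr/binat syntax, as used in the thread).
ext_if      = "rl0"
pptp_client = "192.168.0.11"   # internal Windows PPTP client
pptp_alias  = "10.17.2.1"      # alias on $ext_if reserved for that client
vpn_srv     = "10.17.2.254"    # ASSUMED placeholder for the PPTP server

# A single binat rule replaces the nat/rdr pairs: it maps the client 1:1
# onto the alias in both directions for every protocol, including GRE
# (IP proto 47). GRE carries no port numbers, so one external address can
# serve only one PPTP client at a time; each extra client needs its own alias.
binat on $ext_if from $pptp_client to any -> $pptp_alias

# Default deny on the outside interface, as in the thread.
block in on $ext_if

# Control channel: TCP/1723 is opened by the client only, so no inbound
# rule for it is needed. Filtering happens after translation, so the
# outbound packet carries the alias as its source address.
pass out on $ext_if proto tcp from $pptp_alias to $vpn_srv port 1723 \
    flags S/SA modulate state

# Data channel: GRE in both directions, but only between the client and
# the VPN server. Inbound GRE has already been translated back to the
# client's internal address when the filter sees it.
pass out on $ext_if inet proto gre from $pptp_alias to $vpn_srv keep state
pass in  on $ext_if inet proto gre from $vpn_srv to $pptp_client keep state
```

When the VPN server is on the public Internet, $vpn_srv becomes its public address and $pptp_alias must be a routable address on $ext_if; nothing else in the fragment changes.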