natd firewall settings for vpn

Bill Moran wmoran at potentialtech.com
Fri Jun 18 06:07:43 PDT 2004


Jim Freeze <jim at freeze.org> wrote:
> I am trying to configure my firewall to allow packets through
> for a VPN connection. I am running FBSD 5.2 as my router and am trying
> to connect my laptop from behind the router to our work computer.
> 
> The laptop is running OSX 10.3.4 with a Nortel Networks client
> made by Apani.
> 
> The VPN connection works when the laptop is connected directly
> to my DSL modem or when behind the gateway when I set the 
> firewall type to 'open'.
> 
> Support at Apani says that I need to open port 500 and 
> allow protocols 50 and 51 (whatever that means).
> 
> I found the firewall settings below from the archive and have
> implemented them before the divert statement (after also)
> but with no luck.
>  
>  # Allow IPSec clients to run behind firewall
>  # --- ISAKMP - allow key exchange over UDP 500
>  ${fwcmd} add pass udp from ${inet}:${imask} to any 500 in recv ${iif}
>  ${fwcmd} add pass udp from ${oip} to any 500 out xmit ${oif}
>  ${fwcmd} add pass udp from any 500 to ${inet}:${imask} in recv ${oif}
>  ${fwcmd} add pass udp from any 500 to ${inet}:${imask} out xmit ${iif}
>  # --- ESP - allow protocol 50 (ESP) for everyone ;-)
>  ${fwcmd} add pass esp from any to any
>  
> Does anyone have a firewall with a working Nortel client behind it?
> I would greatly appreciate any help.

Try adding a rule "add pass ah from any to any" ... that's protocol 51.

(not really an expert or anything, but just happened to notice that missing)

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
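The "protocols 50 and 51" in the advice above are values of the IPv4 header's protocol field (ESP = 50, AH = 51), which is different from UDP port 500 (ISAKMP, protocol 17 plus a destination port). The following is an added example, not code from the thread or from FreeBSD/ipfw: it builds constructed IPv4 packets of each kind, classifies them the way the quoted rules would, and shows that without the AH rule an AH packet falls through to the default deny.

```python
"""Constructed example of how ipfw-style IPsec pass rules key on the IPv4 protocol
field (ESP=50, AH=51) versus UDP/500 (ISAKMP). Not FreeBSD or ipfw code."""
import struct

UDP, ESP, AH = 17, 50, 51  # IANA IP protocol numbers

def ipv4_packet(proto: int, payload: bytes, src="192.168.1.10", dst="203.0.113.5") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) around payload.
    Addresses are constructed placeholders, not from the thread."""
    total_len = 20 + len(payload)
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, ip_src, ip_dst)
    return header + payload

def udp_payload(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt: bytes) -> str:
    """Return which quoted rule class a packet falls under: isakmp, esp, ah or other."""
    ihl = (pkt[0] & 0x0F) * 4   # header length in bytes
    proto = pkt[9]              # the protocol field that 'pass esp' / 'pass ah' match on
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    if proto == UDP:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport == 500:
            return "isakmp"
    return "other"

def rule_verdict(pkt: bytes, allow_ah: bool) -> str:
    """First-match evaluation of the quoted set (UDP/500 and ESP pass), optionally
    with Bill's 'add pass ah from any to any'; anything unmatched hits the default deny.
    Caveat: natd rewrites the addresses that AH integrity-protects, so an AH SA
    through NAT fails authentication at the peer even when the firewall passes it."""
    cls = classify(pkt)
    if cls in ("isakmp", "esp") or (cls == "ah" and allow_ah):
        return "pass"
    return "deny"

# Constructed sample packets, one per traffic kind the VPN client produces.
SAMPLES = {
    "isakmp": ipv4_packet(UDP, udp_payload(500, 500, b"\x00" * 28)),
    "esp": ipv4_packet(ESP, b"\x00" * 16),
    "ah": ipv4_packet(AH, b"\x00" * 24),
    "dns": ipv4_packet(UDP, udp_payload(40000, 53, b"\x00" * 12)),
}
```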
