natd firewall settings for vpn

Michael W. Oliver freebsd-questions at gargantuan.com
Fri Jun 18 14:53:47 PDT 2004


On 2004-06-18T14:46:31-0500, Jim Freeze wrote:
> mike oliver wrote:
> > The trick here with NAT is that AH will build a checksum of the IP
> > header, which includes the private IP address of your laptop.  Since NAT
> > changes this IP address, the destination will dump the packet since the
> > AH checksum will fail.
> > 
> > When the laptop is behind the gateway, are you using private addresses
> > on the LAN while running NATD with the 'open' rule set?  If yes, then
> > you aren't using AH, but only ESP.
>
> I'm not sure what you are driving at here.
> I think the answer is yes. The IP of clients on my LAN
> are 192.168.0.x.

Then you are indeed using NATD, which means...

> As far as the 'open' rule is concerned, I just used that to
> test if Contivity worked. I'm not sure what you mean by not using AH.
> When using the 'open' firewall ruleset, I did not have to
> add any rules for ESP or AH.

... that you aren't using AH.  I, too, connect to a Contivity using the
Nortel client.  I haven't configured a Contivity before, but a buddy
(that works in "LABS" for the company that I work for) works on them all
the time, and he confirmed that the Contivity supports IPSec with or
without AH.

The point here is that you can't use AH in conjunction with NAT since AH
computes the checksum of the IP header, which includes your 192.168.0.x
address.  Using NAT will change the source IP address, leaving the
checksum invalid.

> > Yep, I use a Nortel Extranet Client each and every day behind my FreeBSD
> > firewall/router, which runs IPFW2 with NATD.  The rules that you have
> > above look ok.  Have you tried setting up a static NAT translation in
> > /etc/natd.conf for inbound UDP/500?  Something like...
> > 
> > redirect_port udp 192.168.1.1:500 500
> 
> Would I use this in addition to the firewall rules?

Yes.

> > ${fwcmd} add 5000 divert natd all from any to any via ${wan_if}
> > #
> > ${fwcmd} add 42000 queue 70 esp from any to any in recv ${wan_if}
> > ${fwcmd} add queue 80 esp from any to any out xmit ${wan_if}
> > ${fwcmd} add queue 50 esp from any to any in recv ${lan_if}
> > ${fwcmd} add queue 60 esp from any to any out xmit ${lan_if}
> > #
> > ${fwcmd} add 43000 queue 50 udp from ${lan_net}/${lan_mask} to any dst-port 500 in recv ${lan_if}
> > ${fwcmd} add queue 80 udp from ${wan_ip} to any dst-port 500 out xmit ${wan_if}
> > ${fwcmd} add queue 70 udp from any to ${lan_net}/${lan_mask} src-port 500 in recv ${wan_if}
> > ${fwcmd} add queue 60 udp from any to ${lan_net}/${lan_mask} src-port 500 out xmit ${lan_if}
> > 
> > *NOTE* that the ESP and ISAKMP rules come AFTER the divert rule.
> 
> These rules look a little different. Should adding the AH be all I 
> need or do I need to replace my rules with the one you list above?

I don't have any rules for AH (protocol 51), and you won't need them
either.

-- 
Mike
perl -e 'print unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E<G,*");'
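As an added illustration of the AH-versus-NAT point made above (this is not code from the thread, from natd or from ipfw): a toy Python model of why AH's integrity check value (the "checksum" in the message) breaks when natd rewrites the source address, while ESP's does not. AH authenticates the IP header with only its mutable fields (such as TTL) zeroed, so the source and destination addresses are covered; ESP authenticates only the ESP payload. The packet layout, key and addresses are constructed for the demo and simplify the real header encoding.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed toy model of an IPv4 packet with only the fields the AH/NAT
# argument needs. Addresses and key below are made-up demo values.
@dataclass(frozen=True)
class Packet:
    src: str        # immutable field: covered by the AH ICV
    dst: str        # immutable field: covered by the AH ICV
    ttl: int        # mutable in transit: zeroed before AH hashes the header
    payload: bytes  # the part ESP protects

KEY = b"constructed-demo-sa-key"  # authentication key shared by both IPsec peers

def ah_covered_bytes(pkt: Packet) -> bytes:
    """What AH authenticates: IP header with mutable fields zeroed, plus payload."""
    return f"{pkt.src}|{pkt.dst}|ttl=0|".encode() + pkt.payload

def ah_icv(pkt: Packet) -> bytes:
    return hmac.new(KEY, ah_covered_bytes(pkt), hashlib.sha256).digest()

def esp_icv(pkt: Packet) -> bytes:
    """What ESP authenticates: the ESP payload only; the outer IP header is not covered."""
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()

def forward_hop(pkt: Packet) -> Packet:
    """A plain router: decrements TTL but leaves the addresses alone."""
    return replace(pkt, ttl=pkt.ttl - 1)

def nat_hop(pkt: Packet, public_ip: str) -> Packet:
    """A natd-style gateway: rewrites the private source address (and decrements TTL)."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)

def ah_valid_after(pkt: Packet, hop) -> bool:
    """ICV computed by the sender, re-checked by the receiver on what the hop emitted."""
    return hmac.compare_digest(ah_icv(pkt), ah_icv(hop(pkt)))

def esp_valid_after(pkt: Packet, hop) -> bool:
    return hmac.compare_digest(esp_icv(pkt), esp_icv(hop(pkt)))

if __name__ == "__main__":
    laptop = Packet("192.168.0.10", "203.0.113.5", 64, b"tunnelled data")  # constructed
    to_nat = lambda p: nat_hop(p, "198.51.100.7")  # constructed public WAN address
    print("AH  survives plain router:", ah_valid_after(laptop, forward_hop))  # True
    print("AH  survives NAT:         ", ah_valid_after(laptop, to_nat))       # False
    print("ESP survives NAT:         ", esp_valid_after(laptop, to_nat))      # True
```

The plain-router case is included to show that AH tolerates mutable-field changes by design; it is specifically the address rewrite that invalidates the ICV.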
