how to configure a FreeBSD firewall to pass IPSec?

V.M.Smith vmsmith at grokking.org
Thu May 1 04:29:08 PDT 2003


Hi,

Looks like you just want client-side "pass-through" functionality. If
this is correct, try using ipf/ipnat and write a map proxy rule in
/etc/ipnat.rules. 

I use this, assuming ipf/ipnat on a dual-homed gateway:


[NOTE: this should appear BEFORE other map entries.]

# IKE (UDP/500) is handed to ipnat's ipsec proxy, which also creates the NAT
# mapping for the ESP that follows the key exchange.
map <wan_interface> <internal_lan_address_range> -> 0/32 proxy port 500 ipsec/udp


Then make sure your /etc/ipf.rules has appropriate entries to support
it. I use these:


# ESP (IP protocol 50) from the LAN client; the state entry lets the
# gateway's replies back in.
pass in quick on <lan_interface> proto 50 from any to any keep state

# IKE/ISAKMP: the client negotiates from UDP source port 500.
pass in quick on <lan_interface> proto udp from any port = 500 to any keep state


Try using tcpdump on the gateway to determine any additional needs
specific to your implementation and topology. Set aside some time and be
prepared to tinker...

Hope that helps,

VS



On Wed, 2003-04-30 at 15:00, freebsd-security-request at freebsd.org wrote:
> Today's Topics:
> 
>    1. how to configure a FreeBSD firewall to pass IPSec? (Guy Middleton)
>    2. Re: how to configure a FreeBSD firewall to pass IPSec?
>       (David G. Andersen)
>    3. Re: how to configure a FreeBSD firewall to pass IPSec?
>       (Lowell Gilbert)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Apr 2003 09:45:37 -0400
> From: Guy Middleton <guy at obstruction.com>
> Subject: how to configure a FreeBSD firewall to pass IPSec?
> To: freebsd-security at freebsd.org
> Message-ID: <20030430094537.A20710 at chaos.obstruction.com>
> Content-Type: text/plain; charset=us-ascii
> 
> I have a FreeBSD box acting as a firewall and NAT gateway
> 
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
> 
> Is there a way to do this?  I can't find any hints in the man pages.
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Apr 2003 07:55:27 -0600
> From: "David G. Andersen" <danderse at cs.utah.edu>
> Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
> To: Guy Middleton <guy at obstruction.com>
> Cc: freebsd-security at freebsd.org
> Message-ID: <20030430075527.A54362 at cs.utah.edu>
> Content-Type: text/plain; charset=us-ascii
> 
> Guy Middleton just mooed:
> > I have a FreeBSD box acting as a firewall and NAT gateway
> > 
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> > 
> > Is there a way to do this?  I can't find any hints in the man pages.
> 
>   It's probably using either ipip, esp, or ipencap.  tcpdump the
> traffic, and then permit whichever protocol it's using.
> 
>   permit esp from foo to bar
> 
>   -Dave
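Added example, not from V.M.Smith's message, Dave's, or anything on the list: a small Python script that does what the reply recommends, reading tcpdump output taken on the gateway and printing the ipf/ipnat lines the observed traffic calls for. The tcpdump lines embedded in it are constructed; the interface names fxp0 (LAN) and fxp1 (WAN), the 192.168.1.0/24 LAN, and the 40000:60000 portmap range are assumptions. The ipnat proxy line and the ESP/IKE pass rules follow the reply above; AH (protocol 51), IP-in-IP (protocol 4, what tcpdump shows as a nested IP header) and NAT-T on UDP/4500 are added so the script also covers the other things a capture can turn up, and the two trailing map lines are the ordinary portmap/map pair that the proxy line has to precede.

```python
# Added example (not from the original post): classify IPsec-related flows in
# tcpdump output and print the ipf/ipnat lines they call for.
# Interface names, addresses and the sample capture are assumptions
# constructed for this example.
import ipaddress
import sys

# Constructed tcpdump-style lines (as printed with -n): IKE, ESP, NAT-T, AH
# and one unrelated TCP SYN that must be ignored.
SAMPLE_TCPDUMP = """\
09:12:00.000100 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
09:12:00.020300 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident
09:12:01.104000 IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x1)
09:12:01.150000 IP 203.0.113.5 > 192.168.1.10: ESP(spi=0x0d3c2b1a,seq=0x1)
09:12:02.000000 IP 192.168.1.11.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x00112233,seq=0x1)
09:12:03.000000 IP 192.168.1.10 > 203.0.113.5: AH(spi=0x00000100,seq=0x2): ICMP echo request
09:12:04.000000 IP 192.168.1.12.49152 > 198.51.100.7.80: Flags [S], seq 1, win 65535
"""

# ipf rules per traffic kind, in the reply's "pass in quick ... keep state" style.
IPF_RULES = {
    "esp":     "pass in quick on {lan_if} proto esp from {lan_net} to any keep state",
    "ah":      "pass in quick on {lan_if} proto ah from {lan_net} to any keep state",
    "ipencap": "pass in quick on {lan_if} proto 4 from {lan_net} to any keep state",
    "ike":     "pass in quick on {lan_if} proto udp from {lan_net} port = 500 to any port = 500 keep state",
    "nat-t":   "pass in quick on {lan_if} proto udp from {lan_net} to any port = 4500 keep state",
}
# The ipsec proxy line must precede the ordinary map lines in ipnat.rules.
IPNAT_PROXY = "map {wan_if} {lan_net} -> 0/32 proxy port 500 ipsec/udp"
IPNAT_BASE = [
    "map {wan_if} {lan_net} -> 0/32 portmap tcp/udp 40000:60000",
    "map {wan_if} {lan_net} -> 0/32",
]

def parse_endpoint(tok):
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = tok.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return tok, None
    raise ValueError("not a numeric IPv4 endpoint: %r" % tok)

def parse_line(line):
    """Return (src, sport, dst, dport, payload), or None for a non-packet line.

    Accepts both "ts IP src > dst: ..." and the older "ts src > dst: ..." form.
    """
    head, sep, payload = line.rstrip("\n").partition(": ")
    toks = head.split()
    if not sep or len(toks) < 3 or toks[-2] != ">":
        return None
    try:
        (src, sport), (dst, dport) = parse_endpoint(toks[-3]), parse_endpoint(toks[-1])
    except ValueError:
        return None
    return src, sport, dst, dport, payload

def classify(rec):
    """Map one parsed line to a traffic kind, or None if it is not IPsec-related."""
    _, sport, _, dport, payload = rec
    if payload.startswith("ESP("):
        return "esp"                       # IP protocol 50
    if payload.startswith("AH("):
        return "ah"                        # IP protocol 51
    if payload.startswith("IP "):
        return "ipencap"                   # nested IP header: IP-in-IP, protocol 4
    if 4500 in (sport, dport):
        return "nat-t"                     # IKE/ESP wrapped in UDP/4500
    if 500 in (sport, dport) and payload.startswith("isakmp"):
        return "ike"
    return None

def suggest_rules(tcpdump_text, lan_if, wan_if, lan_net):
    """Return (seen, ipf_rules, ipnat_rules); seen maps kind -> set of LAN hosts."""
    net = ipaddress.ip_network(lan_net)
    seen = {}
    for line in tcpdump_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind is None:
            continue
        inside = [h for h in (rec[0], rec[2]) if ipaddress.ip_address(h) in net]
        if inside:                         # ignore flows with no LAN endpoint
            seen.setdefault(kind, set()).add(inside[0])
    ipf_rules = [r.format(lan_if=lan_if, lan_net=lan_net)
                 for k, r in IPF_RULES.items() if k in seen]
    ipnat_rules = [IPNAT_PROXY] if "ike" in seen else []
    ipnat_rules = [r.format(wan_if=wan_if, lan_net=lan_net)
                   for r in ipnat_rules + IPNAT_BASE]
    return seen, ipf_rules, ipnat_rules

if __name__ == "__main__":
    # Optional argument: a file holding "tcpdump -n" output; else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TCPDUMP
    seen, ipf_rules, ipnat_rules = suggest_rules(text, "fxp0", "fxp1", "192.168.1.0/24")
    for kind, hosts in sorted(seen.items()):
        print("%-8s %s" % (kind, ", ".join(sorted(hosts))))
    print("\n# /etc/ipnat.rules (proxy line first)\n" + "\n".join(ipnat_rules))
    print("\n# /etc/ipf.rules\n" + "\n".join(ipf_rules))
```

Capture on the LAN side with `tcpdump -n -l -i fxp0 > cap.txt` while the client brings its tunnel up, then run `python3 ipsec_rules.py cap.txt`; without `-n` tcpdump prints hostnames and the parser skips those lines. The generated pass rules are scoped to the LAN network rather than `any`, and the script only decides which protocols to open; it still follows the reply's ordering constraint by emitting the proxy map line ahead of the generic ones.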