
VPN client probs behind OpenBSD fw since 3.0 upgd



I recently re-OS'd my OpenBSD firewall and installed
OpenBSD 3.0 (I had been using v2.9).  With only a few
modifications, I easily converted my IPF ruleset to
PF.  Almost everything with the fw is working
flawlessly.

However, since the upgrade, I've been having problems
with using IPSEC clients (Cisco's VPN 5000 client)
behind the firewall to connect to VPN appliances
(Cisco 5000 and Intraport VPN servers) elsewhere on
the Internet.  I had no problems prior to the upgrade.

The problem is: the IPSEC client can successfully
negotiate a connection with the VPN server (and during
the negotiation, I see traffic passing in both
directions), but thereafter, the firewall never passes
any inbound traffic from the client to the VPN server
(or apparently from the server to the client).

My IPF ruleset for OpenBSD 2.9 looked generally like
this:

pass in  quick on lo0 all
pass out quick on lo0 all

[ ... block inbound packets with non-routable source addresses, short frags, ip-options ... ]

# Explicitly trust inbound traffic from internal LAN...
block in quick on xl1 all head 1
pass in quick on xl1 proto icmp from 172.19.1.0/24 to any keep state group 1
pass in quick on xl1 proto tcp/udp from 172.19.1.0/24 to any keep state keep frags group 1

# Explicitly allow ICMP/UDP/TCP outbound traffic
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags

block in log all
block out log all


This seemed to allow IPSEC clients operating behind
the firewall to operate fine.  The VPN clients are
configured to use "NAT transparency mode", so they
also communicate with the VPN Server over TCP 80 and
TCP 500.  Because of this, NATing at the firewall
itself did not interfere (and should not interfere
now) with the IPSEC connection.

The last two sections, modified for use with PF, now
look like:

# Explicitly trust inbound traffic from private LAN...
pass in quick on $Intf_Inside inet proto icmp from 172.19.1.0/24 to any keep state
pass in quick on $Intf_Inside inet proto { tcp, udp } from 172.19.1.0/24 to any keep state

# Explicitly allow ICMP/UDP/TCP outbound traffic
pass out quick inet proto icmp from any to any keep state
pass out quick inet proto { tcp, udp } from any to any keep state


At first, I thought it might be an issue with my PF
ruleset, so I went with a "pass everything" ruleset to
test that premise:

pass in all
pass out all

But the problem still remains.

With a pass-all ruleset in place, when I run tcpdump
on the firewall's external (xl0) and internal (xl1)
interfaces, I see the negotiation:

(Traffic to/from the VPN client):
bash-2.05# tcpdump -i xl1 host vpn.example.com
tcpdump: listening on xl1
20:01:02.669678 mymac.host.net.500 > vpn.example.com.www: S 1935278336:1935278336(0) win 65535 (DF)
20:01:02.689736 vpn.example.com.www > mymac.host.net.500: S 1208221952:1208221952(0) ack 1935278337 win 65535 (DF)
20:01:02.844406 mymac.host.net.500 > vpn.example.com.www: . ack 1 win 65535 (DF)
20:01:03.042672 mymac.host.net.500 > vpn.example.com.www: P 2:316(314) ack 1 win 65535 (DF)
20:01:04.457991 vpn.example.com.www > mymac.host.net.500: P 1:255(254) ack 2 win 65535
20:01:06.108652 mymac.host.net.500 > vpn.example.com.www: P 3:61(58) ack 1 win 65535 (DF)
20:01:06.136000 vpn.example.com.www > mymac.host.net.500: P 1:151(150) ack 2 win 65535
20:01:08.120643 mymac.host.net.500 > vpn.example.com.www: P 4:186(182) ack 1 win 65535 (DF)
20:01:08.158046 vpn.example.com.www > mymac.host.net.500: P 1:135(134) ack 2 win 65535


(Traffic to/from the VPN server):
bash-2.05# tcpdump -i xl0 host vpn.example.com
tcpdump: listening on xl0
20:01:02.669787 myfw.host.net.64500 > vpn.example.com.www: S 1935278336:1935278336(0) win 65535 (DF)
20:01:02.689685 vpn.example.com.www > myfw.host.net.64500: S 1208221952:1208221952(0) ack 1935278337 win 65535 (DF)
20:01:02.844457 myfw.host.net.64500 > vpn.example.com.www: . ack 1 win 65535 (DF)
20:01:03.042725 myfw.host.net.64500 > vpn.example.com.www: P 2:316(314) ack 1 win 65535 (DF)
20:01:04.457925 vpn.example.com.www > myfw.host.net.64500: P 1:255(254) ack 2 win 65535
20:01:06.108716 myfw.host.net.64500 > vpn.example.com.www: P 3:61(58) ack 1 win 65535 (DF)
20:01:06.135943 vpn.example.com.www > myfw.host.net.64500: P 1:151(150) ack 2 win 65535
20:01:08.121107 myfw.host.net.64500 > vpn.example.com.www: P 4:186(182) ack 1 win 65535 (DF)
20:01:08.157985 vpn.example.com.www > myfw.host.net.64500: P 1:135(134) ack 2 win 65535

At this point, the client reports that I am
successfully connected and the client is assigned a
dynamic IP address by the VPN server for the purpose
of the connection.

Now if I try to connect to any host in the remote LAN
across the VPN, the firewall sees my client's traffic
inbound:

(Traffic to/from the VPN client):
bash-2.05# tcpdump -i xl1 host vpn.example.com
tcpdump: listening on xl1
20:04:57.020585 mymac.host.net.500 > vpn.example.com.www: P 2359688960:2359689070(110) ack 3086745344 win 65535 (DF)
[ ... repeat ad infinitum ... ]

But tcpdump on xl0 (the external interface of the
firewall) shows no outbound traffic destined for the
VPN server.  And any inbound traffic from the VPN
server which shows up on the external interface never
makes it to the client.

Interestingly, if at this point you instruct the
client to disconnect, and then reconnect, the problem
with not passing the traffic remains and prevents the
client from connecting and negotiating with the VPN
server altogether.  Packets arrive on the internal
interface of the firewall but never leave:

20:08:20.621570 mymac.host.net.500 > vpn.example.com.www: S 706281728:706281728(0) win 65535 (DF)
20:08:58.678024 mymac.host.net.500 > vpn.example.com.www: S 270729472:270729472(0) win 65535 (DF)

The state table still has entries for the previous
connection:

bash-2.05# pfctl -ss | grep '[vpn server]'
TCP  [vpn server]:80 <- 172.19.1.3:500       ESTABLISHED:ESTABLISHED
TCP  172.19.1.3:500 -> [my openbsd fw]:64500 -> [vpn server]:80       ESTABLISHED:ESTABLISHED

If you then clear the state table:

# pfctl -Fs

The VPN client can connect again successfully (but
still not pass any traffic thereafter).

My /etc/sysctl.conf is:

net.inet.tcp.recvspace=64240
net.inet.tcp.sendspace=64240
net.inet.tcp.mssdflt=1460
net.inet.ip.forwarding=1

My /etc/nat.conf is:

nat on xl0 from 172.19.1.0/24 to any -> [fw external IP]
rdr on xl1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081


I'm really stumped as to what the source of the
problem could be.  Has anybody experienced this or
have any suggestions on things I could try?
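An added example, not from the post, that checks the symptom described above mechanically: it correlates the inside (xl1) and outside (xl0) captures by the fields NAT does not rewrite (TCP flags, sequence range, ack), recovers the NAT mapping, and lists inside packets that never appeared on the outside interface. The sample lines are constructed to match the post's captures, and the host names and tcpdump line format are assumed to be as shown there.

```python
import re

# Constructed sample lines modelled on the post's captures (not its verbatim output); the
# inside (xl1) capture includes the data packet that never shows up on the outside (xl0).
INSIDE_XL1 = """\
20:01:02.669678 mymac.host.net.500 > vpn.example.com.www: S 1935278336:1935278336(0) win 65535 (DF)
20:01:02.844406 mymac.host.net.500 > vpn.example.com.www: . ack 1 win 65535 (DF)
20:01:03.042672 mymac.host.net.500 > vpn.example.com.www: P 2:316(314) ack 1 win 65535 (DF)
20:01:04.457991 vpn.example.com.www > mymac.host.net.500: P 1:255(254) ack 2 win 65535
20:04:57.020585 mymac.host.net.500 > vpn.example.com.www: P 2359688960:2359689070(110) ack 3086745344 win 65535 (DF)
"""
OUTSIDE_XL0 = """\
20:01:02.669787 myfw.host.net.64500 > vpn.example.com.www: S 1935278336:1935278336(0) win 65535 (DF)
20:01:02.844457 myfw.host.net.64500 > vpn.example.com.www: . ack 1 win 65535 (DF)
20:01:03.042725 myfw.host.net.64500 > vpn.example.com.www: P 2:316(314) ack 1 win 65535 (DF)
20:01:04.457925 vpn.example.com.www > myfw.host.net.64500: P 1:255(254) ack 2 win 65535
"""

# tcpdump 3.x TCP line: <ts> <src>.<port> > <dst>.<port>: <flags> [<seq>:<seq>(<len>)] [ack <n>] ...
LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+)(?: (\d+:\d+\(\d+\)))?(?: ack (\d+))?")

def parse(line):
    """Fields of one tcpdump TCP line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, flags, seg, ack = m.groups()
    shost, sport = src.rsplit(".", 1)   # last dotted component is the port (or service name)
    dhost, dport = dst.rsplit(".", 1)
    return {"ts": ts, "src": shost, "sport": sport, "dst": dhost, "dport": dport,
            "flags": flags, "seg": seg or "", "ack": ack or ""}

def flow_key(p, server):
    """NAT rewrites the client address/port but not flags, seq range or ack, so key on
    those plus the direction relative to the VPN server."""
    return ("out" if p["dst"] == server else "in", p["flags"], p["seg"], p["ack"])

def unforwarded(inside, outside, server):
    """Inside packets with no counterpart on the outside interface (the post's symptom)."""
    seen = {flow_key(p, server) for p in map(parse, outside.splitlines()) if p}
    return [l for l in inside.splitlines() if parse(l) and flow_key(parse(l), server) not in seen]

def nat_mapping(inside, outside, server):
    """Client (host, port) -> translated (host, port), from outbound packets seen on both sides."""
    outside_src = {flow_key(p, server): (p["src"], p["sport"])
                   for p in map(parse, outside.splitlines()) if p and p["dst"] == server}
    return {(p["src"], p["sport"]): outside_src[flow_key(p, server)]
            for p in map(parse, inside.splitlines())
            if p and p["dst"] == server and flow_key(p, server) in outside_src}
```

Run against real captures by replacing the two constants with the output of the tcpdump commands shown above; any line reported by unforwarded() is a packet the firewall accepted on xl1 but did not emit on xl0.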