
IPSec up and running, but no ping reply



Hello

I've been running an OpenBSD firewall (bart) for about a year now, without any major hassle. I have 8 public IPs so I set it up as a transparent bridge with no IP on the internal interface. Let's call the IP range 1.2.3.0/29:

Public webservers <> --- <dc0> -[bart]- <xl0> --- <> ISP GW <> -- I'net
IP: 1.2.3.3 - .6          N/A           1.2.3.2      1.2.3.1

The public webservers use their IPs .3 - .6 and the gateway IP of .1 and are completely unaware of bart.

So far so good. Now my client (the network owner) wants IPSec capabilities with road warriors, windows clients and X.509 certificates.
I've configured SSH Sentinel to successfully connect and set up the SAs, but I don't see anything on the other side. If I try to watch the logs on bart in realtime I get disconnected (I must use SSH since the servers are locked up at the colocation site). I'm unable to ping any of the webservers or connect by TCP/IP (e.g. telnet 1.2.3.3 80).
I tested on an ADSL connection with a public IP 80.70.60.50, and at the time my WinDOS box was NOT behind a NAT router.


I followed the excellent guide at http://www.allard.nu/openbsd/, client config here: http://www.allard.nu/openbsd/sentinel/index.html

I have a few ideas:
* Should I try to exchange bart's IP address so that dc0 gets the IP and not xl0? I'm a bit reluctant since the above setup is in production. It's possible to try it out, but I need to plan that a few days ahead.
* Should I set up routing with one IP for dc0 and one for xl0? Any pointers to some documentation for how that would work? I'm not so sure about how that works... I don't want to use private addressing (10.0.0.0/8, 192.168.0.0/16 or the likes).
* Is there some trivial setup I'm missing?


* Any ideas are welcome ;)

Let's begin with the IPSec config and log file. At the bottom I've added the dreary details of the network/bridge setup:

==> isakmpd.policy <==
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right algorithm
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";



==> isakmpd.conf <==
[General]
Policy-File=            /etc/isakmpd/isakmpd.policy
Listen-on=              1.2.3.2

[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients


# Phase 1 peer sections #######################

[ISAKMP-clients]
Phase=                  1
Transport=              udp
Configuration=          main-mode
ID=                     my-ID

[my-ID]
ID-type=                FQDN
Name=                   bart.atcg.dk

# Phase 2 sections
##################

[IPsec-clients]
Phase=                  2
Configuration=          quick-mode
Local-ID=               default-route
Remote-ID=              dummy-remote

[default-route]
ID-type=        IPV4_ADDR_SUBNET
Network=        0.0.0.0
Netmask=        0.0.0.0
#Network=        1.2.3.0
#Netmask=        255.255.255.248

[dummy-remote]
ID-type=        IPV4_ADDR
Address=        0.0.0.0

[x509-certificates]
CA-directory=   /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key=    /etc/isakmpd/private/local.key

# Transform descriptions
########################
#
# For Main Mode:
#   {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
#
# For Quick Mode:
#   QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE

# Main -and quick mode transforms

[main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=BLF-SHA-RSA_SIG

[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-SHA-SUITE


---------------------------------------------
As I said above I followed the guide at allard.nu, only I didn't use the custom x509v3.cnf for generating ca.crt.
This is my procedure:


openssl genrsa -out /etc/ssl/private/ca.key 1024
openssl req -new -key /etc/ssl/private/ca.key -out /etc/ssl/private/ca.csr
# Here I filled out almost all the fields, using bart.atcg.dk as CN
openssl x509 -req -days 730 -in /etc/ssl/private/ca.csr -signkey /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
cp /etc/ssl/ca.crt /etc/isakmpd/private
openssl genrsa -out /etc/isakmpd/private/local.key 1024
openssl req -new -key /etc/isakmpd/private/local.key -out /etc/isakmpd/private/bart.atcg.dk.csr
# Here I again filled out almost all the fields, using bart.atcg.dk as CN
openssl x509 -req -days 365 -in /etc/isakmpd/private/bart.atcg.dk.csr -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key -CAcreateserial -out /etc/isakmpd/certs/bart.atcg.dk.crt
# certpatch takes an input file and an output file; here the same path is given twice to patch the certificate in place
certpatch -k /etc/ssl/private/ca.key -t FQDN -i bart.atcg.dk /etc/isakmpd/certs/bart.atcg.dk.crt /etc/isakmpd/certs/bart.atcg.dk.crt
openssl genrsa -out /etc/isakmpd/private/phil-atcg.dk.key 1024
openssl req -new -key /etc/isakmpd/private/phil-atcg.dk.key -out /etc/isakmpd/private/phil-atcg.dk.csr
# Here I filled out almost all the fields, using phil_(_at_)_atcg_(_dot_)_dk as CN
openssl x509 -req -days 365 -CAcreateserial -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key -in /etc/isakmpd/private/phil-atcg.dk.csr -out /etc/isakmpd/certs/phil-atcg.dk.crt
certpatch -k /etc/ssl/private/ca.key -t UFQDN -i phil_(_at_)_atcg_(_dot_)_dk /etc/isakmpd/certs/phil-atcg.dk.crt /etc/isakmpd/certs/phil-atcg.dk.crt
openssl pkcs12 -export -certfile /etc/ssl/ca.crt -inkey /etc/isakmpd/private/phil-atcg.dk.key -in /etc/isakmpd/certs/phil-atcg.dk.crt -out /etc/isakmpd/certs/phil-atcg.dk.p12
openssl pkcs12 -export -certfile /etc/ssl/ca.crt -inkey /etc/isakmpd/private/local.key -in /etc/isakmpd/certs/bart.atcg.dk.crt -out /etc/isakmpd/certs/bart.atcg.dk.p12


I then imported the two .p12 files into SSH Sentinel, set my security gateway to bart.atcg.dk, IP net to 1.2.3.0/29 and Virtual IP to 1.2.3.4/255.255.255.248 (free IP). After that I was then good to go as the Diagnostics completed without error and the VPN connection came up and reported success. Then my connection to the 1.2.3.0/29 network died. :(

I tried using IP net 0.0.0.0/0 and Virtual IP 1.2.3.4/255.255.255.255, but no luck.
---------------------------------------------


The guide at allard.nu says to expect some lines in the output from isakmpd:
# isakmpd -d -D9=99
114844.940053 Plcy 30 policy_init: initializing
114856.819042 Plcy 90 x509_generate_kn: generating KeyNote policy for certificate 0x107900
114856.820051 Plcy 60 x509_generate_kn: added credential
114856.820498 Plcy 80 x509_generate_kn: added credential:
Authorizer: "DN:/C=SE/O=Cell/CN=BSD_CA"
Licensees: "DN:/C=SE/O=Cell/CN=Johan Hedin"
Conditions: GMTTimeOfDay = "20020423105139" && GMTTimeOfDay


Mine read:
# isakmpd -d -DA=99 -D1=70 > isakmpd.log 2>&1 &
202403.017980 Plcy 30 policy_init: initializing
202414.409028 Plcy 90 x509_generate_kn: generating KeyNote policy for certificate 0x11b880
202414.409232 Plcy 60 x509_generate_kn: added credential
202414.409292 Plcy 80 x509_generate_kn: added credential:
Authorizer: "DN:/C=DK/ST=Albertslund/L=Albertslund/O=ATCG/OU=IT/CN=bart.atcg/emailAddress=phil_(_at_)_atcg_(_dot_)_dk"
Licensees: "DN:/C=DK/ST=Albertslund/L=Al


And it cuts here... (Note to self: try it without all the cert details... )

The rest of the log file is a 1 MB monstrosity for a simple probe connection, so I only include some chosen parts here:

202414.479072 Plcy 40 check_policy: adding authorizer [rsa-hex:30818902818100d88487e373a491b0bb32cfc51dc8f87577d68d3a9e2967a20829c8080b8eb6fff8633e96d8794eccb7d82844aa9550a2cf12a29f076c0220a2cf27fba0f508ca963f27348fa68626
202414.479251 Plcy 40 check_policy: adding authorizer [DN:/C=DK/ST=Albertslund/L=Albertslund/O=ATCG/OU=IT/CN=phil_(_at_)_atcg_(_dot_)_dk/emailAddress=phil_(_at_)_atcg_(_dot_)_dk]
[snip]
202414.479694 Plcy 80 Policy context (action attributes):
202414.479721 Plcy 80 esp_present == yes
202414.479735 Plcy 80 ah_present == no
202414.479748 Plcy 80 comp_present == no
202414.479762 Plcy 80 ah_hash_alg ==
202414.479776 Plcy 80 esp_enc_alg == aes
202414.479789 Plcy 80 comp_alg ==
202414.479802 Plcy 80 ah_auth_alg ==
202414.479816 Plcy 80 esp_auth_alg == hmac-md5
202414.479830 Plcy 80 ah_life_seconds ==
202414.479843 Plcy 80 ah_life_kbytes ==
202414.479857 Plcy 80 esp_life_seconds == 3600
202414.479871 Plcy 80 esp_life_kbytes == 409600
202414.479886 Plcy 80 comp_life_seconds ==
202414.479900 Plcy 80 comp_life_kbytes ==
202414.479913 Plcy 80 ah_encapsulation ==
202414.479928 Plcy 80 esp_encapsulation == tunnel
202414.479942 Plcy 80 comp_encapsulation ==
202414.479955 Plcy 80 comp_dict_size ==
202414.479969 Plcy 80 comp_private_alg ==
202414.479983 Plcy 80 ah_key_length ==
202414.479996 Plcy 80 ah_key_rounds ==
202414.480010 Plcy 80 esp_key_length == 128
202414.480023 Plcy 80 esp_key_rounds ==
202414.480037 Plcy 80 ah_group_desc ==
202414.480050 Plcy 80 esp_group_desc ==
202414.480064 Plcy 80 comp_group_desc ==
202414.480077 Plcy 80 ah_ecn == no
202414.480090 Plcy 80 esp_ecn == no
202414.480104 Plcy 80 comp_ecn == no
202414.480118 Plcy 80 remote_filter_type == IPv4 address
202414.480133 Plcy 80 remote_filter_addr_upper == 001.002.003.004
202414.480147 Plcy 80 remote_filter_addr_lower == 001.002.003.004
202414.480161 Plcy 80 remote_filter == 001.002.003.004
202414.480175 Plcy 80 remote_filter_port == 0
202414.480189 Plcy 80 remote_filter_proto == 0
202414.480203 Plcy 80 local_filter_type == IPv4 subnet
202414.480217 Plcy 80 local_filter_addr_upper == 001.002.003.007
202414.480232 Plcy 80 local_filter_addr_lower == 001.002.003.000
202414.480246 Plcy 80 local_filter == 001.002.003.000-001.002.003.007
202414.480260 Plcy 80 local_filter_port == 0
202414.480274 Plcy 80 local_filter_proto == 0
202414.480288 Plcy 80 remote_id_type == User FQDN
202414.480302 Plcy 80 remote_id_addr_upper ==
202414.480316 Plcy 80 remote_id_addr_lower ==
202414.480329 Plcy 80 remote_id == phil_(_at_)_atcg_(_dot_)_dk
202414.480343 Plcy 80 remote_id_port == 0
202414.480357 Plcy 80 remote_id_proto == 0
202414.480371 Plcy 80 remote_negotiation_address == 080.070.060.050
202414.480386 Plcy 80 local_negotiation_address == 001.002.003.002
202414.480399 Plcy 80 pfs == no
202414.480413 Plcy 80 initiator == no
202414.480427 Plcy 80 phase1_group_desc == 2
202414.480494 Plcy 40 check_policy: kn_do_query returned 1
202414.480551 Negt 30 message_negotiate_sa: proposal 1 succeeded
202414.480575 Misc 20 ipsec_decode_transform: transform 1 chosen
202414.480600 Exch 80 exchange_nonce: NONCE_i:
202414.480624 Exch 80 fd60de94 529e59fb 43ca2750 7836d357
202414.480644 Misc 60 connection_passive_lookup_by_ids: no match


Remember that 80.70.60.50 is my public ADSL IP address, and at the time my WinDOS box was NOT behind a NAT router.

This bit troubles me... It says no SA?
202414.506712 Exch 10 exchange_finalize: 0x189c00 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 32 step 2
202414.506731 Exch 10 exchange_finalize: icookie c6bdff6d0600001d rcookie db925bddced3ebd8
202414.506750 Exch 10 exchange_finalize: msgid 6702cd48 sa_list 0x189d00
202414.506769 SA 90 sa_find: no SA matched query
202414.506819 Misc 95 conf_get_str: configuration value not found [General]:Shared-SADB
202414.506869 Sdep 40 pf_key_v2_convert_id: UFQDN phil_(_at_)_atcg_(_dot_)_dk
202414.506890 Sdep 40 pf_key_v2_convert_id: FQDN bart.atcg.dk
202414.507211 Sdep 10 pf_key_v2_set_spi: satype 2 dst 80.70.60.50 SPI 0x27c64dc3
202414.507352 Timr 95 sa_setup_expirations: SA 0x189d00 soft timeout in 3060 seconds
202414.507375 Timr 10 timer_add_event: event sa_soft_expire(0x189d00) added before sa_soft_expire(0x171300), expiration in 3060s
202414.507394 SA 80 sa_reference: SA 0x189d00 now has 3 references
202414.507430 Timr 95 sa_setup_expirations: SA 0x189d00 hard timeout in 3600 seconds
202414.507451 Timr 10 timer_add_event: event sa_hard_expire(0x189d00) added before sa_soft_expire(0x171300), expiration in 3600s
202414.507469 SA 80 sa_reference: SA 0x189d00 now has 4 references


Then we get:
202414.510948 Sdep 50 pf_key_v2_set_spi: done
202414.510981 Misc 95 conf_get_str: configuration value not found [General]:Shared-SADB
202414.511006 Sdep 40 pf_key_v2_convert_id: UFQDN phil_(_at_)_atcg_(_dot_)_dk
202414.511042 Sdep 40 pf_key_v2_convert_id: FQDN bart.atcg.dk
202414.511138 Sdep 10 pf_key_v2_set_spi: satype 2 dst 1.2.3.2 SPI 0x92a04143
[snip]
202414.514858 Sdep 50 pf_key_v2_set_spi: done
202414.514899 Exch 50 ipsec_finalize_exchange: src 1.2.3.0 255.255.255.248 dst 1.2.3.4 255.255.255.255 tproto 0 sport 0 dport 0
202414.514919 Sdep 40 pf_key_v2_convert_id: UFQDN phil_(_at_)_atcg_(_dot_)_dk
202414.515001 Sdep 40 pf_key_v2_convert_id: FQDN bart.atcg.dk255.255.255.248
202414.515052 Sdep 50 pf_key_v2_flow: src 1.2.3.0 255.255.255.248 dst 1.2.3.4 255.255.255.255 proto 0 sport 0 dport 0
[snip]
202414.515952 Misc 50 pf_key_v2_flow: ADDFLOW: done
202414.515994 Sdep 50 pf_key_v2_flow: src 1.2.3.4 255.255.255.255 dst 1.2.3.0 255.255.255.248 proto 0 sport 0 dport 0
[snip]
202414.516953 Misc 50 pf_key_v2_flow: ADDFLOW: done
202414.516972 SA 90 sa_find: no SA matched query
202414.516994 SA 80 sa_release: SA 0x189d00 had 4 references
[snip]
202414.518198 Exch 10 exchange_setup_p2: 0x189c00 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
202414.518219 Exch 10 exchange_setup_p2: icookie c6bdff6d0600001d rcookie db925bddced3ebd8
202414.518237 Exch 10 exchange_setup_p2: msgid ec6b89ce sa_list
202414.518258 Exch 90 exchange_validate: checking for required INFO
202414.518276 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
202414.518294 Exch 10 exchange_run: unexpected payload HASH
202414.518319 SA 90 sa_find: return SA 0x189d00
202414.518340 SA 30 ipsec_delete_spi_list: DELETE made us delete SA 0x189d00 (3 references) for proto 3
202414.518357 Timr 10 timer_remove_event: removing event sa_hard_expire(0x189d00)
202414.518375 Timr 10 timer_remove_event: removing event sa_soft_expire(0x189d00)
202414.518391 SA 70 sa_remove: SA 0x189d00 removed from SA list
202414.518407 SA 80 sa_release: SA 0x189d00 had 1 references
202414.518421 SA 60 sa_release: freeing SA 0x189d00
202414.518476 Sdep 50 pf_key_v2_flow: src 1.2.3.0 255.255.255.248 dst 1.2.3.4 255.255.255.255 proto 0 sport 0 dport 0


And it continues like this, creating and deleting SAs.

---------------------------------------------
And finally here's my network config:

phil_(_at_)_bart:~$ tail /etc/*name* /etc/mygate
==> /etc/bridgename.bridge0 <==
add dc0
add xl0
# Block all non IP/IP6/ARP/RARP traffic on external interface:
blocknonip xl0
up

==> /etc/hostname.dc0 <==
# Internal interface:
up

==> /etc/hostname.xl0 <==
# External interface:
inet 1.2.3.2 255.255.255.248 NONE

==> /etc/myname <==
bart

==> /etc/mygate <==
1.2.3.1

phil_(_at_)_bart:~$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
       inet 127.0.0.1 netmask 0xff000000
       inet6 ::1 prefixlen 128
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
       address: 00:e0:dc:c1:62:3f
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet6 fe80::2e0:dcff:fec1:623f%dc0 prefixlen 64 scopeid 0x1
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
       address: 00:5d:d2:49:b3:ec
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 1.2.3.2 netmask 0xffffff80 broadcast 1.2.3.7
       inet6 fe80::25d:d2ff:fe49:b3ec%xl0 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
       address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
       address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

phil_(_at_)_bart:~$ brconfig -a
bridge0: flags=41<UP,RUNNING>
       Configuration:
               priority 32768 hellotime 2 fwddelay 15 maxage 20
       Interfaces:
               xl0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                       port 2 ifpriority 128 ifcost 55
               dc0 flags=3<LEARNING,DISCOVER>
                       port 1 ifpriority 128 ifcost 55
       Addresses (max cache: 100, timeout: 240):
               00:xx:xx:xx:xx:xx dc0 1 flags=0<>
               00:xx:xx:xx:xx:xx dc0 0 flags=0<>
               00:xx:xx:xx:xx:xx dc0 0 flags=0<>
               00:xx:xx:xx:xx:xx xl0 1 flags=0<>
               00:xx:xx:xx:xx:xx dc0 1 flags=0<>
               00:xx:xx:xx:xx:xx dc0 0 flags=0<>


(Sorry about the blatant attempt at hiding the innocent ;)

phil_(_at_)_bart:~$ netstat -rn
Routing tables

Internet:
Destination        Gateway              Flags    Refs      Use    Mtu  Interface
default            1.2.3.1              UGS         1    26511      -  xl0
1.2.3.0/29         link#2               UC          0        0      -  xl0
1.2.3.1            0:xx:xx:xx:xx:xx     UHL         1        0      -  xl0
1.2.3.2            127.0.0.1            UGHS        0        0  33224  lo0
1.2.3.3            0:xx:xx:xx:xx:xx     UHL         1       30      -  xl0
1.2.3.4            0:xx:xx:xx:xx:xx     UHL         0       20      -  xl0
127/8              127.0.0.1            UGRS        0        0  33224  lo0
127.0.0.1          127.0.0.1            UH          2        0  33224  lo0
224/4              127.0.0.1            URS         0        0  33224  lo0



When SSH Sentinel reports success, this is added at the bottom for the enc0 interface:


Encap:
Source       Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
1.2.3.4/32   0     1.2.3.0/29   0     0      80.70.60.50/50/use/in
1.2.3.0/29   0     1.2.3.4/32   0     0      80.70.60.50/50/require/out



The WinDOS box says (this was behind the NAT router, sorry, no time to do it properly):
C:\>route print
===========================================================================
List of interfaces:
0x1 ........................... MS TCP Loopback interface
0x2 ...00 47 9d 30 f2 d5 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Miniport to Packet Scheduler
0x3 ...0a b5 d3 cf 7f 7e ...... SSH Virtual Network Adapter (sshvnic) - Miniport to Packet Scheduler
===========================================================================
===========================================================================
Active routes:
Network destination  Netmask          Gateway      Interface    Metric
0.0.0.0              0.0.0.0          192.168.1.1  192.168.1.6  20
1.2.3.0              255.255.255.248  1.2.3.4      1.2.3.4      20
1.2.3.2              255.255.255.255  192.168.1.1  192.168.1.6  1
1.2.3.4              255.255.255.255  127.0.0.1    127.0.0.1    20
1.255.255.255        255.255.255.255  1.2.3.4      1.2.3.4      20
127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
192.168.1.0          255.255.255.0    192.168.1.6  192.168.1.6  20
192.168.1.6          255.255.255.255  127.0.0.1    127.0.0.1    20
192.168.1.255        255.255.255.255  192.168.1.6  192.168.1.6  20
224.0.0.0            240.0.0.0        1.2.3.4      1.2.3.4      20
224.0.0.0            240.0.0.0        192.168.1.6  192.168.1.6  20
255.255.255.255      255.255.255.255  1.2.3.4      1.2.3.4      1
255.255.255.255      255.255.255.255  192.168.1.6  192.168.1.6  1
Standardgateway: 192.168.1.1
===========================================================================
Persistent routes:
None


---------------------------------------------
Of course I have a pf.conf, here are the relevant sections (I have tried disabling pf while I tried connecting, no luck):
LoIF ="lo0" # loopback
IntIF ="dc0" # Internal servers
ExtIF ="xl0" # External


table <LocalSubnet> { 1.2.3.0/29 }

# non-routeable IP address ranges
table <NoRouteIPs> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }


IPFW           ="1.2.3.2"

set block-policy drop
set timeout { interval 10, frag 30 }
set limit   { frags 10000, states 25000 }
set loginterface $ExtIF
# Perhaps set to "aggressive" later on:
set optimization normal

#clean up fragmented and abnormal packets
scrub in all fragment reassemble random-id min-ttl 15 max-mss 1400

# Default policy: Silently block and log
block log

# localhost is unrestricted
pass quick on $LoIF
# Allow internal traffic to flow freely.
pass quick on $IntIF
pass quick on $ExtIF from <LocalSubnet> to <LocalSubnet>

pass out quick on $ExtIF inet proto icmp all keep state

#block nmap fingerprint attempt
block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP

# block and log all packets from reserved address space
block in  log quick on $ExtIF from <NoRouteIPs> to any
block out log quick on $ExtIF from any          to <NoRouteIPs>

# block and not log Internal NetBios traffic
block in log quick on $ExtIF proto { udp tcp } from any to any port { $NetbiosPorts }
block out quick on $ExtIF proto { udp tcp } from any to any port { $NetbiosPorts }


# Allow VPN traffic
# I heard some rumours about ports 2746 and 802, so I included them here...
# The more strict form is commented out at the moment, while testing the setup.
pass in quick proto esp
#from any to $IPFW
#pass in quick proto { tcp, udp } from any port = 500 to $IPFW port = 500 keep state
#pass in quick proto { tcp, udp } from any port = 2746 to $IPFW port = 2746 keep state
#pass in quick proto { tcp, udp } from any port = 802 to $IPFW port = 802 keep state
pass quick proto { tcp udp } from any port 500 to any port 500 keep state
pass quick proto { tcp udp } from any port 2746 to any port 2746 keep state
pass quick proto { tcp udp } from any port 802 to any port 802 keep state


pass quick on enc0 all

---------------------------------------------

That's all folks!
If you need some more info, just mention it. I'm reluctant to disclose the bare log file on account of IPs and such...
#include <sys/paranoia.h>
;)


Hope you can help me out with this.
Thanks, Phil
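The isakmpd debug output quoted in this post can be sifted mechanically rather than by eye. The following is an added example, not code from the original post or from isakmpd: a small Python parser for the `HHMMSS.usec Class Level function: message` line format that lists the flows `pf_key_v2_flow` installed, records any `exchange_run: unexpected payload` events, and flags SAs that were freed long before their hard timeout, which is the create/delete churn described above. The sample log is constructed from lines in the post; the 60-second churn threshold is an assumption.

```python
import ipaddress
import re

# Constructed sample: nine isakmpd -D lines abridged from the log quoted in the post.
SAMPLE_LOG = """\
202414.507211 Sdep 10 pf_key_v2_set_spi: satype 2 dst 80.70.60.50 SPI 0x27c64dc3
202414.507352 Timr 95 sa_setup_expirations: SA 0x189d00 soft timeout in 3060 seconds
202414.507430 Timr 95 sa_setup_expirations: SA 0x189d00 hard timeout in 3600 seconds
202414.515052 Sdep 50 pf_key_v2_flow: src 1.2.3.0 255.255.255.248 dst 1.2.3.4 255.255.255.255 proto 0 sport 0 dport 0
202414.515994 Sdep 50 pf_key_v2_flow: src 1.2.3.4 255.255.255.255 dst 1.2.3.0 255.255.255.248 proto 0 sport 0 dport 0
202414.518294 Exch 10 exchange_run: unexpected payload HASH
202414.518340 SA 30 ipsec_delete_spi_list: DELETE made us delete SA 0x189d00 (3 references) for proto 3
202414.518421 SA 60 sa_release: freeing SA 0x189d00
202414.518476 Sdep 50 pf_key_v2_flow: src 1.2.3.0 255.255.255.248 dst 1.2.3.4 255.255.255.255 proto 0 sport 0 dport 0
"""

LINE_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})\.(\d{6}) (\w+) (\d+) (\w+): (.*)$")
SA_RE = re.compile(r"SA (0x[0-9a-f]+)")
FLOW_RE = re.compile(r"src (\S+) (\S+) dst (\S+) (\S+)")
HARD_RE = re.compile(r"hard timeout in (\d+) seconds")

def parse_line(line):
    """Split one isakmpd -D line into timestamp (seconds of day), class, level, function, message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, usec, cls, level, func, msg = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(usec) / 1_000_000
    return {"ts": ts, "class": cls, "level": int(level), "func": func, "msg": msg}

def to_cidr(addr, mask):
    """'1.2.3.0', '255.255.255.248' -> '1.2.3.0/29' (the address/mask pairs pf_key_v2_flow prints)."""
    return str(ipaddress.IPv4Network((addr, mask), strict=False))

def analyze(log, churn_threshold=60.0):
    """Report installed flows, unexpected payloads and SAs freed within churn_threshold seconds."""
    created, hard, flows, short_lived, unexpected = {}, {}, [], [], []
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "sa_setup_expirations":
            sa = SA_RE.search(msg).group(1)
            created.setdefault(sa, rec["ts"])   # first mention is the installation time
            h = HARD_RE.search(msg)
            if h:
                hard[sa] = int(h.group(1))
        elif func == "pf_key_v2_flow" and (f := FLOW_RE.search(msg)):
            flow = f"{to_cidr(f.group(1), f.group(2))} -> {to_cidr(f.group(3), f.group(4))}"
            if flow not in flows:               # the log repeats flows on every re-negotiation
                flows.append(flow)
        elif func == "exchange_run" and msg.startswith("unexpected payload"):
            unexpected.append(msg.rsplit(" ", 1)[1])
        elif func == "sa_release" and msg.startswith("freeing SA"):
            sa = SA_RE.search(msg).group(1)
            if sa in created:
                life = rec["ts"] - created[sa]
                if life < churn_threshold:      # freed far earlier than its negotiated lifetime
                    short_lived.append({"sa": sa, "lifetime_s": round(life, 3),
                                        "hard_timeout_s": hard.get(sa)})
    return {"flows": flows, "short_lived": short_lived, "unexpected_payloads": unexpected}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it against the full `isakmpd.log` instead of the sample to see every SA that dies within seconds and the payload that preceded its deletion, without scrolling a 1 MB file.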