[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ANSWER...Re: VPN fails with firewall rules



IT APPEARS that this line was really important

  pass in on enc0 all

we're rolling fine now...thanx much
ted


Hakan Olsson wrote:
On Mon, 7 Apr 2003, ted jordan, jordanteam wrote:
...

5) kill isakmpd

...

Is it necessary to use

  pfctl -F all
  ipsecadm flush

after every test? Should I be flushing anything else?


If you just kill (or kill -TERM) isakmpd, it will send DELETE
notifications to the other side so that you will not need the ipsecadm
flush command. If you kill it with 'kill -KILL' (-9), isakmpd will not get
a chance to do this, and you will have to flush the flows manually.


# VPN settings per "man vpn"
# VPN isakmpd features
pass in proto esp from $gatewB to $gatewA
pass out proto esp from $gatewA to $gatewB
pass in on enc0 from $netB to $netA
pass out on enc0 from $netA to $netB
pass out on $ExtIF proto udp from $gatewA port = 500 to $gatewB port = 500
pass in proto udp from $gatewB to $gatewA port=500
pass out proto udp from $gatewA to $gatewB port=500


Looks pretty sane, although it may be that the enc0 rules need to permit
traffic from/to the other $gatew (as you get the decrypted, but still
encapsulated packets on this interface). I usually run with 'pass in on
enc0 all', so I have not tested this much.

I assume you use a 'block log all' default rule? You should get some hits
here is your rules block too much.

(The third last rule doesn't really help here, btw, as the last permits
 similar (more) traffic).

/H

--
Håkan Olsson <ho_(_at_)_crt_(_dot_)_se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB



--
ted jordan, principal
JordanTeam Computing LLC
On-Demand Computing for Independent Business Professionals

ted_(_at_)_jordanteam_(_dot_)_com
734 673 7426 p
216 767 1393 p
419 791 9678 f
http://jordanteam.com



Visit your host, monkey.org