ANSWER...Re: VPN fails with firewall rules
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: ANSWER...Re: VPN fails with firewall rules
- From: "ted jordan, jordanteam" <ted_(_at_)_jordanteam_(_dot_)_com>
- Date: Sat, 19 Apr 2003 22:59:02 -0400
- Organization: JordanTeam IT Services
IT APPEARS that this line was really important
pass in on enc0 all
we're rolling fine now...thanx much
Hakan Olsson wrote:

> On Mon, 7 Apr 2003, ted jordan, jordanteam wrote:
>
> > 5) kill isakmpd
> >
> > Is it necessary to use
> >
> >   pfctl -F all
> >
> > after every test? Should I be flushing anything else?
>
> If you just kill (or kill -TERM) isakmpd, it will send DELETE
> notifications to the other side so that you will not need the ipsecadm
> flush command. If you kill it with 'kill -KILL' (-9), isakmpd will not get
> a chance to do this, and you will have to flush the flows manually.
>
> > # VPN settings per "man vpn"
> > # VPN isakmpd features
> > pass in proto esp from $gatewB to $gatewA
> > pass out proto esp from $gatewA to $gatewB
> > pass in on enc0 from $netB to $netA
> > pass out on enc0 from $netA to $netB
> > pass out on $ExtIF proto udp from $gatewA port = 500 to $gatewB port = 500
> > pass in proto udp from $gatewB to $gatewA port = 500
> > pass out proto udp from $gatewA to $gatewB port = 500
>
> Looks pretty sane, although it may be that the enc0 rules need to permit
> traffic from/to the other $gatew (as you get the decrypted, but still
> encapsulated packets on this interface). I usually run with 'pass in on
> enc0 all', so I have not tested this much.
>
> I assume you use a 'block log all' default rule? You should get some hits
> here if your rules block too much.
>
> (The third last rule doesn't really help here, btw, as the last permits
> similar (more) traffic).
>
> Håkan Olsson <ho_(_at_)_crt_(_dot_)_se>   (+46) 708 437 337
> Unix, Networking, Security             (+46) 31 701 4264
> Carlstedt Research & Technology AB
ted jordan, principal
JordanTeam Computing LLC
On-Demand Computing for Independent Business Professionals
734 673 7426 p
216 767 1393 p
419 791 9678 f
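For readers who would rather not settle on 'pass in on enc0 all', here is an added example pf.conf fragment (not from either poster) that follows Håkan's remark: enc0 carries the decrypted but still tunnel-encapsulated packets, so the gateway-to-gateway traffic (IP-in-IP, protocol "ipencap") has to be permitted on enc0 alongside the inner $netA/$netB traffic. The macro values are constructed placeholders, and the ipencap rules are an assumption based on that remark rather than something the thread tested.

```pf
# Added example, not the poster's ruleset. Macro values are constructed
# placeholders; replace them with your own addresses and interface.
ExtIF  = "fxp0"
gatewA = "192.0.2.1"       # this gateway's external address (constructed)
gatewB = "198.51.100.1"    # peer gateway's external address (constructed)
netA   = "10.1.0.0/16"     # network behind this gateway (constructed)
netB   = "10.2.0.0/16"     # network behind the peer (constructed)

# Default deny with logging, so anything the rules below miss shows up
# on pflog0 instead of silently disappearing.
block log all

# IKE (ISAKMP) between the two gateways, UDP port 500 on both ends.
pass in  on $ExtIF proto udp from $gatewB port 500 to $gatewA port 500
pass out on $ExtIF proto udp from $gatewA port 500 to $gatewB port 500

# Encrypted tunnel traffic (ESP) on the external interface.
pass in  on $ExtIF proto esp from $gatewB to $gatewA
pass out on $ExtIF proto esp from $gatewA to $gatewB

# enc0 sees the decrypted packets. In tunnel mode they still carry the
# gateway-to-gateway outer header (IP-in-IP, "ipencap"), so the gateways
# themselves need a pass here, not only the inner networks.
# (Assumption drawn from the reply above; verify against pflog0.)
pass in  on enc0 proto ipencap from $gatewB to $gatewA
pass out on enc0 proto ipencap from $gatewA to $gatewB
pass in  on enc0 from $netB to $netA
pass out on enc0 from $netA to $netB
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and while testing watch `tcpdump -n -e -ttt -i pflog0` for hits on the 'block log all' rule; a logged packet on enc0 with proto 4 (ipencap) between the two gateway addresses is the symptom the ipencap rules are meant to cover.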