Connecting a Nortel VPN client through OpenBSD (2.9) to Nortel VPN Switch

Post by Will Bobe » Mon, 27 Aug 2001 17:09:23



I am trying to allow a system on my local net (using Nortel Extranet Access
Client) to connect through my OpenBSD Gateway (ver 2.9) to my company's
Nortel VPN Switch. I have been reading a ton on esp, gre, a possible patch
to ipf but nothing seems to work and there are no definitive howtos?

Any suggestions (and please don't suggest buying a LinkSys/DLink/NetGEAR home broadband
gateway - I want to do this with my OpenBSD box and it should be possible
either via proxy or passthrough?)

Thanks in advance,

- will


Connecting a Nortel VPN client through OpenBSD (2.9) to Nortel VPN Switch

Post by mo.. » Wed, 29 Aug 2001 15:43:50



>I am trying to allow a system on my local net (using Nortel Extranet Access
>Client) to connect through my OpenBSD Gateway (ver 2.9) to my company's
>Nortel VPN Switch. I have been reading a ton on esp, gre, a possible patch
>to ipf but nothing seems to work and there are no definitive howtos?

>Any suggestions (and please don't suggest buying a LinkSys/DLink/NetGEAR home broadband
>gateway - I want to do this with my OpenBSD box and it should be possible
>either via proxy or passthrough?)

>Thanks in advance,

>- will

I had this set up once upon a time. The trick was to rdr port 500 from
the firewall to the host running the Nortel VPN client. There is
isakmp traffic required to maintain the VPN connection which must be
passed through. This is done in ipnat.rules.

The second trick is to not remap ports for the host running the VPN
client.

Alas, this can only be done for one host behind your firewall.

For added security I set up ipf rules to only allow passage of esp &
port 500 packets from the company VPN gateway to the host running the
VPN client.

I had emailed my ipnat.rules and ipf.rules to the OpenBSD misc mailing
list some time ago. You could search the mailing list to find them.


Connecting a Nortel VPN client through OpenBSD (2.9) to Nortel VPN Switch

Post by Will Bobe » Fri, 31 Aug 2001 06:25:05


Monty,

Thanks for the info. I subscribe to the "misc" OpenBSD group and did an
"index misc" and received the following:

--

> index misc

#### No files available for misc.

Any chance you have the postings somewhere in your email?

Thanks in advance (again) :)

- Will



> >I am trying to allow a system on my local net (using Nortel Extranet Access
> >Client) to connect through my OpenBSD Gateway (ver 2.9) to my company's
> >Nortel VPN Switch. I have been reading a ton on esp, gre, a possible patch
> >to ipf but nothing seems to work and there are no definitive howtos?

> >Any suggestions (and please don't suggest buying a LinkSys/DLink/NetGEAR home broadband
> >gateway - I want to do this with my OpenBSD box and it should be possible
> >either via proxy or passthrough?)

> >Thanks in advance,

> >- will

> I had this set up once upon a time. The trick was to rdr port 500 from
> the firewall to the host running the Nortel VPN client. There is
> isakmp traffic required to maintain the VPN connection which must be
> passed through. This is done in ipnat.rules.

> The second trick is to not remap ports for the host running the VPN
> client.

> Alas, this can only be done for one host behind your firewall.

> For added security I set up ipf rules to only allow passage of esp &
> port 500 packets from the company VPN gateway to the host running the
> VPN client.

> I had emailed my ipnat.rules and ipf.rules to the OpenBSD misc mailing
> list some time ago. You could search the mailing list to find them.


Connecting a Nortel VPN client through OpenBSD (2.9) to Nortel VPN Switch

Post by Jim Litto » Fri, 31 Aug 2001 07:50:29


I'm using the Nortel Extranet client through OpenBSD 2.9. I have a DSL
router with a DHCP-assigned address. The router assigns my home
network interface an address of 10.0.0.2. I create an ipf rule set that
passes in from my corp VPN server (999.999.999.999) and permits traffic
from a static non-routable address 192.168.1.4 (my corporate laptop) to
the 10.0.0.2 address. Then in ipnat.rules I redirect incoming traffic
to the laptop and map the laptop's port 500 traffic to the DHCP-assigned
address 10.0.0.2. I would guess my Cisco 678 is NAT'ing the VPN traffic.

pass in quick on fxp0 proto udp from 999.999.999.999 to
    192.168.1.4 port = 500 keep state
block return-icmp(3) in log quick on fxp0 proto udp
    from any to any port = 500

pass in quick on fxp0 proto esp from 999.999.999.999
    to 192.168.1.4
pass out quick on fxp0 proto esp from 192.168.1.4
    to 999.999.999.999

# rdr always at top
rdr fxp0 10.0.0.2/32 port 500 -> 192.168.1.4 port 500 udp

map fxp0 192.168.1.4/32 -> 10.0.0.2/32

-- Jim


> Monty,

> Thanks for the info. I subscribe to the "misc" OpenBSD group and did an
> "index misc" and received the following:

> --

> > index misc

> #### No files available for misc.

> Any chance you have the postings somewhere in your email?

> Thanks in advance (again) :)

> - Will




>>>I am trying to allow a system on my local net (using Nortel Extranet Access
>>>Client) to connect through my OpenBSD Gateway (ver 2.9) to my company's
>>>Nortel VPN Switch. I have been reading a ton on esp, gre, a possible patch
>>>to ipf but nothing seems to work and there are no definitive howtos?

>>>Any suggestions (and please don't suggest buying a LinkSys/DLink/NetGEAR home broadband
>>>gateway - I want to do this with my OpenBSD box and it should be possible
>>>either via proxy or passthrough?)

>>>Thanks in advance,

>>>- will

>>I had this set up once upon a time. The trick was to rdr port 500 from
>>the firewall to the host running the Nortel VPN client. There is
>>isakmp traffic required to maintain the VPN connection which must be
>>passed through. This is done in ipnat.rules.

>>The second trick is to not remap ports for the host running the VPN
>>client.

>>Alas, this can only be done for one host behind your firewall.

>>For added security I set up ipf rules to only allow passage of esp &
>>port 500 packets from the company VPN gateway to the host running the
>>VPN client.

>>I had emailed my ipnat.rules and ipf.rules to the OpenBSD misc mailing
>>list some time ago. You could search the mailing list to find them.


Connecting a Nortel VPN client through OpenBSD (2.9) to Nortel VPN Switch

Post by mo.. » Fri, 31 Aug 2001 15:30:50



>Any chance you have the postings somewhere in your email?

Here's the ipf and ipnat rules I was using to allow Nortel VPN through the firewall.
The Nortel Client was at 192.168.1.11. They are commented out here as I no longer use 'em.
Note that my ipf rules are set up with a deny all by default. I also return error packets (return-icmp here)
on open ports in case the state breaks.

ipf relevant rules:

# VPN traffic rule set
#
# Allow redirected port 500 udp traffic to flow from 63.103.66.53 only
#pass in quick on le1 proto udp from 63.103.66.53 to 192.168.1.11 port = 500 keep state
#block return-icmp(3) in log quick on le1 proto udp from any to any port = 500
#
# Allow esp traffic to flow between 63.103.66.53 and 192.168.1.11
#
#pass in quick on le1 proto esp from 63.103.66.53 to 192.168.1.11
#pass out quick on le1 proto esp from 192.168.1.11 to 63.103.66.53

ipnat rules:

# Rule set modified to allow VPN connection for 192.168.1.11
#
# Redirect udp traffic on port 500 to 192.168.1.11 to maintain VPN connection
#rdr le1 209.233.22.124/32 port 500 -> 192.168.1.11 port 500 udp
#
# Do not remap ports for 192.168.1.11 so that VPN works for this client
#
#map le1 192.168.1.11/32 -> 209.233.22.124/32
#
# Remap ports for all other hosts
#
map le1 192.168.1.0/24 -> 209.233.22.124/32 portmap tcp/udp 10000:20000
map le1 192.168.1.0/24 -> 209.233.22.124/32

In sysctl.conf you must also enable esp and ah if you haven't figured that out yet.

net.inet.esp.enable=1           # 1=Enable the ESP IPSec protocol
net.inet.ah.enable=1            # 1=Enable the AH IPSec protocol

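Jim's fxp0 rules and the le1 rules above have the same shape: rdr UDP 500 to the client, a port-less map for the client so ESP survives NAT, and ipf passes only from the VPN switch. As an added example that is not code from the thread, here is a small Python model of this le1 rule set using the addresses from the post, so the effect of each rule can be checked against constructed sample packets. One assumption is labelled in the code: the port-less map rule is treated as already holding state for ESP replies, which ipnat only has once the client has sent its first ESP packet.

```python
from dataclasses import dataclass, replace
VPN_GW = "63.103.66.53"       # corporate Nortel VPN switch (address from the post)
CLIENT = "192.168.1.11"       # LAN host running the Nortel client (from the post)
EXTERNAL = "209.233.22.124"   # firewall's outside address on le1 (from the post)
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" on le1
    proto: str       # "udp" or "esp"
    src: str
    dst: str
    dport: int = 0   # 0 for protocols without ports (esp)
# The posted ipf rules as (action, direction, proto, src, dst, dport); all are
# "quick", so the first match wins. None matches any address.
IPF_RULES = [
    ("pass", "in", "udp", VPN_GW, CLIENT, 500),
    ("block return-icmp(3)", "in", "udp", None, None, 500),
    ("pass", "in", "esp", VPN_GW, CLIENT, 0),
    ("pass", "out", "esp", CLIENT, VPN_GW, 0),
]

def ipnat_inbound(pkt):
    # Inbound ipnat runs before ipf: the rdr sends EXTERNAL:500/udp to the client,
    # and the port-less map rule's state returns ESP replies to it (assumption:
    # the client sent the first ESP packet, so that map state already exists).
    if pkt.direction == "in" and pkt.dst == EXTERNAL:
        if (pkt.proto == "udp" and pkt.dport == 500) or pkt.proto == "esp":
            return replace(pkt, dst=CLIENT)
    return pkt

def ipf_verdict(pkt, default="block"):
    # Walk the rules in order; unmatched packets hit the deny-by-default policy.
    for action, direction, proto, src, dst, dport in IPF_RULES:
        if (direction, proto, dport) != (pkt.direction, pkt.proto, pkt.dport):
            continue
        if src not in (None, pkt.src) or dst not in (None, pkt.dst):
            continue
        return action
    return default

def filter_packet(pkt):
    return ipf_verdict(ipnat_inbound(pkt))

if __name__ == "__main__":
    samples = {  # constructed sample packets, not captured traffic
        "IKE from the VPN switch": Packet("in", "udp", VPN_GW, EXTERNAL, 500),
        "IKE from a stray host": Packet("in", "udp", "198.51.100.7", EXTERNAL, 500),
        "ESP from the VPN switch": Packet("in", "esp", VPN_GW, EXTERNAL),
    }
    for label, pkt in samples.items():
        print(f"{label}: {filter_packet(pkt)}")
```

The stray-host case shows why the second udp rule matters: after the rdr, any port 500 probe is already aimed at the client, and only the explicit block with return-icmp keeps it out once the first rule's source check fails.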

1. Nortel 2600 VPN Switch and IPSEC

Ok, here's the current setup. I have a Linux 7.2 Gateway that uses IP
Masq for my internal LAN via ipchains, no ports are currently being
blocked. I need to use the Nortel 2600 Contivity Client software on
my computers within my LAN to connect to another company's VPN switch.
The Nortel 2600 needs the following open, UDP/IP 500, AH Protocol 50
and Protocol 51. I am not familiar with IPSEC so I need to know how
to set up IPSEC on my Linux gateway so that my internal LAN can connect
to the other company's VPN.

Thanks,
Robert
