Cisco VPN client through PF

Post by Ch3w3 » Sun, 02 Feb 2003 05:29:24
I have posted about this before, but have had little success. I also
realize there are a few previous posts that are similar, however none of
them really address my situation.

Configuration:
I am running a Cisco VPN client for Windows, with Transparent Tunnelling
enabled, IPSec over TCP port 10000.
My firewall is OpenBSD 3.2.
I have NAT enabled within PF (so the VPN client is being NAT'd).

What I have tried:
I have experimented with redirecting TCP/UDP port 10000 and 500 to the
host that is running the VPN client. I have tried both with "keep state"
and without, scrubbing and no scrubbing. Nothing works - the VPN client
will connect and authenticate, and I can even reach other hosts on the
VPN, but it drops out after a few minutes or after I send a certain
amount of traffic over the VPN.

Possibly useful information:
The client works just fine behind a Linux machine running iptables with
SNAT.
I noticed in my pflog that some packets are being blocked on their way
out because they have a non-routable address (10.whatever). This
surprises me, as the VPN client is obviously not generating packets
whose outermost IP header has a non-routable address (OK not obviously
but I have verified) - so how is PF seeing this? More importantly, if I
allow PF to route 10.x addresses, the client still does not function.

Thanks for the help.

Post by erik » Sun, 02 Feb 2003 06:35:51
> I have posted about this before, but have had little success. I also
> realize there are a few previous posts that are similar, however none of
> them really address my situation.

> Configuration:
> I am running a Cisco VPN client for Windows, with Transparent Tunnelling
> enabled, IPSec over TCP port 10000.
> My firewall is OpenBSD 3.2.
> I have NAT enabled within PF (so the VPN client is being NAT'd).

> What I have tried:
> I have experimented with redirecting TCP/UDP port 10000 and 500 to the
> host that is running the VPN client. I have tried both with "keep state"
> and without, scrubbing and no scrubbing. Nothing works - the VPN client
> will connect and authenticate, and I can even reach other hosts on the
> VPN, but it drops out after a few minutes or after I send a certain
> amount of traffic over the VPN.

> Possibly useful information:
> The client works just fine behind a Linux machine running iptables with
> SNAT.
> I noticed in my pflog that some packets are being blocked on their way
> out because they have a non-routable address (10.whatever). This
> surprises me, as the VPN client is obviously not generating packets
> whose outermost IP header has a non-routable address (OK not obviously
> but I have verified) - so how is PF seeing this? More importantly, if I
> allow PF to route 10.x addresses, the client still does not function.

> Thanks for the help.

So, _which_ packets are being blocked? My guess is that you do not permit
esp to pass the firewall. Open up 500/udp and proto esp. That should work.

EJ
--
Remove the obvious part (including the dot) for my email address

Post by Ch3w3 » Sun, 02 Feb 2003 10:13:35
Actually, I did already try specifically letting esp and ah through - I
just forgot to mention it.  Oops.

The thing is, that shouldn't make a difference because the VPN client is
tunneling the IPSec through TCP so PF _should_ just see a plain old IP
packet with the address of the VPN server. In order for PF to see that
I'm using IPSec, it would have to unwrap the first TCP/IP layer of the
packet and "look inside", which it has no reason or authority to do.

I don't know specifically which packets are being blocked. On the client
side, right before the connection drops, the client will start dropping
tons of packets. On the PF side, I noticed those entries in pflog, but
that's it. I haven't been able to correlate them to any particular instance.
>>I have posted about this before, but have had little success. I also
>>realize there are a few previous posts that are similar, however none of
>>them really address my situation.

>>Configuration:
>>I am running a Cisco VPN client for Windows, with Transparent Tunnelling
>>enabled, IPSec over TCP port 10000.
>>My firewall is OpenBSD 3.2.
>>I have NAT enabled within PF (so the VPN client is being NAT'd).

>>What I have tried:
>>I have experimented with redirecting TCP/UDP port 10000 and 500 to the
>>host that is running the VPN client. I have tried both with "keep state"
>>and without, scrubbing and no scrubbing. Nothing works - the VPN client
>>will connect and authenticate, and I can even reach other hosts on the
>>VPN, but it drops out after a few minutes or after I send a certain
>>amount of traffic over the VPN.

>>Possibly useful information:
>>The client works just fine behind a Linux machine running iptables with
>>SNAT.
>>I noticed in my pflog that some packets are being blocked on their way
>>out because they have a non-routable address (10.whatever). This
>>surprises me, as the VPN client is obviously not generating packets
>>whose outermost IP header has a non-routable address (OK not obviously
>>but I have verified) - so how is PF seeing this? More importantly, if I
>>allow PF to route 10.x addresses, the client still does not function.

>>Thanks for the help.

> So, _which_ packets are being blocked? My guess is that you do not permit
> esp to pass the firewall. Open up 500/udp and proto esp. That should work.

> EJ


Cisco VPN Client through pf-based firewall

Running OBSD 3.0 with latest patches.

System is a firewall with 3 interfaces, Internal, DMZ and External.

External and DMZ each have public addresses (x.x.x.x/29)

The firewall performs NAT, assigning all outbound traffic from the Internal
net (10.10.10.0) the address assigned to the external NIC - let's call it
200.200.200.2 (200.200.200.1 is my ISP's router)

My boss' laptop has the Cisco VPN client (not sure of the version -
relatively new, though - it runs Win2K Professional) which he needs to connect
to an External PIX at 100.100.100.100

In order to make it work, I've had to assign an alias to my external card of
200.200.200.3 and set up a nat rule that will translate his laptop's address
only where the destination is 100.100.100.100.  I also had to allow:

<set appropriate variables>

block out on $ext_if all
block in on $ext_if all
block out on $dmz_if all
block in on $dmz_if all
block return-rst out on $ext_if proto tcp all
block return-rst in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp in on $ext_if proto udp all

pass in quick on lo0 all
pass out quick on lo0 all

block in quick on $ext_if from any to 255.255.255.255

block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12,\
       192.168.0.0/16, 255.255.255.255/32 } to any

pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on $dmz_if inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp from any to $dmz_net icmp-type 8 \
code 0 keep state

# UDP - Initiated internally - outbound using ext_if due to nat

pass out quick on $ext_if proto udp from $ext_if to any keep state
pass out quick on $dmz_if proto udp from $int_net to $dmz_net keep state

# TCP - Initiated internally - outbound using ext_if due to nat

pass out quick on $ext_if proto tcp from $ext_if to any modulate state
pass out quick on $dmz_if proto tcp from $int_net to $dmz_net modulate state

# Allow the boss' vpn

pass in quick on $ext_if proto esp from 100.100.100.100 to any keep state
pass out quick on $ext_if proto esp from any to 100.100.100.100 keep state
pass in quick on $ext_if proto udp from 100.100.100.100 to any port 500 keep state

# Additional pass rules snipped

For one thing, I had to set my outbound to allow from the external
interface, due to nat - is this the way it should be?

Second, is this the best way to get his vpn client working?  It seems
kludgey and that there should be a better way - I'm just not seeing what it
is.

Thanks
Steve
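
An added pf.conf example, not the ruleset of any poster in this thread, that covers both erik's suggestion (open 500/udp and proto esp) and Steve's question about a less kludgey way to give one internal host a VPN-capable address, using binat instead of a destination-restricted nat rule, plus the IPsec-over-TCP port 10000 case from the first post. OpenBSD 3.x syntax (translation rules before filter rules); the interface name, the VPN host's internal address and the spare public alias are assumptions, while 100.100.100.100 and port 10000 come from the thread.

```conf
# Added example, not a poster's ruleset. OpenBSD 3.x pf.conf: macros, then
# translation rules, then filter rules. ext_if, vpn_host and vpn_alias are assumed.
ext_if    = "fxp0"
int_net   = "10.10.10.0/24"
vpn_host  = "10.10.10.50"        # laptop running the Cisco VPN client (assumed)
vpn_alias = "200.200.200.3"      # spare public address, configured as an alias on $ext_if
vpn_gw    = "100.100.100.100"    # remote PIX / VPN gateway from the thread

# binat maps the VPN host 1:1 to its own public address for every destination,
# replacing the "nat only when going to 100.100.100.100" rule. ESP carries no
# ports, so a shared NAT address cannot tell two internal ESP peers apart;
# a dedicated public address per IPsec client avoids that.
binat on $ext_if from $vpn_host to any -> $vpn_alias
nat   on $ext_if from $int_net  to any -> $ext_if

# Default deny on the external interface, and drop spoofed private sources.
block in  quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
block in  on $ext_if all
block out on $ext_if all

# nat runs before outbound filtering, so outbound rules see the translated
# source: "from $ext_if" / "from $vpn_alias" is correct here, not $int_net.
pass out quick on $ext_if proto tcp from $ext_if to any modulate state
pass out quick on $ext_if proto udp from $ext_if to any keep state

# Case 1: native IPsec (erik's answer): IKE on 500/udp plus ESP. ESP has no
# ports, so pass it explicitly in both directions, restricted to the one peer.
pass out quick on $ext_if proto udp from $vpn_alias to $vpn_gw port 500 keep state
pass in  quick on $ext_if proto udp from $vpn_gw to $vpn_alias port 500 keep state
pass out quick on $ext_if proto esp from $vpn_alias to $vpn_gw
pass in  quick on $ext_if proto esp from $vpn_gw to $vpn_alias

# Case 2: Transparent Tunnelling, IPsec over TCP port 10000 (first post's setup).
# pf sees only an ordinary TCP session to the gateway, so no ESP or 500/udp rule
# applies; the client initiates, so one stateful outbound rule covers the replies.
pass out quick on $ext_if proto tcp from $vpn_alias to $vpn_gw port 10000 keep state
```

Load with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` while the client connects; with the peer-restricted rules above, anything still logged as blocked is either a protocol the client uses that is not listed here or traffic that did not get translated.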