Suresh Myneni wrote:
Hopefully someone will be able to help me with a vpn client
connectivity problem. Using Contivity VPN client on Windows 2k going
through OpenBSD 3.7 PF/NAT

I have three workstations behind the firewall using private IPs. The
internet usage is fine on all the machines. But when I use Contivity
VPN client through NAT on a single machine to connect to the remote
site, I am able to connect fine. When I use the second machine to
connect to the remote site using the VPN client, the VPN client fails
in the last stage of establishing the connection. It gives me a
message "Checking for banner text from x.x.x.x" and then disconnects.

The first machine I use to connect to the client's VPN server is
working fine. When the first VPN connection is active, and when I try
to connect the second machine, it is not able to connect to the
VPN server.
Is it something to do with the traffic routing in the private network
between the client machines and the router? Please advise.

Here is my ruleset.
# Define useful variables
ExtIF="fxp0" # External Interface
NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12 }"

# Clean up fragmented and abnormal packets
scrub in all

#nat goes here now
nat on $ExtIF from 192.168.1.1/24 to any -> $ExtIF

# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# block various nmap shyte
block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
block in quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in quick on $ExtIF inet proto tcp from any to any flags P

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# Allow isakmp
pass in quick on $ExtIF inet proto udp from any to any port = 500
pass in quick on $ExtIF inet proto esp from any to any

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
# ALSO ALLOW isakmp outgoing
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp from any to any port = 500
pass out on $ExtIF inet proto esp from any to any
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state

Am I missing something? I am new to OpenBSD. I was very hopeful of
building a firewall that I could use with my small office setup that
connects to a client site via VPN. I picked up the above ruleset from
the internet. If someone can suggest a better ruleset, that would be great
also.
Please help.
Thanks
Suresh
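The symptom above (first client connects, second fails while the first is up) is what a stateful translator does with a protocol that carries no port numbers. The following is an added illustration written for this thread, not pf(4) source and not anything Suresh or Fred posted; it models a NAT state table keyed the way a translator has to key flows, and all addresses in it are constructed sample values. IKE runs over UDP/500 and gets a distinct external port per internal host, so both workstations' IKE exchanges map cleanly. ESP (IP protocol 50) has no port field, so two ESP flows from behind one external address to the same remote gateway collapse onto one key, and the gateway's ESP replies can only be handed to whichever host owned the key first.

```python
# Added for this thread: a small model of a NAT state table, used to show why
# port-less ESP from two internal hosts to one gateway cannot be told apart on
# the way back.  This is an illustration, not pf(4) code; pf's real state
# table differs in detail.  All addresses are constructed sample values.
from typing import Optional, Tuple

EXT_IP = "203.0.113.5"       # constructed: address on the firewall's fxp0
GATEWAY = "198.51.100.20"    # constructed: the remote Contivity gateway
HOST_A = "192.168.1.10"      # constructed: first workstation
HOST_B = "192.168.1.11"      # constructed: second workstation


class NatTable:
    """Outbound flows get a translation; inbound packets are matched on
    (protocol, external port, remote address).  A protocol without ports
    leaves the translator nothing but addresses to match on."""

    def __init__(self, ext_ip: str, first_port: int = 50000):
        self.ext_ip = ext_ip
        self.next_port = first_port
        # inbound key -> (internal address, internal port)
        self.inbound: dict = {}

    def translate_out(self, proto: str, src: str, sport: Optional[int],
                      dst: str) -> Tuple[str, Optional[int], bool]:
        """Return (external address, external port, new_entry_created)."""
        if sport is None:
            ext_port = None              # ESP: no port to rewrite
        else:
            ext_port = self.next_port    # UDP: hand out a fresh port
            self.next_port += 1
        key = (proto, ext_port, dst)
        if key in self.inbound:
            # Another internal host already owns this key.  Nothing in a
            # returning packet lets the translator tell the flows apart.
            return (self.ext_ip, ext_port, False)
        self.inbound[key] = (src, sport)
        return (self.ext_ip, ext_port, True)

    def translate_in(self, proto: str, src: str, dport: Optional[int]):
        """Look up where a packet arriving from `src` should be delivered."""
        return self.inbound.get((proto, dport, src))


def vpn_session(nat: NatTable, host: str) -> dict:
    """Walk one client's flows through the translator: IKE (UDP/500),
    then ESP to the same gateway."""
    _, ike_port, ike_new = nat.translate_out("udp", host, 500, GATEWAY)
    _, esp_port, esp_new = nat.translate_out("esp", host, None, GATEWAY)
    owner, _ = nat.translate_in("esp", GATEWAY, esp_port)
    return {
        "ike_port": ike_port,          # external port chosen for this host's IKE
        "ike_mapped": ike_new,         # IKE got its own state entry
        "esp_mapped": esp_new,         # ESP got its own state entry
        "esp_replies_go_to": owner,    # who actually receives ESP from the gateway
    }


def demo():
    """Two workstations behind one external address, both to one gateway."""
    nat = NatTable(EXT_IP)
    first = vpn_session(nat, HOST_A)
    second = vpn_session(nat, HOST_B)
    return first, second


if __name__ == "__main__":
    a, b = demo()
    print("host A:", a)
    print("host B:", b)
```

Running it shows both hosts getting distinct IKE mappings, host A getting the only ESP entry, and host B's ESP replies being delivered to host A, which is the point at which a second client would stall. The general remedy for this situation is IPsec NAT traversal, which wraps ESP in UDP (port 4500) so the translator has a port to key on; whether the Contivity client and the remote gateway in this thread negotiate it is not something the messages say.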


Hi Suresh,

I have successfully used the Contivity VPN client through an OpenBSD firewall - here is the part from my pf.conf relevant to the Contivity VPN client:

vpn_ip = "{ xxx.yyy.zzz.10, xxx.yyy.zzz.11 }"

vpn = "{ udp, icmp, esp }"


# VPN Traffic
pass out quick log on $ext_if inet proto $vpn from any to $vpn_ip \
        keep state
pass in log on $ext_if inet proto $vpn from $vpn_ip to any keep state
pass in quick on $ext_if inet proto udp from $vpn_ip to any port 500 \
        keep state

HTH
Fred
