Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your
> ipsec.conf on the firewall look like?
>
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
>>
>> The scenario:
>> - the router drops all traffic directed to it from the dmz net
>> - the router drops all traffic destined for the lan from the dmz
>> - the router drops all traffic destined for the dmz from the lan
>> - vlan1 (dmz) has linux hosts
>> - vlan2 (lan) has windows and linux hosts, for the purpose of this
>>   exercise, I am using a windows host
>>
>> The goals:
>> - create a way by which hosts in the lan can connect to the dmz network
>>   using ipsec/isakmpd
>> - starting off with simple auth, shared secret passphrase
>>
>> The problem:
>> - I am unable to establish a SA between the router and the lan hosts
>>   isakmpd returns the following:
>>   155359.461787 Default message_recv: cleartext phase 2 message
>>   155359.462366 Default dropped message from 10.107.208.20 port 500 due to
>>   notification type INVALID_FLAGS
>>
>> Some background Info:
>>
>> My network is as follows:
>> (trunking is next on my list, but for now, I have separate interfaces on
>> the router for each vlan)
>>
>>                      |
>>              Internet (dynamic ip)
>>                      |1.1.1.2
>>           +------------------------+
>>           |   router/fw/isakmpd    |
>>           +------------------------+
>>   10.180.16.1 |                | 10.107.208.1
>>          dmz  |                |  lan
>>      +--------+                +--------+
>>      |                                  |
>>      +-----------------------------+
>>      |           switch            |
>>      |    vlan1     |    vlan2     |
>>      +-----------------------------+
>>         |                    |
>>         |                    |
>> +---------------+    +-------------------+
>> |   www server  |    |   workstation 1   +
>> | 10.180.16.250 |    |   10.107.208.20   +
>> +---------------+    +-------------------+
>>
>

I have the ipsec working between the two networks, but I wanted to get a sanity check on my pf.conf.
I could not find any examples of the ipsec/enc rules that used tagging for policy enforcement and wanted to make sure there are no issues with doing so.
##################################################################
# MACROS

# interfaces
if_lo=  "lo0"
if_ext= "hme0"
if_int= "hme1"
if_dmz= "hme2"
if_von= "hme3"
if_enc= "enc0"

# interface ip's
ip_ext= "x.x.x.x"
ip_int= "10.107.208.1"
ip_dmz= "10.180.16.1"
ip_von= "10.180.17.1"

# interface networks
net_int= "10.107.208.0/24"
net_dmz= "10.180.16.0/24"
net_von= "10.180.17.0/24"

# DMZ Host 1
ip_dmzhost1= "10.180.16.250"
proto_in_inet_tcp_dmzhost1= "{ 443 }"
proto_in_inet_udp_dmzhost1= ""
proto_in_inet_icmp_dmzhost1= ""

####################################################################
# TABLES

####################################################################
# OPTIONS
set block-policy drop
set loginterface $if_ext
set require-order yes
set optimization normal
set state-policy if-bound
set skip on { $if_lo }
set debug none

####################################################################
# NORMALIZATION
scrub all reassemble tcp random-id fragment reassemble no-df \
    min-ttl 24 max-mss 1460

####################################################################
# QUEUEING

####################################################################
# TRANSLATION
nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)
nat on $if_ext inet tag VON_NAT tagged VON_INET -> ($if_ext)
nat-anchor "ftp-proxy/*"

####################################################################
# REDIRECTION

# External access to DMZ
rdr on $if_ext inet proto tcp from any to port 443 tag \
    TAG_HTTPS -> $ip_dmzhost1 port 443

# FTP Proxy
rdr-anchor "ftp-proxy/*"

####################################################################
# PACKET FILTERING

# implicit first rule
block log all

anchor "ftp-proxy/*"

# MISC: silently drop broadcasts (cable modem noise)
block in quick on $if_ext from any to { 255.255.255.255, \
    0.0.0.0 }

# ANTISPOOFING
antispoof log quick for $if_ext inet

# HOST: ROUTER
# allowable incoming traffic
pass in on $if_int from $net_int tag LAN_INET keep state
pass in on $if_dmz from $net_dmz tag DMZ_INET keep state
pass in on $if_von from $net_von tag VON_INET keep state

# allow incoming traffic to dmz
pass in on $if_ext tagged TAG_HTTPS keep state

# allow router access to internet
pass out on $if_ext from ($if_ext) to any tag RTR_INET

# ipsec access for LAN-to-DMZ
# Passing in encrypted traffic from security gateways
pass in on $if_int proto esp from $net_int to $ip_int \
    keep state
pass out on $if_int proto esp from $ip_int to $net_int \
    keep state

# Need to allow ipencap traffic on enc0.
pass in on $if_enc proto ipencap all keep state

# Passing in traffic from the designated subnets.
# (only allow traffic into dmz, prevent tunnel in)
pass in on $if_enc from $net_int to $net_dmz tag VPN_INT \
    keep state
#pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET

# Passing in isakmpd(8) traffic from the security gateways
pass in on $if_int proto udp from $net_int to $ip_int \
    port isakmp keep state
pass out on $if_int proto udp from $ip_int to $net_int \
    port isakmp keep state

# policy enforcement
pass out on $if_ext inet proto tcp tagged RTR_INET modulate \
    state flags S/SA
pass out on $if_ext inet proto udp tagged RTR_INET keep state
pass out on $if_ext inet proto tcp tagged INT_NAT modulate \
    state flags S/SA
pass out on $if_ext inet proto udp tagged INT_NAT keep state
pass out on $if_ext inet proto tcp tagged DMZ_NAT modulate \
    state flags S/SA
pass out on $if_ext inet proto udp tagged DMZ_NAT keep state
pass out on $if_ext inet proto tcp tagged VON_NAT modulate \
    state flags S/SA
pass out on $if_ext inet proto udp tagged VON_NAT keep state
pass out on $if_dmz inet proto tcp tagged VPN_INT modulate \
    state flags S/SA
pass out on $if_dmz inet proto udp tagged VPN_INT keep state
pass out on $if_dmz inet proto tcp tagged TAG_HTTPS modulate \
    state flags S/SA

Thanks,
Axton Grams
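One sanity check that is easy to automate for a tag-driven ruleset like the one above: every `tagged X` rule needs some earlier rule that sets `tag X`, otherwise that policy-enforcement rule can never match and the traffic silently falls through to `block log all`. The lint below is an added example, not part of the original post or of pf; it handles backslash continuations and `#` comments the way the posted file uses them, and the sample ruleset is constructed (condensed from the post, with the `tag RTR_INET` producer deliberately left out so the check has something to find).

```python
"""Tag-flow lint for pf.conf: each 'tagged X' consumer needs a 'tag X' producer.

Added example (not from the original post). Assumes pf.conf semantics where
'tag X' sets a tag on a packet and 'tagged X' matches only packets carrying it.
"""
import re

TAG_RE = re.compile(r"\btag\s+(\w+)")        # 'tag X' sets a tag ('tagged' does not match)
TAGGED_RE = re.compile(r"\btagged\s+(\w+)")  # 'tagged X' consumes a tag

# Constructed sample, condensed from the posted ruleset; the rule that sets
# RTR_INET is intentionally missing so the lint reports an orphaned consumer.
SAMPLE_PF_CONF = """\
# constructed sample, not the full posted pf.conf
nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
rdr on $if_ext inet proto tcp from any to port 443 tag\\
    TAG_HTTPS -> $ip_dmzhost1 port 443
pass in on $if_int from $net_int tag LAN_INET keep state
pass in on $if_ext tagged TAG_HTTPS keep state
pass in on $if_enc from $net_int to $net_dmz tag VPN_INT keep state
#pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET
pass out on $if_ext inet proto tcp tagged INT_NAT modulate state flags S/SA
pass out on $if_dmz inet proto tcp tagged VPN_INT modulate state flags S/SA
pass out on $if_dmz inet proto tcp tagged TAG_HTTPS modulate state flags S/SA
pass out on $if_ext inet proto udp tagged RTR_INET keep state
"""


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments (commented-out rules too)
        if line.endswith("\\"):               # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def tag_flow(text):
    """Return (tags set, tags consumed, consumed-but-never-set, set-but-never-consumed)."""
    set_tags, consumed = set(), set()
    for line in logical_lines(text):
        set_tags.update(TAG_RE.findall(line))
        consumed.update(TAGGED_RE.findall(line))
    return set_tags, consumed, consumed - set_tags, set_tags - consumed
```

On the sample, `tag_flow` reports `RTR_INET` as consumed but never set, while `VPN_NET` does not appear at all because its rule is commented out; on the full posted ruleset both sets come back empty.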