Help Enabling Cisco VPN Client Traffic on PF

[EverydayDiesel]

At home I use cisco vpn client to remote into work. Can anyone PLEASE help me enable this type of traffic in PF?

Help is greatly appreciated.

http://www.cisco.com/en/US/products/...308/index.html

Thanks

Code:

EXT="pppoe0"
INT="re1"

INT_NET="{ 192.168.0.0/24 }"

TCP_PORTS = "{ www ssh }"
UDP_PORTS = 'domain'

set block-policy drop
set skip on lo0

nat on $EXT from $INT_NET -> ($EXT:0)
match on pppoe0 scrub (reassemble tcp max-mss 1440) 

block log all

pass out on $EXT tagged OK  

pass in on $INT inet proto tcp from $INT_NET to any port $TCP_PORTS tag OUT_OK 
pass in on $INT inet proto udp from $INT_NET to any port $UDP_PORTS tag OUT_OK

[jggimi]

The Cisco VPN client uses IPSec. The protocols used with IPSec are UDP, AH, and ESP, Likely, however, only ESP and UDP will be utilized in this particular VPN solution.

You will need to add a pass inbound for ESP traffic. ESP doesn't use ports, so it's syntax will not include port numbers. Passing the traffic inbound and outbound will be required. Your client will initiate the connection, so PF's stateful tracking should route the traffic to your workstation appropriately.

The UDP protocol is used for key exchange and key management. UDP port 500 is the primary port for key exchanges, port 4500 is used for NAT Traversal which may be required -- these should be passed as well, however, stateful processing should manage that if your client initiates the connection.

Your OpenBSD ipsec(4) man page may be helpful to you.

[jggimi]

I'm not sure I was sufficiently clear, so I'll try to add more information.

Per your pf.conf, all outbound traffic is currently permitted, regardless of source. But traffic inbound is only permitted on the internal network for a limited set of UDP and TCP destination ports. No inbound traffic from the external interface is permitted, unless applicable to an existing state.

• ESP needs to be passed, both directions. At the moment, it's not permitted at all.
• UDP destination ports 500 and 4500 need to be passed in both directions

While I'm not sure what NAT traversal techniques might be needed other than merely having destination port 4500 open in both directions...it's my belief (without testing) that you won't need more than that.

[EverydayDiesel]

Thanks for the reply

I enabled ESP, UDP and AH but i still was not able to connect. (If I bypass openbsd it works fine)

I am not sure what else to do.

EDIT: I just saw where you can monitor the firewall activity with

Code:

tcpdump -n -e -ttt -i pflog0

so I will do that when I get home

[jggimi]

You did not post your revised pf.conf.

Do you have rdr-to rule(s) to redirect the incoming UDP traffic with destination UDP ports 500 and 4500 to your workstation running the Cisco VPN client?

Are you passing traffic using protocols ESP and AH?

http://en.wikipedia.org/wiki/NAT_tra...rsal_and_IPsec

[jggimi]

Let me revise that - NAT Traversal, in the most common implementation (NAT-T), encapsulates the IPSec traffic within UDP. Passing ESP/AH traffic might not be necessary.