Qwest Contivity VPN Client Behind PF
I have a user on my network that needs to use the Qwest Contivity VPN Client to connect to a customer's network. I am having trouble getting the PF rules set up correctly to make this happen. Does anyone have any experience getting the Contivity client to successfully connect through PF? Any tips would be appreciated.

I currently have the following rules in pf.conf for this particular purpose:

pass in quick on $INTIF proto esp from any to x.x.x.x keep state
pass in quick on $INTIF proto ah from any to x.x.x.x keep state
pass in quick on $INTIF proto udp from any to x.x.x.x port = 500 keep state

When I attempt to connect from the client, it simply times out. Any ideas what I'm missing?

Thanks!

Todd Chandler
Re: Qwest Contivity VPN Client Behind PF
Qwest Contivity? Hmm, I know of the one from Nortel Networks. It's basically a layer 4 switch. Describe the setup a little more. Use ASCII art if necessary.

--Bryan

On Fri, 2003-01-31 at 05:43, Todd Chandler wrote:

> I have a user on my network that needs to use the Qwest Contivity VPN Client to connect to a customer's network. I am having trouble getting the PF rules set up correctly to make this happen. Does anyone have any experience getting the Contivity client to successfully connect through PF? Any tips would be appreciated.
>
> I currently have the following rules in pf.conf for this particular purpose:
>
> pass in quick on $INTIF proto esp from any to x.x.x.x keep state
> pass in quick on $INTIF proto ah from any to x.x.x.x keep state
> pass in quick on $INTIF proto udp from any to x.x.x.x port = 500 keep state
>
> When I attempt to connect from the client, it simply times out. Any ideas what I'm missing?
>
> Thanks!
>
> Todd Chandler
Re: NAT does not allow for 1-to-1 port ranges?
On Fri, Jan 31, 2003 at 12:43:50PM -0800, Cameron Lerch wrote:

> nat on ne0 proto udp from 10.0.0.3/32 port 6000 to any -> ne0 port 6000
> nat on ne0 proto udp from 10.0.0.3/32 port 6001 to any -> ne0 port 6001
> nat on ne0 proto udp from 10.0.0.3/32 port 6999 to any -> ne0 port 6999
>
> Is this possible?

With -current, yes:

nat on ne0 proto udp from 10.0.0.3 port 5999 >< 7000 to any \
    -> ne0 static-port

Daniel
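The single rule above leans on two pf.conf(5) details that are easy to get wrong: `static-port` tells pf to leave the UDP source port alone instead of rewriting it, and `><` is an exclusive range, so `port 5999 >< 7000` matches 6000 through 6999 but neither bound. The following is an added example for this thread, not code from the list posts or from the pf project: a small Python model of the pf port operators (as documented in pf.conf(5)) that expands a port specification to the exact set of ports it matches, so you can confirm before loading a ruleset that a range covers what you intended. The operator semantics are modelled from the man page; the `matches_exactly` helper and the sample specifications are my own.

```python
"""Expand pf.conf(5) port specifications to the exact set of ports matched.

Added example, not part of the original mailing-list thread.  Operator
semantics follow pf.conf(5); the helper names are this example's own.
"""
import re

PORT_MIN, PORT_MAX = 0, 65535
ALL_PORTS = frozenset(range(PORT_MIN, PORT_MAX + 1))

# "N >< M", "N <> M" and "N:M" take two operands; everything else takes one.
_RANGE_RE = re.compile(r"^(\d+)\s*(><|<>|:)\s*(\d+)$")
_UNARY_RE = re.compile(r"^(!=|<=|>=|=|<|>)?\s*(\d+)$")


def _port(text: str) -> int:
    """Parse one port number and reject values outside 0..65535."""
    n = int(text)
    if not PORT_MIN <= n <= PORT_MAX:
        raise ValueError(f"port {n} out of range")
    return n


def expand_port_spec(spec: str) -> frozenset[int]:
    """Return the set of ports a pf.conf port specification matches.

    Operators, per pf.conf(5):
      N, = N        exactly N
      != N          every port except N
      < N, <= N, > N, >= N
      N:M           inclusive range, N <= port <= M
      N >< M        exclusive range, N < port < M (neither bound matches)
      N <> M        inverse range, port < N or port > M (neither bound matches)
    """
    s = spec.strip()
    m = _RANGE_RE.match(s)
    if m:
        lo, op, hi = _port(m.group(1)), m.group(2), _port(m.group(3))
        if op == ":":
            return frozenset(range(lo, hi + 1))
        if op == "><":
            return frozenset(range(lo + 1, hi))
        return ALL_PORTS - frozenset(range(lo, hi + 1))  # "<>"
    m = _UNARY_RE.match(s)
    if not m:
        raise ValueError(f"unsupported port specification: {spec!r}")
    op, n = m.group(1) or "=", _port(m.group(2))
    if op == "=":
        return frozenset({n})
    if op == "!=":
        return ALL_PORTS - {n}
    if op == "<":
        return frozenset(range(PORT_MIN, n))
    if op == "<=":
        return frozenset(range(PORT_MIN, n + 1))
    if op == ">":
        return frozenset(range(n + 1, PORT_MAX + 1))
    return frozenset(range(n, PORT_MAX + 1))  # ">="


def matches_exactly(spec: str, first: int, last: int) -> bool:
    """True if ``spec`` matches every port in first..last and nothing else."""
    return expand_port_spec(spec) == frozenset(range(first, last + 1))


if __name__ == "__main__":
    # The range from the thread's static-port rule covers exactly 6000-6999.
    print(matches_exactly("5999 >< 7000", 6000, 6999))  # True
    # Writing the wanted bounds directly with >< loses both endpoints.
    print(matches_exactly("6000 >< 6999", 6000, 6999))  # False
    # The ':' operator is inclusive and says the same thing as 5999 >< 7000.
    print(matches_exactly("6000:6999", 6000, 6999))  # True
```

Run it as a script to see the three checks, or import `expand_port_spec` and compare the set it returns for a candidate `port` clause against the ports the application actually uses before committing the rule with pfctl.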