Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-11-18 Thread Chris
I banged my head on this for a while before I realized our network admin 
probably had the Cisco PIX VPN config to only work with UDP, not TCP.  
Our default config is to use UDP, but that didn't work for me on pfsense 
v.86.  After I read the e-mail below I stopped trying to connect over 
UDP. (Stupid me.  I'm a sysadmin, not a netadmin.)  While I was typing 
up the "please help me" e-mail I realized that TCP was not configured at 
the endpoint in the office, and for giggles I tried UDP.  I was amazed 
at how fast it connected.  It worked with IPSec Passthrough disabled and 
enabled.


This was killing me because pfsense was noticeably faster than my old 
LinkSys, but VPN had to work so I could connect to my office.



Thanks for a fast and easy firewall!

Chris


stephan schneider wrote:


 i am trying to get a (NATed) connection to an external VPN using
  the cisco vpn client. Unfortunately it just doesn't work -
  no connection. I added the port 500 (isakmp) and allowed ESP to pass
  the firewall. But I think there's more to do to get NAT-Traversal
  to work  :-(

Got the solution.

In the vpn client connection configuration you have to choose
IPSec over TCP and of course Enable Transparent Tunnel.


No custom rules, no IPSec passthru (that's a different approach),
no custom nat rules (only the default: nat all lan) are needed.


Thanks Bill!
Have a nice day.
Stefan.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-11-18 Thread Chris
It did not work with IPSec Passthrough disabled.  I must have tested too 
quickly after disabling it.  I tried again an hour later and I could not 
connect to the office.  I enabled passthrough and I was fine.


Sorry for any confusion.





Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Tommaso Di Donato
On 10/16/05, stephan schneider [EMAIL PROTECTED] wrote:
 Got the solution.
 In the vpn client connection configuration you have to choose
 IPSec over TCP and of course Enable Transparent Tunnel.
 No custom rules, no IPSec passthru (that's a different approach),
 no custom nat rules (only the default: nat all lan) are needed.
Mmmh, sounds very strange... IPsec NAT-T is usually achieved as IPsec over UDP...
(http://wiki.openswan.org/index.php/Firewalls)
...and from what I know, Cisco VPN is using exactly this.

What kind of implementation is currently used?

Please, could someone check if pfSense is really encapsulating over 4500/UDP, or something different?
TIA

Tom



Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Tommaso Di Donato
On 10/18/05, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/18/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
  Mmmh, sounds very strange... IPsec NAT-T is usually achieved as IPsec over UDP...
  (http://wiki.openswan.org/index.php/Firewalls)
  ...and from what I know, Cisco VPN is using exactly this.
  What kind of implementation is currently used?
  Please, could someone check if pfSense is really encapsulating over 4500/UDP, or something different?
 pfSense isn't encapsulating anything, that's the job of the client.
 In this case it sounds like the client needed some extra config to do
 NAT-T correctly.
Maybe I did not explain myself very well: IPsec natively does not permit
bypassing a NAT gateway. So a few solutions have been adopted, one of them is
NAT-T (that is, IPsec over UDP). I do not mean that it is pfSense that
must do this: generally it is the OS IPsec implementation that takes it
into account (during the very first exchanges between the two parties,
and so on).
I only would like to know if racoon (I think racoon is the one that
manages IPsec VPNs) uses NAT-T or another mechanism for bypassing the NAT
limitation...

Sorry
Tom
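Tom's question above ("is pfSense really encapsulating over 4500/UDP, or something different?") is easiest to settle from a packet capture on the pfSense WAN side rather than from the configuration. The following is an added example and is not code from this thread, from pfSense, racoon or the Cisco client: a small Python classifier that takes UDP payloads captured on ports 500 and 4500 and reports whether they are plain IKE, IKE behind the RFC 3948 non-ESP marker, UDP-encapsulated ESP, or a NAT keepalive, and whether the IKE peer advertised RFC 3947 NAT-T (Vendor ID payload) or is already running NAT detection (NAT-D payloads). The header layouts, the four-zero-byte marker, the 0xFF keepalive and the RFC 3947 Vendor ID are real; the sample datagrams, cookies, SPIs and payload bodies are constructed placeholders.

```python
import hashlib
import struct

# Real wire-format constants (RFC 2408 ISAKMP header, RFC 3947/3948 NAT-T).
# Everything below the builders is constructed test data, not captured traffic.
ISAKMP_HDR = ">8s8sBBBBII"   # I-cookie, R-cookie, next payload, version, exchange, flags, msg ID, length
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)     # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"             # RFC 3948: IKE inside UDP/4500 starts with four zero bytes
NAT_KEEPALIVE = b"\xff"                          # RFC 3948: a single 0xFF byte refreshes the NAT mapping
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_HASH, PAYLOAD_NONCE = 1, 4, 8, 10
PAYLOAD_VENDOR_ID, PAYLOAD_NAT_D = 13, 20        # NAT-D is the RFC 3947 NAT-Discovery payload
RFC3947_VID = hashlib.md5(b"RFC 3947").digest()  # Vendor ID a peer sends to advertise NAT-T support
EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational",
                  32: "Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH"}


def parse_isakmp(data):
    """Parse an ISAKMP/IKE header and walk its payload chain; raise ValueError on junk."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _i_cookie, r_cookie, next_type, version, exchange, _flags, msg_id, length = \
        struct.unpack(ISAKMP_HDR, data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError("ISAKMP length %d != datagram length %d" % (length, len(data)))
    payloads, off = [], ISAKMP_HDR_LEN
    while next_type != 0:                        # next payload 0 = end of chain
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((next_type, data[off + 4:off + plen]))
        next_type, off = nxt, off + plen
    vendor_ids = [body for ptype, body in payloads if ptype == PAYLOAD_VENDOR_ID]
    return {
        "version": "%d.%d" % (version >> 4, version & 0xF),
        "exchange": EXCHANGE_NAMES.get(exchange, "type %d" % exchange),
        "msg_id": msg_id,
        "responder_cookie_set": r_cookie != b"\x00" * 8,
        "nat_t_advertised": RFC3947_VID in vendor_ids,                   # peer offers RFC 3947 NAT-T
        "nat_d_present": any(p == PAYLOAD_NAT_D for p, _ in payloads),   # NAT detection is running
    }


def classify_datagram(dst_port, payload):
    """Say what one UDP datagram sent to dst_port carries."""
    if dst_port == 500:
        return dict(kind="isakmp", **parse_isakmp(payload))
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if payload.startswith(NON_ESP_MARKER):   # IKE moved to 4500 after NAT was detected
            return dict(kind="isakmp-nat-t", **parse_isakmp(payload[4:]))
        if len(payload) < 8:
            return {"kind": "malformed"}
        # An ESP SPI is never zero, so anything else on 4500 is UDP-encapsulated ESP (SPI, sequence, ...).
        spi, seq = struct.unpack(">II", payload[:8])
        return {"kind": "esp-udp", "spi": spi, "seq": seq}
    return {"kind": "not-ipsec"}


def build_isakmp(exchange, payloads, msg_id=0, r_cookie=b"\x00" * 8):
    """Build a syntactically valid IKEv1 message from (type, body) pairs. Test data only."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(">BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(ISAKMP_HDR, b"\x11" * 8, r_cookie, first, 0x10, exchange, 0, msg_id,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body


# Constructed samples: cookies, SPIs and payload bodies are placeholders, not real negotiations.
SAMPLE_MM1_500 = build_isakmp(2, [(PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_VENDOR_ID, RFC3947_VID)])
SAMPLE_MM3_500 = build_isakmp(2, [(PAYLOAD_KE, b"\x00" * 128), (PAYLOAD_NONCE, b"\x00" * 16),
                                  (PAYLOAD_NAT_D, b"\x00" * 20), (PAYLOAD_NAT_D, b"\x00" * 20)],
                              r_cookie=b"\x22" * 8)
SAMPLE_AGGR_500 = build_isakmp(4, [(PAYLOAD_SA, b"\x00" * 8)])
SAMPLE_QM_4500 = NON_ESP_MARKER + build_isakmp(32, [(PAYLOAD_HASH, b"\x00" * 16)],
                                               msg_id=0x1234, r_cookie=b"\x22" * 8)
SAMPLE_ESP_4500 = struct.pack(">II", 0x0A1B2C3D, 7) + b"\xde\xad" * 20
SAMPLE_KEEPALIVE_4500 = NAT_KEEPALIVE

if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_MM1_500), (500, SAMPLE_MM3_500), (500, SAMPLE_AGGR_500),
                      (4500, SAMPLE_QM_4500), (4500, SAMPLE_ESP_4500), (4500, SAMPLE_KEEPALIVE_4500)]:
        print(port, classify_datagram(port, pkt))
```

Feed it the UDP payloads from a capture on the WAN interface: "isakmp-nat-t" or "esp-udp" on 4500 means the client and the remote gateway negotiated RFC 3947/3948 NAT-T, and "nat_t_advertised" on the first Main Mode message tells you whether the peer even offered it. The Cisco client's "IPSec over TCP" option that Stefan ended up using is a TCP connection, so it shows up on neither UDP port; this classifier would report it as "not-ipsec", which is itself the answer that the UDP NAT-T path was not in use.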



Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Chris Buechler

Tommaso Di Donato wrote:

Maybe I did not explain myself very well: IPsec natively does not permit 
bypassing a NAT gateway. So a few solutions have been adopted, one of 
them is NAT-T (that is, IPsec over UDP). I do not mean that it is 
pfSense that must do this: generally it is the OS IPsec implementation 
that takes it into account (during the very first exchanges between the 
two parties, and so on).
I only would like to know if racoon (I think racoon is the one that 
manages IPsec VPNs) uses NAT-T or another mechanism for bypassing the NAT 
limitation...




In the case of VPNs that are terminated on pfsense boxes, it is racoon, 
and very recently a kernel patch was added to test NAT-T support with 
ipsec-tools.  I'm not sure if it's even made it into a public release 
yet.  It'll be there soon if not, but needs testing. 





Re: [pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-10-18 Thread Tommaso Di Donato
On 10/18/05, Chris Buechler [EMAIL PROTECTED] wrote:
 In the case of VPNs that are terminated on pfsense boxes, it is racoon,
 and very recently a kernel patch was added to test NAT-T support with
 ipsec-tools. I'm not sure if it's even made it into a public release
 yet. It'll be there soon if not, but needs testing.
Thank you very much.
If you like, I will try to do some tests (not now, but in the near future), and will share my results.

Tom



Re: [pfSense Support] VPN NAT Traversal

2005-10-16 Thread stephan schneider


I forgot:
Firewall->NAT->Outbound: "Enable IPSec passthru" is enabled - don't know
if that option has an influence on the problem




Re: [pfSense Support] VPN NAT Traversal

2005-10-16 Thread Bill Marquette
On 10/16/05, stephan schneider [EMAIL PROTECTED] wrote:
 Hello Folks,

 i am trying to get a (NATed) connection to an external VPN using
 the cisco vpn client. Unfortunately it just doesn't work -
 no connection. I added the port 500 (isakmp) and allowed ESP to pass
 the firewall. But I think there's more to do to get NAT-Traversal
 to work :-(

 According to
 http://kerneltrap.org/node/2948
 it is necessary to set up the rule:
 nat on $ext_if inet proto { tcp, udp } from $internal port = 500 to any -> ($ext_if:0) port 500

 How can this rule be set using the GUI?

This is enabled by default unless you use advanced outbound NAT.
Make sure:
Firewall->NAT->Outbound:  Enable IPSec passthru
is checked.

 I am using pfsense-0.86.4.

Should be working in 0.86.4, I did introduce a bug a version or two
back that broke IPSec passthru, but I believe the fix for that made it
into 86.4 (hard to say, my boxes are usually running some Frankenstein
version).  If you send in your /tmp/rules.debug, I'd be willing to
take a quick peek and make sure the NAT rule is correct.

--Bill




[pfSense Support] Solution: Re: [pfSense Support] VPN NAT Traversal (CISCO VPN Client)

2005-10-16 Thread stephan schneider

 i am trying to get a (NATed) connection to an external VPN using
  the cisco vpn client. Unfortunately it just doesn't work -
  no connection. I added the port 500 (isakmp) and allowed ESP to pass
  the firewall. But I think there's more to do to get NAT-Traversal
  to work  :-(

Got the solution.

In the vpn client connection configuration you have to choose
IPSec over TCP and of course Enable Transparent Tunnel.


No custom rules, no IPSec passthru (that's a different approach),
no custom nat rules (only the default: nat all lan) are needed.


Thanks Bill!
Have a nice day.
Stefan.
