I am having problems with IPFilter and NAT-T traffic. Things start out as expected: IKE starts on 500/udp, figures out that one end is behind NAT, and switches to 4500/udp. The IKE negotiations proceed normally. But then the encapsulated ESP over 4500/udp gets stopped by the firewall.
The initial 4500/udp traffic is matching a rule like,

pass out quick on vr0 proto udp from any to any keep state keep frags

And I see it in ipfstat -t output,

Source IP            Destination IP        ST   PR   #pkts  #bytes  ttl
192.168.129.1,4500   <redacted>.232,4500   0/0  udp  105    19464   1:57

But the firewall is blocking the encapsulated ESP,

Aug 27 22:39:47 <local0.warn> net5501 ipmon[888]: 22:39:46.341338 vr0 @0:7 b <redacted>.232,4500 -> 192.168.129.1,4500 PR udp len 20 144 IN bad NAT
Aug 27 22:39:48 <local0.warn> net5501 ipmon[888]: 22:39:47.339995 vr0 @0:7 b <redacted>.232,4500 -> 192.168.129.1,4500 PR udp len 20 144 IN bad NAT
Aug 27 22:39:49 <local0.warn> net5501 ipmon[888]: 22:39:48.341286 vr0 @0:7 b <redacted>.232,4500 -> 192.168.129.1,4500 PR udp len 20 144 IN bad NAT

However, if I add a rule,

echo '@10 pass in quick proto udp from <redacted>.232/32 port = 4500 to 192.168.129.0/24 group 2000' | ipf -f-

the traffic matches that rule and passes through the firewall. But this traffic should have matched the stateful rule. As we can see, ipnat knows what to do with it and handles it just fine.

What I think is going on has to do with UDP checksums. The IKE traffic over 4500/udp has UDP checksums. The encapsulated ESP traffic over 4500/udp does not (the cksum field is 0000). I'm not sure what's going on here. I haven't dug through the source code yet. My first guess would be that ipnat would kick in thinking it had to fix up the UDP checksums, and end up putting in bogus checksums when the zero-sum packets start coming. But that doesn't match the fact that if I add that additional rule, things work. If the firewall was messing up in NAT, I would think that things would just break. Period. No rule changes could fix it. I'm not sure what's going on.

FreeBSD 7.0-RELEASE.

net5501# ipf -V
ipf: IP Filter: v4.1.28 (404)
Kernel: IP Filter: v4.1.28
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0x10e

The complete ruleset is long. But if someone wants it, I can send it to the list.

The VPN is the Cisco VPN client for Windows 4.0.3(C) going to a Cisco VPN 3000 concentrator.

-- 
Crist J. Clark | [EMAIL PROTECTED]
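As an added example (not part of the post above, and not IPFilter or Cisco code), the script below shows the two mechanics the post's hypothesis turns on: how a UDP/4500 NAT-T packet is told apart as IKE (four-byte Non-ESP marker), NAT-keepalive (single 0xFF byte) or UDP-encapsulated ESP per RFC 3948, and what a NAT that rewrites the source address has to do with the UDP checksum (RFC 768 pseudo-header): recompute a nonzero one, and leave a zero one alone, since RFC 3948 says the checksum on encapsulated ESP SHOULD be sent as zero and receivers MUST NOT depend on it. It also parses ipmon lines in the format the post shows and picks out the blocked UDP/4500 entries. The addresses 203.0.113.232 (standing in for the redacted concentrator) and 198.51.100.7 (the NAT's public address) and the sample log lines are constructed; the checksum test vector is the one from RFC 1071.

```python
"""NAT-T (RFC 3948) UDP/4500 packet classification, UDP checksum handling
across a NAT, and an ipmon log parser. Added example; all addresses and
log lines below are constructed, not taken from the original post."""
import ipaddress
import re
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE over 4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: keepalive is a single 0xFF byte


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded and complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, seg: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the segment (RFC 768).
    The caller passes the segment with its checksum field zeroed. A computed
    value of 0 is sent as 0xFFFF, because 0 on the wire means 'no checksum'."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, len(seg)))
    return inet_checksum(pseudo + seg) or 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum):
    """Build a UDP segment; with_checksum=False leaves the field 0 (absent)."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    seg = hdr + payload
    if with_checksum:
        seg = hdr[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + payload
    return seg


def verify_udp(src_ip, dst_ip, seg):
    """'absent' for a zero checksum field, otherwise 'ok' or 'bad'."""
    wire = struct.unpack("!H", seg[6:8])[0]
    if wire == 0:
        return "absent"
    zeroed = seg[:6] + b"\x00\x00" + seg[8:]
    return "ok" if udp_checksum(src_ip, dst_ip, zeroed) == wire else "bad"


def classify_nat_t(payload: bytes) -> str:
    """What a UDP/4500 payload carries, per RFC 3948 sections 2.1-2.3."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    # Anything other than the zero marker in the first 4 bytes is an ESP SPI.
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def nat_rewrite(new_src_ip, dst_ip, seg):
    """The checksum side of a source NAT: the pseudo-header changed, so a
    nonzero checksum must be recomputed; a zero checksum stays zero."""
    if struct.unpack("!H", seg[6:8])[0] == 0:
        return seg
    zeroed = seg[:6] + b"\x00\x00" + seg[8:]
    return seg[:6] + struct.pack("!H", udp_checksum(new_src_ip, dst_ip, zeroed)) + seg[8:]


# ipmon line format as shown in the post: the syslog prefix is skipped by search().
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<len>\d+) (?P<dir>IN|OUT)(?P<flags>.*)$")


def parse_ipmon(line: str):
    m = IPMON_RE.search(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"].split()   # e.g. ['bad', 'NAT']
    return entry


def blocked_nat_t(lines):
    """Blocked ('b') UDP entries with 4500 as source or destination port."""
    hits = []
    for line in lines:
        e = parse_ipmon(line)
        if e and e["action"] == "b" and e["proto"] == "udp" and str(NAT_T_PORT) in (e["sport"], e["dport"]):
            hits.append(e)
    return hits


# Constructed sample log lines (203.0.113.232 stands in for the redacted address).
SAMPLE_LOG = [
    "Aug 27 22:39:47 <local0.warn> net5501 ipmon[888]: 22:39:46.341338 vr0 @0:7 b "
    "203.0.113.232,4500 -> 192.168.129.1,4500 PR udp len 20 144 IN bad NAT",
    "Aug 27 22:39:47 <local0.warn> net5501 ipmon[888]: 22:39:46.500000 vr0 @0:7 p "
    "203.0.113.232,4500 -> 192.168.129.1,4500 PR udp len 20 144 IN",
    "Aug 27 22:39:48 net5501 kernel: unrelated line",
]

if __name__ == "__main__":
    for e in blocked_nat_t(SAMPLE_LOG):
        print(e["time"], e["src"], "->", e["dst"], e["flags"])
```

Run it as a script to see the blocked entries; the functions are plain enough to import into a larger log-triage tool. The one design point worth noting is in nat_rewrite: both the recomputed nonzero checksum and the untouched zero checksum are valid on the wire, so a receiver that validates checksums accepts the IKE packet after translation and skips the ESP packet entirely.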
