Your VPN software must support NAT traversal (NAT-T) to work behind NAT.
HJ.

On Mon, May 30, 2005 at 12:16:02PM +0530, Suresh Myneni wrote:
> Hopefully someone will be able to help me with a VPN client
> connectivity problem. Using Contivity VPN client on Windows 2K going
> through OpenBSD 3.7 PF/NAT
> 
> I have three workstations behind the firewall using private IPs. The
> internet usage is fine on all the machines. But when I use Contivity
> VPN client through NAT on a single machine to connect to the remote
> site, I am able to connect fine. When I use the second machine to
> connect to the remote site using the VPN client, the VPN client fails
> in the last stage of establishing the connection. It gives me a
> message "Checking for banner text from x.x.x.x" and then disconnects.
> 
> The first machine I use to connect to the client's VPN server is
> working fine. When the first VPN connection is active, and when I try
> to connect the second machine, it is not able to connect to the
> VPN server.
> Is it something to do with the traffic routing in the private network
> between the client machines and the router? Please advise.
> 
> Here is my ruleset.
> # Define useful variables
> ExtIF="fxp0" # External Interface
> NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12 }"
> 
> # Clean up fragmented and abnormal packets
> scrub in all
> 
> #nat goes here now
> nat on $ExtIF from 192.168.1.1/24 to any -> $ExtIF
> 
> # don't allow anyone to spoof non-routeable addresses
> block in quick on $ExtIF from $NoRouteIPs to any
> block out quick on $ExtIF from any to $NoRouteIPs
> 
> # block various nmap shyte
> block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
> block in quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
> block in quick on $ExtIF inet proto tcp from any to any flags /SFRA
> block in quick on $ExtIF inet proto tcp from any to any flags F/SFRA
> block in quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
> block in quick on $ExtIF inet proto tcp from any to any flags P
> 
> # by default, block all incoming packets, except those explicitly
> # allowed by further rules
> block in on $ExtIF all
> 
> # Allow isakmp
> pass in quick on $ExtIF inet proto udp from any to any port = 500
> pass in quick on $ExtIF inet proto esp from any to any
> 
> # and let out-going traffic out and maintain state on established connections
> # pass out all protocols, including TCP, UDP and ICMP, and create state,
> # so that external DNS servers can reply to our own DNS requests (UDP).
> # ALSO ALLOW isakmp outgoing
> block out on $ExtIF all
> pass out on $ExtIF inet proto tcp all flags S/SA keep state
> pass out on $ExtIF inet proto udp from any to any port = 500
> pass out on $ExtIF inet proto esp from any to any
> pass out on $ExtIF inet proto udp all keep state
> pass out on $ExtIF inet proto icmp all keep state
> 
> Am I missing something? I am new to OpenBSD. I was very hopeful of
> building a firewall that I could use with my small office setup that
> connects to a client site via VPN. I picked up the above ruleset from
> the internet. If someone can suggest a better ruleset, that would be
> great also.
> Please help.
> Thanks
> Suresh
> 

-- 
pub  1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer <[EMAIL PROTECTED]>
Key fingerprint = 83D2 436A 0D3C 34A9 E0FF  4C33 35F6 617C 513A EFD9
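The collision HJ's reply points at, as an added illustration that is not part of the original mail or of pf: a toy NAT state table showing why a second IPsec client behind the same NAT gets no replies with plain ESP, while NAT-T (ESP in UDP/4500) gives each client its own external port. All addresses and ports are constructed.

```python
from typing import Dict, Optional, Tuple

EXT_IP = "203.0.113.5"     # firewall's external address (constructed)
GATEWAY = "198.51.100.9"   # remote VPN gateway (constructed)
HOST_A, HOST_B = "192.168.1.10", "192.168.1.11"   # two inside clients


class ToyNat:
    """Port-translating NAT that keys return traffic only on fields it will
    see again in the gateway's reply (addresses, protocol, ports)."""

    def __init__(self, ext_ip: str) -> None:
        self.ext_ip = ext_ip
        self.next_port = 40000
        self.state: Dict[Tuple, str] = {}   # return-key -> inside host

    def outbound(self, host: str, proto: str) -> Tuple:
        """Translate an inside->gateway packet and record the return-key."""
        if proto == "udp":                    # NAT-T: ESP carried in UDP/4500
            ext_port = self.next_port         # each client gets its own port
            self.next_port += 1
            key = ("udp", GATEWAY, 4500, ext_port)
        else:                                 # plain ESP (IP proto 50): no ports,
            key = ("esp", GATEWAY)            # and the reply SPI is the peer's choice
        self.state.setdefault(key, host)      # first mapping wins, second collides
        return key

    def inbound(self, proto: str, sport: int = 0, dport: int = 0) -> Optional[str]:
        """Pick the inside host for a gateway->ext_ip reply, if decidable."""
        key = ("udp", GATEWAY, sport, dport) if proto == "udp" else ("esp", GATEWAY)
        return self.state.get(key)


def two_clients(nat_t: bool) -> Tuple[Optional[str], Optional[str]]:
    """Two hosts connect to the same gateway; return who receives each reply."""
    nat = ToyNat(EXT_IP)
    proto = "udp" if nat_t else "esp"
    key_a = nat.outbound(HOST_A, proto)
    key_b = nat.outbound(HOST_B, proto)
    if nat_t:   # reply carries the external port the NAT assigned to each host
        return nat.inbound("udp", 4500, key_a[3]), nat.inbound("udp", 4500, key_b[3])
    # plain ESP: both replies look identical to the NAT, so both go to HOST_A
    return nat.inbound("esp"), nat.inbound("esp")


if __name__ == "__main__":
    print("plain ESP :", two_clients(nat_t=False))   # second client starved
    print("NAT-T     :", two_clients(nat_t=True))    # each client gets its reply
```

Without NAT-T the second client's replies are delivered to the first host, which matches the "Checking for banner text" hang reported above.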
