Forgive me in advance if I miss something crucial. And sorry if this is too long-winded.
I have since 3.2-release been having trouble maintaining a VPN client connection (cisco client/cisco concentrator) when connected from my windoze laptop through my OpenBSD firewall at home to work. My firewall connects to an adsl modem. I have two nics on the firewall, one for external traffic, one for my lan. All nics on the firewall are Linksys Etherlink LNE 100TX. I have a single public static IP address.
Certain operations/applications are fine for a period of time and others seem to freeze things up quickly when connected to work over the VPN. Ultimately I am unable to ping the concentrator or any hosts on my work LAN. I can ping and access all local LAN resources. I can ssh over to the firewall and it can ping the concentrator. If I look at the memory, network and disk utilization during this the firewall is like 99.8 percent idle.
In particular, we use Perforce as our source code repository. I can reliably bring things down with a p4 sync. It seems to pull about 5-6 files and then the whole thing stalls. For example, in one test I made an ssh connection to one of our hosts at work and started a continuous ping (in the cygwin window) to another host. I did a p4 sync and everything stopped in the cygwin window as well as the command window where I was doing the perforce sync. Eventually my VPN connection seems to time out. If I disconnect, I can again ping the VPN concentrator.
Troubleshooting tried:
1. Laptop outside the OpenBSD firewall connects fine to vpn concentrator with vpn client and p4 sync doesn't kill any connectivity.
2. Someone suggested turning off the media option full-duplex on the nics on the firewall. I tried this and it didn't make any difference.
3. Someone else suggested using the Cisco Set MTU utility to drop the MTU down to 576. I did this and verified that it was this low by trying to ping with packets of a greater size with the don't fragment ping command line option. This did not seem to help things.
4. I have tried scrub in all, scrub in all no-df, scrub in and out (with and without no-df), no scrub directives at all. This doesn't seem to make a difference for my testing of this problem.
5. I added keep-state on all my pass rules.
6. I added log on all my block rules.
7. Ultimately I enabled debug logging with pfctl -gxm and have pasted a 'sanitized' snippet from /var/log/messages. There are a lot of "BAD state" messages.
I have also captured several ethereal packet captures. I would be happy to send to anyone if what I have here is not helpful enough.
I have read through the mailing list archives and read anecdotal evidence of people getting things working but everything I have tried has failed or nothing I have read conclusively says this is the exact setup you want. Except, a couple days ago I read a reply to a message on [EMAIL PROTECTED] which was thanking someone for suggesting changing the Transparent Tunnelling setting in the cisco client from "Use IPSec over TCP (NAT/PAT/Firewall)" to "Allow IPSec over UDP (NAT/PAT)."
I did this, and everything that was giving me troubles is working great. This puzzles me and is why I am posting. Is there something about tunnelling IPSec through pf that breaks things? For me, it is very reproducible and I would be grateful if anyone would be interested in suggesting additional tests for me to perform. I would be happy to clean up my pf.conf and collect this again if it would help. Like I said, I am at 3.3-stable.
Please find previously mentioned snippet from /var/log/messages and my pf.conf.
Regards and thanks for reading this far, scott rankin
...
'sanitized': 192.168.2.2 is my laptop's internal IP address, my.ip.addr.ess is my static IP from my ISP, and vpn.cx.ip.addr is the IP address of the Cisco concentrator I connect to at work. boing is the hostname for my OpenBSD box.
Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61441103 ack=16849039 len=628 ackskew=508 pkts=496 dir=in,rev
Jul 10 14:13:13 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61441731 ack=16849131 len=628 ackskew=416 pkts=497 dir=in,rev
Jul 10 14:13:13 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61442359 ack=16849131 len=628 ackskew=416 pkts=498 dir=in,rev
Jul 10 14:13:13 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61442987 ack=16849231 len=628 ackskew=316 pkts=499 dir=in,rev
Jul 10 14:13:13 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61443615 ack=16849331 len=628 ackskew=216 pkts=500 dir=in,rev
Jul 10 14:13:13 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61444243 ack=16849439 len=628 ackskew=108 pkts=501 dir=in,rev
Jul 10 14:13:13 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:14 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61444871 ack=16849547 len=628 ackskew=0 pkts=502 dir=in,rev
Jul 10 14:13:14 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:19 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850195 ack=61396987 len=284 ackskew=0 pkts=431 dir=in,fwd
Jul 10 14:13:19 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:26 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850479 ack=61396987 len=108 ackskew=0 pkts=432 dir=in,fwd
Jul 10 14:13:26 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:32 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850587 ack=61396987 len=108 ackskew=0 pkts=433 dir=in,fwd
Jul 10 14:13:32 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:35 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850695 ack=61396987 len=108 ackskew=0 pkts=434 dir=in,fwd
Jul 10 14:13:35 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:36 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850803 ack=61396987 len=108 ackskew=0 pkts=435 dir=in,fwd
Jul 10 14:13:36 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:37 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850911 ack=61396987 len=108 ackskew=0 pkts=436 dir=in,fwd
Jul 10 14:13:37 boing /bsd: pf: State failure on: 1 |
Jul 10 14:13:37 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16851019 ack=61396987 len=108 ackskew=0 pkts=437 dir=in,fwd
Jul 10 14:13:37 boing /bsd: pf: State failure on: 1 |
# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Last modified: 7/14/03 - scott #
# Macros: define common values, so they can be referenced and changed easily.
ext_if="dc0"
int_if="dc1"
internal_net="192.168.2.0/24"
external_addr="my.ip.addr.ess"
vpn_client_addr="192.168.2.2"
vpn_addr="vpn.cx.ip.addr"
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
set loginterface $ext_if
#set optimization normal
#set block-policy drop
#set require-order yes
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
binat on $ext_if from $vpn_client_addr to $vpn_addr -> $external_addr
nat on $ext_if from $internal_net to !$vpn_addr -> ($ext_if)
# Filtering: the implicit first two rules are
#pass in all
#pass out all
block in log all
block out log all
# quick blocks
block out quick on $ext_if from ! $ext_if
block in quick on $ext_if to ! $ext_if
# quick pass
# don't filter the loopback
pass in quick on lo0 all
pass out quick on lo0 all
# pass the vpn stuff...
pass in quick on $ext_if inet proto tcp from $vpn_addr port 10000 to any keep state
pass in quick on $ext_if inet proto udp from $vpn_addr port 500 to any keep state
pass in quick on $ext_if inet proto esp from $vpn_addr to any keep state
pass out quick on $ext_if inet proto udp from any to $vpn_addr port 500 keep state
pass out quick on $ext_if inet proto tcp from any to $vpn_addr port 10000 keep state
pass out quick on $ext_if inet proto esp from any to $vpn_addr keep state
# pass all outgoing tcp and udp
# connections and keep state.
# internal LAN
pass in quick on $int_if from any to any keep state
pass out quick on $int_if from any to any keep state
# external if
pass out on $ext_if proto { tcp, udp, esp, icmp } all keep state
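The "BAD state" lines in the log above can be checked mechanically. The following is an added example, not part of the original post and not pf's own code: it parses two of the quoted log lines (copied here as sample input), computes how far each packet's sequence range (seq plus len) runs past the window pf was tracking for the sender, and re-derives the ackskew field from the peer window. Picking the sender's window as the one whose lo is closest to the packet's seq is an assumption of the example, not something pf documents.

```python
import re
from typing import Dict, List

# Matches the pf "BAD state" lines quoted in the post (OpenBSD 3.x log format).
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP \S+ \S+ \S+ "
    r"\[lo=(?P<lo1>\d+) high=(?P<hi1>\d+) win=(?P<win1>\d+) modulator=\d+\] "
    r"\[lo=(?P<lo2>\d+) high=(?P<hi2>\d+) win=(?P<win2>\d+) modulator=\d+\] "
    r"\S+ \S+ seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=\d+ dir=(?P<dir>[\w,]+)"
)

# Two lines copied from the post's /var/log/messages snippet (one per direction).
SAMPLE_LINES = [
    "Jul 10 14:13:13 boing /bsd: pf: BAD state: TCP 192.168.2.2:1960 my.ip.addr.ess:1960 vpn.cx.ip.addr:10000 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=61441103 ack=16849039 len=628 ackskew=508 pkts=496 dir=in,rev",
    "Jul 10 14:13:19 boing /bsd: pf: BAD state: TCP vpn.cx.ip.addr:10000 vpn.cx.ip.addr:10000 192.168.2.2:1960 [lo=16849547 high=16849823 win=4096 modulator=0] [lo=61396987 high=61397315 win=4096 modulator=0] 4:4 A seq=16850195 ack=61396987 len=284 ackskew=0 pkts=431 dir=in,fwd",
]


def analyze(line: str) -> Dict[str, int]:
    """Compare one packet against the two sequence windows pf printed for it."""
    m = BAD_STATE_RE.search(line)
    if not m:
        raise ValueError("not a pf BAD state line: %r" % line)
    g = {k: int(v) for k, v in m.groupdict().items() if k != "dir"}
    seq, ack, seq_end = g["seq"], g["ack"], g["seq"] + g["len"]
    windows = [(g["lo1"], g["hi1"]), (g["lo2"], g["hi2"])]
    # Assumption: the sender's own window is the one whose lo lies closest to
    # the packet's seq; the other window is what the packet's ack refers to.
    own, peer = sorted(windows, key=lambda w: abs(seq - w[0]))
    return {
        "dir": m.group("dir"),
        "seq_end": seq_end,
        # bytes by which seq+len runs past the highest sequence pf tracked
        "past_window": seq_end - own[1],
        # ackskew as logged by pf: peer window lo minus the ack in the packet
        "ackskew": peer[0] - ack,
        "ackskew_logged": g["ackskew"],
    }


def count_outside(lines: List[str]) -> int:
    """Number of logged packets whose data ends beyond the tracked window."""
    return sum(1 for ln in lines if analyze(ln)["past_window"] > 0)
```

On the post's data the concentrator-to-client packet ends 44416 bytes past the tracked high value and the client-to-concentrator packet 656 bytes past it, so every logged packet is outside the window pf would accept, which is consistent with the port 10000 tunnel not advancing sequence numbers the way the state table expects.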
