Re: VPN(8) pf settings

2006-09-13 Thread Jason McIntyre
On Wed, Sep 13, 2006 at 01:00:42AM -0300, Gustavo Rios wrote:
> Dear friends,
> 
> I am starting to learn VPN, and I am very confused with some points.
> For instance, concerning firewall rules.
> 
> It is not clear right now on which interface I should see the
> protocols esp, ipencap, ah, etc. I could not figure out on which
> interface I should filter tcp, udp and application layer traffic like
> dns, http, ftp, ftp-data, etc. between the two networks I am
> connecting ...
> 
> Thanks in advance.

vpn(8) has been removed from the tree for a while now. The official
place to start reading right now is ipsec.conf(5). A simple section on
packet filtering has just been added to that page.

Read through it. If stuff doesn't make sense, post your questions here.

jmc



Re: VPN(8) pf settings

2006-09-12 Thread Gustavo Rios

What about the ipencap protocol? Where does it play?

On 9/13/06, Robert <[EMAIL PROTECTED]> wrote:

Gustavo Rios wrote:
> Dear friends,
>
> I am starting to learn VPN, and I am very confused with some points.
> For instance, concerning firewall rules.
>
> It is not clear right now on which interface I should see the
> protocols esp, ipencap, ah, etc. I could not figure out on which
> interface I should filter tcp, udp and application layer traffic like
> dns, http, ftp, ftp-data, etc. between the two networks I am
> connecting ...
>
> Thanks in advance.
>
>

Ok, let's keep it simple.

You tunnel your traffic through ipsec.
The packets you want to encrypt go into the enc0 interface. Unencrypted
traffic from the other side originates out of it.
As you have to get the ipsec onto the network, it has to exit/enter on
the physical interface, for example sk0.

You have to pass incoming and outgoing ipsec traffic (the encrypted
traffic) on the physical interface.
pass on sk0 proto esp

The actual traffic, the packets you wanted to secure with ipsec, have to
be filtered on the enc0 interface.


Host1: (unencrypted traffic) <--- tcp,udp,whatever ---> enc0 <---
ipsec-magic ---> sk0 <--- esp ---> :Host2


It's a bit early, hope I didn't confuse you too much.

-Robert




Re: VPN(8) pf.conf

2006-09-12 Thread Gustavo Rios

On 9/13/06, Kian Mohageri <[EMAIL PROTECTED]> wrote:

On 9/12/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:

> While reading the VPN(8) manual page, I could not figure out in what
> interface context the following lines apply:
>
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B



No interface is specified so it applies to any interface.  pf.conf(5) makes
that pretty clear.


I think I made no sense. If I wanted to specify an interface, what
would it be?

Thanks in advance.


Kian




Re: VPN(8) pf.conf

2006-09-12 Thread Kian Mohageri
On 9/12/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:
>
> While reading the VPN(8) manual page, I could not figure out in what
> interface context the following lines apply:
>
> # Pass encrypted traffic to/from security gateways
> pass in proto esp from $GATEWAY_B to $GATEWAY_A
> pass out proto esp from $GATEWAY_A to $GATEWAY_B



No interface is specified so it applies to any interface.  pf.conf(5) makes
that pretty clear.

Kian



Re: VPN(8) pf settings

2006-09-12 Thread Robert
Gustavo Rios wrote:
> Dear friends,
> 
> I am starting to learn VPN, and I am very confused with some points.
> For instance, concerning firewall rules.
> 
> It is not clear right now on which interface I should see the
> protocols esp, ipencap, ah, etc. I could not figure out on which
> interface I should filter tcp, udp and application layer traffic like
> dns, http, ftp, ftp-data, etc. between the two networks I am
> connecting ...
> 
> Thanks in advance.
> 
> 

Ok, let's keep it simple.

You tunnel your traffic through ipsec.
The packets you want to encrypt go into the enc0 interface. Unencrypted
traffic from the other side originates out of it.
As you have to get the ipsec onto the network, it has to exit/enter on
the physical interface, for example sk0.

You have to pass incoming and outgoing ipsec traffic (the encrypted
traffic) on the physical interface.
pass on sk0 proto esp

The actual traffic, the packets you wanted to secure with ipsec, have to
be filtered on the enc0 interface.


Host1: (unencrypted traffic) <--- tcp,udp,whatever ---> enc0 <---
ipsec-magic ---> sk0 <--- esp ---> :Host2


It's a bit early, hope I didn't confuse you too much.

-Robert



Re: VPN(8) pf settings

2006-09-12 Thread Axton Grams
Gustavo Rios wrote:
> Dear friends,
> 
> I am starting to learn VPN, and I am very confused with some points.
> For instance, concerning firewall rules.
> 
> It is not clear right now on which interface I should see the
> protocols esp, ipencap, ah, etc. I could not figure out on which
> interface I should filter tcp, udp and application layer traffic like
> dns, http, ftp, ftp-data, etc. between the two networks I am
> connecting ...
> 
> Thanks in advance.
> 
> 
Started learning this myself recently.  Many of the examples require a
lot of thinking to straighten out because they do not offer a topology
of the networks the example config files are against.

I have a vpn working where lan machines can access the dmz network.
Clients are XP and the Router is OpenBSD.

The pf.conf was the last trick after getting isakmpd to negotiate the
main and quick mode sa's.

The network is like this:
DMZ Net: 10.180.16/24
LAN Net: 10.107.208/24

The pf.conf reads like this:

# interfaces
if_lo=   "lo0"
if_ext=  "hme0"
if_int=  "hme1"
if_dmz=  "hme2"
if_enc=  "enc0"

# interface ip's
ip_ext=  "x.x.x.x"
ip_int=  "10.107.208.1"
ip_dmz=  "10.180.16.1"

# interface networks
net_int= "10.107.208.0/24"
net_dmz= "10.180.16.0/24"

# OPTIONS
set block-policy drop
set loginterface $if_ext
set require-order yes
set optimization normal
set state-policy if-bound
set skip on {$if_lo }
set debug none

# NORMALIZATION
scrub all reassemble tcp random-id fragment reassemble \
 no-df min-ttl 24 max-mss 1460

# TRANSLATION
nat on $if_ext inet tag INT_NAT tagged LAN_INET -> ($if_ext)
nat on $if_ext inet tag DMZ_NAT tagged DMZ_INET -> ($if_ext)
nat-anchor "ftp-proxy/*"

# REDIRECTION
rdr-anchor "ftp-proxy/*"

# PACKET FILTERING
block log all
anchor "ftp-proxy/*"
antispoof log quick for $if_ext inet
# allowable traffic to outside networks
pass in  on $if_int from $net_int to ! tag \
 LAN_INET keep state
pass in  on $if_dmz from $net_dmz to ! tag \
 DMZ_INET keep state
# allowable traffic to router from lan
pass in  on $if_int proto udp from $net_int to $ip_int \
 port $proto_router_udp_int_in keep state
pass in  on $if_int proto tcp from $net_int to $ip_int \
 port $proto_router_tcp_int_in modulate state flags S/SA
# allow router access to some external services
pass out on $if_ext from ($if_ext) to any tag RTR_INET
# VPN access for LAN-to-DMZ ipsec
# Passing in encrypted traffic from security gateways
pass in  on $if_int proto esp from $net_int to $ip_int \
 keep state
pass out on $if_int proto esp from $ip_int  to $net_int \
 keep state
# Need to allow ipencap traffic on enc0.
pass in  on $if_enc proto ipencap all keep state
# Passing in traffic from the designated subnets.
# (only allow traffic into dmz, prevent traffic from dmz to lan)
pass in  on $if_enc from $net_int to $net_dmz tag VPN_INT \
 keep state
#pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET
# Passing in isakmpd(8) traffic from the security gateways
pass in  on $if_int proto udp from $net_int to $ip_int \
 port isakmp keep state
pass out on $if_int proto udp from $ip_int  to $net_int \
 port isakmp keep state

# policy enforcement
pass out on $if_ext inet proto tcp tagged RTR_INET  modulate \
 state flags S/SA
pass out on $if_ext inet proto udp tagged RTR_INET  keep state
pass out on $if_ext inet proto tcp tagged INT_NAT   modulate \
 state flags S/SA
pass out on $if_ext inet proto udp tagged INT_NAT   keep state
pass out on $if_ext inet proto tcp tagged DMZ_NAT   modulate \
 state flags S/SA
pass out on $if_ext inet proto udp tagged DMZ_NAT   keep state
pass out on $if_dmz inet proto tcp tagged VPN_INT   modulate \
 state flags S/SA
pass out on $if_dmz inet proto udp tagged VPN_INT   keep state
pass out on $if_int inet proto tcp tagged VPN_EXT   modulate \
 state flags S/SA
pass out on $if_int inet proto udp tagged VPN_EXT   keep state



Some things were removed, but this should give the general idea.  Still
knocking around to make sure things aren't slipping through that
shouldn't, but working well so far.

You should be able to block/allow whatever traffic you want between the
two networks with rules that follow this format, just specify the dports:

pass in  on $if_enc from $net_int to $net_dmz tag VPN_INT \
 keep state
pass out quick on $if_enc from $net_dmz to $net_int tag VPN_NET

Axton



VPN(8) pf settings

2006-09-12 Thread Gustavo Rios

Dear friends,

I am starting to learn VPN, and I am very confused with some points.
For instance, concerning firewall rules.

It is not clear right now on which interface I should see the
protocols esp, ipencap, ah, etc. I could not figure out on which
interface I should filter tcp, udp and application layer traffic like
dns, http, ftp, ftp-data, etc. between the two networks I am
connecting ...

Thanks in advance.



VPN(8) pf.conf

2006-09-12 Thread Gustavo Rios

While reading the VPN(8) manual page, I could not figure out in what
interface context the following lines apply:

# Pass encrypted traffic to/from security gateways
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B

Thanks for your time and cooperation.

Best regards.



Re: VPN(8)

2006-07-26 Thread Rogier Krieger

On 7/26/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:

 # Pass encrypted traffic to/from security gateways
 pass in proto esp from $GATEWAY_B to $GATEWAY_A
 pass out proto esp from $GATEWAY_A to $GATEWAY_B

In the last two lines above, if I wanted to specify the interface,
which of enc0 or $ext_if should I use?


$ext_if, given the following rationale:

Your external interface will see the packets with ESP payload coming
from / going to the other gateway(s). Inbound, these packets require
processing; outbound, they are the result of processing. Your external
interface cannot - unless you do *very* unwise things - see the
internals of those packets; that's what your enc(4) interfaces can
help you with.


From enc(4):

"The enc interface allows an administrator to see outgoing packets before
they have been processed by ipsec(4), or incoming packets after they have
been similarly processed, via tcpdump(8)."

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
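To make the answer in this thread concrete, here is an added example (not code from any poster, not from vpn(8) or ipsec.conf(5)): a small Python model of pf's last-match-wins rule evaluation, fed the three places pf sees one packet of an inbound tunnel-mode connection on gateway A: the ESP packet on the external interface, then the ipencap layer on enc0, then the decapsulated inner packet on enc0. The addresses, networks and interface names are the ones from the vpn(8) excerpt quoted above; the rule parser covers only the keywords used in this thread; state tracking is not modelled; the packet trace, the client and server addresses, and the 2006-era ipencap stage on enc0 are constructed assumptions (later OpenBSD releases changed what enc(4) presents to pf; check the ipsec.conf(5) of your release). The three rule sets compared are the rules exactly as quoted from vpn(8), the "pass ... on enc0 proto esp" variant asked about, and the placement the replies recommend (ESP on $ext_if, decapsulated traffic on enc0). A rule without "on" applies to every interface, as Kian noted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Topology taken from the vpn(8) excerpt quoted in the thread.
GATEWAY_A, GATEWAY_B = "192.168.1.13", "192.168.1.15"
NETWORK_A, NETWORK_B = "10.0.50.0/24", "10.0.99.0/24"
EXT_IF, ENC_IF = "ne0", "enc0"


@dataclass(frozen=True)
class Packet:
    iface: str           # interface pf evaluates the packet on
    direction: str       # "in" or "out"
    proto: str           # "esp", "ipencap", "tcp", "udp"
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rule(text: str) -> dict:
    """Parse the pf.conf subset used in this thread:
    pass|block [in|out] [quick] [log] [on if | on { if1, if2 }]
    [proto p] [from addr] [to addr] [port n] [all] [keep state]"""
    toks = text.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule = {"action": toks[0], "dir": None, "quick": False, "ifaces": None,
            "proto": None, "src": None, "dst": None, "dport": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            i += 1
            if toks[i] == "{":
                j = toks.index("}", i)
                rule["ifaces"] = set(toks[i + 1:j])
                i = j
            else:
                rule["ifaces"] = {toks[i]}
        elif t in ("proto", "from", "to", "port"):
            i += 1
            key = {"proto": "proto", "from": "src", "to": "dst", "port": "dport"}[t]
            rule[key] = int(toks[i]) if t == "port" else toks[i]
        # "log", "all", "keep", "state" add no match criteria in this model
        i += 1
    return rule


def _addr_match(spec: Optional[str], addr: str) -> bool:
    if spec is None or spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: dict, pkt: Packet) -> bool:
    return ((rule["dir"] is None or rule["dir"] == pkt.direction)
            and (rule["ifaces"] is None or pkt.iface in rule["ifaces"])
            and (rule["proto"] is None or rule["proto"] == pkt.proto)
            and _addr_match(rule["src"], pkt.src)
            and _addr_match(rule["dst"], pkt.dst)
            and (rule["dport"] is None or rule["dport"] == pkt.dport))


def verdict(ruleset: list, pkt: Packet) -> str:
    """pf semantics: the last matching rule wins unless a matching rule is
    marked quick; with no matching rule at all the packet passes."""
    result = "pass"
    for rule in ruleset:
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result


def inbound_tunnel_stages(client="10.0.99.5", server="10.0.50.7", dport=80):
    """Constructed trace: where pf on gateway A sees one packet of a
    tunnel-mode connection from a NETWORK_B client to a NETWORK_A server."""
    return [
        ("esp on ext_if", Packet(EXT_IF, "in", "esp", GATEWAY_B, GATEWAY_A)),
        ("ipencap on enc0", Packet(ENC_IF, "in", "ipencap", GATEWAY_B, GATEWAY_A)),
        ("inner tcp on enc0", Packet(ENC_IF, "in", "tcp", client, server, dport)),
    ]


def trace(rule_texts: list, dport: int = 80) -> dict:
    ruleset = [parse_rule(r) for r in rule_texts]
    return {stage: verdict(ruleset, pkt)
            for stage, pkt in inbound_tunnel_stages(dport=dport)}


VPN8_RULES = [  # the rules exactly as quoted from vpn(8) in the thread
    f"block log on {{ {ENC_IF}, {EXT_IF} }} all",
    f"pass in proto esp from {GATEWAY_B} to {GATEWAY_A}",
    f"pass out proto esp from {GATEWAY_A} to {GATEWAY_B}",
]
# The variant asked about: ESP rules tied to enc0. ESP never appears there.
ENC0_ESP_RULES = VPN8_RULES[:1] + [
    f"pass in on {ENC_IF} proto esp from {GATEWAY_B} to {GATEWAY_A}",
    f"pass out on {ENC_IF} proto esp from {GATEWAY_A} to {GATEWAY_B}",
]
# What the replies recommend: ESP on the external interface, the decapsulated
# traffic (ipencap, then the inner packet) filtered on enc0.
COMPLETE_RULES = VPN8_RULES[:1] + [
    f"pass in on {EXT_IF} proto esp from {GATEWAY_B} to {GATEWAY_A}",
    f"pass out on {EXT_IF} proto esp from {GATEWAY_A} to {GATEWAY_B}",
    f"pass in on {ENC_IF} proto ipencap from {GATEWAY_B} to {GATEWAY_A}",
    f"pass in on {ENC_IF} proto tcp from {NETWORK_B} to {NETWORK_A} port 80",
]

if __name__ == "__main__":
    for name, rules in (("vpn(8) as quoted", VPN8_RULES),
                        ("esp on enc0", ENC0_ESP_RULES),
                        ("complete", COMPLETE_RULES)):
        print(f"{name}: {trace(rules)}")
```

With only the quoted vpn(8) rules the ESP packet passes on ne0 but the block rule on enc0 drops both the ipencap layer and the inner TCP packet, which is why the thread says the real traffic must be passed on enc0; pinning the ESP rules to enc0 instead makes even the ESP packet fail on ne0. With the complete set every stage passes for port 80 and an inner packet to another port is still blocked, which is the per-port control between the two networks the original question asked for. On a real gateway, confirm the same picture with tcpdump on enc0 and on the external interface, and load the rules with pfctl -nf before pfctl -f.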



VPN(8)

2006-07-25 Thread Gustavo Rios

On the manual page for vpn(8), there are lines like:

The pf.conf(5) rules for a tunnel which uses encryption (the ESP IPsec
  protocol) and isakmpd(8) on security gateway A might look like this:

GATEWAY_A = "192.168.1.13"
GATEWAY_B = "192.168.1.15"
NETWORK_A = "10.0.50.0/24"
NETWORK_B = "10.0.99.0/24"

ext_if="ne0"

# default deny
# $ext_if is the only interface going to the outside.
block log on { enc0, $ext_if } all

# Pass encrypted traffic to/from security gateways
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B

...
...
...

In the last two lines above, if I wanted to specify the interface,
which of enc0 or $ext_if should I use?

I mean, this one:
pass in on $ext_if proto esp from $GATEWAY_B to $GATEWAY_A
pass out on $ext_if proto esp from $GATEWAY_A to $GATEWAY_B
Or :
pass in on enc0 proto esp from $GATEWAY_B to $GATEWAY_A
pass out on enc0 proto esp from $GATEWAY_A to $GATEWAY_B


Thanks in advance.



Re: Possible error in vpn(8) man page

2005-12-23 Thread Jason McIntyre
On Fri, Dec 23, 2005 at 12:27:55PM -0500, Will H. Backman wrote:
> According to the vpn(8) man page:
> Paragraph just before section header for Creating IPsec Flows [manual 
> keying]
> 
> "Note that when no authentication and encryption algorithms are defined, 
> ipsecctl(8) will automatically use HMAC-SHA2-256 for authentication and 
> AES-128 in countermode for encryption.  Therefore the authentication key 
> needs to be 256 bits long; the encryption key 128 bits.  For details see 
> ipsec.conf(5)."
> 
> If I create an ipsec.conf file that does not define an authentication or 
> encryption algorithm, I get warnings if my encryption key is less than 
> 160 bits.  Man page states that it must be at least 128.

fixed in -current now. thanks for the mail.
jmc



Possible error in vpn(8) man page

2005-12-23 Thread Will H. Backman

According to the vpn(8) man page:
Paragraph just before section header for Creating IPsec Flows [manual 
keying]


"Note that when no authentication and encryption algorithms are defined, 
ipsecctl(8) will automatically use HMAC-SHA2-256 for authentication and 
AES-128 in countermode for encryption.  Therefore the authentication key 
needs to be 256 bits long; the encryption key 128 bits.  For details see 
ipsec.conf(5)."


If I create an ipsec.conf file that does not define an authentication or 
encryption algorithm, I get warnings if my encryption key is less than 
160 bits.  Man page states that it must be at least 128.