
List:       ipfilter
Subject:    Re: NATing IPsec
From:       "Greg" <codewolf () earthlink ! net>
Date:       2001-08-30 2:36:12

Ok, so this one worked out ok. However, there is still a problem,
and I do not know if it is VPN related or if it is the firewall setup.

Below is the output of my xl1 and xl0 dumps.
The problem I am noticing is that after I get the initial connection
I do not communicate any more.
I can send stuff to the server, but I do not seem to get any reply.

I do not know that much about IPsec, so I would like to know
if this log looks ok to you guys.


xl1

19:11:54.350225 InternalHostIP.500 > VPNServer.500: isakmp: phase 1 I agg: [|sa]
19:11:54.419525 VPNServer.500 > InternalHostIP.500: isakmp: phase 1 R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
19:11:54.420478 InternalHostIP.500 > VPNServer.500: isakmp: phase 1 I agg: [|sa]
19:11:54.677922 VPNServer.500 > InternalHostIP.500: isakmp: phase 1 R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
19:11:54.714513 InternalHostIP.500 > VPNServer.500: isakmp: phase 1 I agg: [|sa]
19:11:55.149985 VPNServer.500 > InternalHostIP.500: isakmp: phase 1 R agg: [|sa]
19:11:55.188731 InternalHostIP.500 > VPNServer.500: isakmp: phase 1 I agg[E]: [|hash]
19:11:55.342477 VPNServer.500 > InternalHostIP.500: isakmp: phase 2/others R #6[E]: [|hash]
19:11:55.346752 InternalHostIP.500 > VPNServer.500: isakmp: phase 2/others I #6[E]: [|hash]
19:11:55.593948 VPNServer.500 > InternalHostIP.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
19:11:55.664566 InternalHostIP.500 > VPNServer.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
19:11:55.882584 VPNServer.500 > InternalHostIP.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
19:11:55.888708 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x1)
19:11:56.111254 VPNServer > InternalHostIP: ESP(spi=0x001cad1b,seq=0x1)
19:11:56.111829 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x2)
19:11:56.336979 VPNServer > InternalHostIP: ESP(spi=0x001cad1b,seq=0x2)
19:11:56.337477 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x3)
19:11:56.346326 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x4)
19:11:56.411001 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x5)
19:11:56.631957 VPNServer > InternalHostIP: ESP(spi=0x001cad1b,seq=0x3)
19:11:56.726091 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x6)
19:11:56.818637 VPNServer > InternalHostIP: ESP(spi=0x001cad1b,seq=0x4)
19:11:56.819200 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x7)
19:11:56.836024 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x8)
19:11:57.087754 VPNServer > InternalHostIP: ESP(spi=0x001cad1b,seq=0x5)
19:11:57.088146 VPNServer > InternalHostIP: ESP(spi=0x001cad1b,seq=0x6)
19:11:57.088600 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x9)
19:11:57.106624 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0xa)
19:11:59.724988 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0xb)
19:12:00.899047 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0xc)
19:12:00.899193 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0xd)
19:12:00.899333 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0xe)
19:12:01.650730 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0xf)
19:12:01.650877 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x10)
19:12:01.651016 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x11)
19:12:01.901204 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x12)
19:12:01.901369 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x13)
19:12:02.400712 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x14)
19:12:02.400858 InternalHostIP > VPNServer: ESP(spi=0x00210745,seq=0x15)



xl0

19:29:50.168021 ExternalIp.500 > VPNServer.500: isakmp: phase 1 I agg: [|sa]
19:29:50.244592 VPNServer.500 > ExternalIp.500: isakmp: phase 1 R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
19:29:50.245820 ExternalIp.500 > VPNServer.500: isakmp: phase 1 I agg: [|sa]
19:29:50.473484 VPNServer.500 > ExternalIp.500: isakmp: phase 1 R inf:
    (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
19:29:50.508752 ExternalIp.500 > VPNServer.500: isakmp: phase 1 I agg: [|sa]
19:29:50.873761 VPNServer.500 > ExternalIp.500: isakmp: phase 1 R agg: [|sa]
19:29:50.912569 ExternalIp.500 > VPNServer.500: isakmp: phase 1 I agg[E]: [|hash]
19:29:51.065026 VPNServer.500 > ExternalIp.500: isakmp: phase 2/others R #6[E]: [|hash]
19:29:51.066227 ExternalIp.500 > VPNServer.500: isakmp: phase 2/others I #6[E]: [|hash]
19:29:51.304863 VPNServer.500 > ExternalIp.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
19:29:51.374547 ExternalIp.500 > VPNServer.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
19:29:51.640138 VPNServer.500 > ExternalIp.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
19:29:51.646682 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x1)
19:29:51.788890 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x1)
19:29:51.789750 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x2)
19:29:51.867500 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x2)
19:29:51.869720 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x3)
19:29:51.879112 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x4)
19:29:51.971904 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x5)
19:29:52.084046 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x3)
19:29:52.117513 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x4)
19:29:52.118354 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x6)
19:29:52.124217 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x7)
19:29:52.362628 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x5)
19:29:52.364071 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x6)
19:29:52.364512 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x7)
19:29:52.365190 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x8)
19:29:52.389637 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x9)
19:29:52.418863 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0xa)
19:29:53.786352 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0xb)
19:29:55.418601 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0xc)
19:29:56.738501 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0xd)
19:29:58.418337 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0xe)
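As an added example (not part of Greg's or Frank's mail), a small Python summary of the ESP traffic in a tcpdump like the xl0 dump above: it counts packets per direction and SPI, checks the ESP sequence numbers for gaps, and reports how many outbound ESP packets followed the last inbound one. The sample dump is constructed from the xl0 lines above with sequence numbers renumbered to keep it short; `ExternalIp` and `VPNServer` are the post's own placeholders for the box's external address and the peer.

```python
import re
from collections import Counter

# Constructed sample modelled on the xl0 dump above (ESP sequence numbers
# renumbered); the ISAKMP line and its wrapped continuation are kept deliberately.
XL0_DUMP = """\
19:29:51.640138 VPNServer.500 > ExternalIp.500: isakmp: phase 2/others R
oakley-quick[E]: [|hash]
19:29:51.646682 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x1)
19:29:51.788890 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x1)
19:29:51.789750 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x2)
19:29:51.867500 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x2)
19:29:51.869720 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x3)
19:29:52.084046 VPNServer > ExternalIp: ESP(spi=0x0023708e,seq=0x3)
19:29:52.118354 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x4)
19:29:53.786352 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x5)
19:29:55.418601 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x6)
19:29:58.418337 ExternalIp > VPNServer: ESP(spi=0x001d172d,seq=0x7)
"""

ESP_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2}\.\d+) (\S+) > (\S+): "
                    r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)$")

def parse_esp(dump):
    """Yield (seconds since midnight, src, dst, spi, seq) for each ESP line."""
    for line in dump.splitlines():
        m = ESP_RE.match(line)
        if not m: continue  # isakmp lines and wrapped fragments are not ESP
        ts, src, dst, spi, seq = m.groups()
        h, mi, s = ts.split(":")
        yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(spi, 16), int(seq, 16)

def esp_health(dump, ours, peer):
    """Per-direction ESP summary for the tunnel between ours (this box's address
    as seen on the captured interface) and peer. On the external interface, a
    growing unanswered_tail with no seq_gaps means the peer's replies never
    reached the wire here, so the cause is upstream, not the local nat/filter."""
    counts, spi, prev_seq = Counter(), {}, {}
    gaps, tail, last_in, last = 0, 0, None, None
    for t, src, dst, s, seq in parse_esp(dump):
        if {src, dst} != {ours, peer}: continue  # some other flow on the wire
        d = "out" if src == ours else "in"
        counts[d] += 1
        spi.setdefault(d, s)  # first SPI seen in each direction
        if s in prev_seq and seq != prev_seq[s] + 1: gaps += 1  # missing from capture
        prev_seq[s] = seq
        tail = 0 if d == "in" else tail + 1  # outbound packets since the last reply
        last_in, last = (t if d == "in" else last_in), t
    return {"out": counts["out"], "in": counts["in"], "spi": spi, "seq_gaps": gaps,
            "unanswered_tail": tail,
            "silent_seconds": None if last_in is None else round(last - last_in, 3)}
```

Run it against each interface's dump separately; comparing the xl1 and xl0 results shows whether the translated ESP leaves the box and whether anything comes back.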



----- Original Message -----
From: Frank Volf <volf@oasis.IAEhv.nl>
To: Greg <codewolf@earthlink.net>
Cc: Frank Volf <volf@oasis.IAEhv.nl>; <ipfilter@coombs.anu.edu.au>
Sent: Tuesday, August 28, 2001 10:12 AM
Subject: Re: NATing IPsec


>
> Thanks for all the data :-) From your tcpdump it appears that the esp
> packets do not have their IP address changed to the external IP address
> of your IP box. Is that correct? In that case this ipsec proxy seems pretty
> worthless to me.
>
> Try to add the following line to your IP nat config:
>
> map xl0 InternalHostIP/32 port 0 -> ExeternalIp/32 port 0 esp
>
> to explicitly translate the esp packets going out.
>
> Frank
>
>
> Greg wrote:
> >
> > ----- Original Message -----
> > From: Frank Volf <volf@oasis.IAEhv.nl>
> > To: Furmanek, Greg <Greg.Furmanek@hit.cendant.com>
> > Cc: <ipfilter@coombs.anu.edu.au>
> > Sent: Monday, August 27, 2001 9:33 AM
> > Subject: Re: NATing IPsec
> >
> >
> > > Furmanek, Greg wrote:
> > > > Maybe the last e-mail got lost somewhere.
> > >
> > > No it did not, but it would help if you had provided a little more
> > > information, like the OS you are running, the IP filter version that you
> > > are running, your filter and nat rules, the output of ipnat -lv, the blocked
> > > packets that you are seeing etc.
> >
> > Please forgive me for the lack of info.
> > Here it is:
> >
> > Box:
> > i386 (Pentium 166)
> >
> > OS:
> > 4.3-20010816-STABLE FreeBSD
> >
> > Ipf -V:
> > ipf: IP Filter: v3.4.20 (264)
> > Kernel: IP Filter: v3.4.20
> > Running: yes
> > Log Flags: 0 = none set
> > Default: block all, Logging: available
> > Active list: 0
> >
> > ipnat.rules:
> > rdr xl0 ExeternalIp/32 port 0 -> InternalHostIP port 0 esp
> > map xl0 InternalHostIP/32 -> ExeternalIp/32 proxy port isakmp ipsec/udp
> >
> > map xl0 InternalNetworkIP/24 -> ExeternalIp/32 proxy port ftp ftp/tcp
> > map xl0 InternalNetworkIP/24 -> ExeternalIp/32 portmap tcp/udp 20000:30000
> >
> > ipf.rules:
> > block in from any to any
> > block out from any to any
> >
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > pass in quick on xl0 proto esp from destip/32 to any
> > pass out quick on xl0 proto esp from any to destip
> >
> > pass in quick on xl1 proto esp from InternalHostIp to any
> > pass out quick on xl1 proto esp from any to InternalHostIp
> >
> > pass in quick on xl1 proto udp from InternalHostIp to destip port = 500 keep state
> > pass in quick on xl0 proto udp from destip to any port = 500 keep state
> >
> > block return-rst in log level auth.info quick on xl0 proto tcp from any to externalIp/32
> > block return-rst in log level auth.info quick on xl0 proto tcp from any to externalIp2/32
> > block return-icmp(port-unr) in log level auth.info quick on xl0 proto udp from any to externalIp/32
> > block return-icmp(port-unr) in log level auth.info quick on xl0 proto udp from any to externalIp2/32
> >
> > block in log level auth.info quick on xl0 proto icmp from any to externalIp/32
> > block in log level auth.info quick on xl0 proto icmp from any to externalIp2/32
> > block in quick on xl0
> >
> > pass out quick on xl0 proto tcp from any to any keep state
> > pass out quick on xl0 proto udp from any to any keep state
> > pass out quick on xl0 proto icmp from any to any keep state
> >
> > block in log level auth.info quick on xl1 proto tcp from any to InternalIp/32 port = 21
> >
> > pass in quick on xl1 from InternalHostIp/32 to InternalIp/32
> > block in quick on xl1 from any to InternalIp/32
> >
> > pass in quick on xl1 proto tcp from InternalNetworkIp/24 to any keep state
> > pass in quick on xl1 proto udp from InternalNetworkIp/24 to any keep state
> > pass in quick on xl1 proto icmp from InternalNetworkIp/24 to any keep state
> >
> > pass out quick on xl1 from InternalIp/32 to any
> >
> > # ipnat -lv
> > List of active MAP/Redirect filters:
> > rdr xl0 ExternalIP/32  -> InternalHostIP
> > map xl0 InternalHostIP/32  -> ExternalIP/32  proxy port isakmp ipsec/udp
> > map xl0 InternalNetIP/24  -> ExternalIP/32  proxy port ftp ftp/tcp
> > map xl0 InternalNetIP/24  -> ExternalIP/32  portmap tcp/udp 20000:30000
> >
> > List of active sessions:
> > MAP InternalHostIP     500   <- -> ExternalIP     500   [VPNHOST]
> >         age 7178 use 0 sumd 0xd045/0xd045 pr 17 bkt 59/88 flags 2 bytes 3092 pkts 13
> >         proxy ipsec/17 use 1 flags 0
> >                 proto 17 flags 0 bytes 3092 pkts 13 data 0xc08becc0 psiz 4
> > MAP InternalHostIP     1247  <- -> ExternalIP     22663 [HTTP HOST]
> >         age 18 use 0 sumd 0x23ee/0x23ee pr 6 bkt 106/27 flags 1 bytes 37111 pkts 46
> > MAP InternalHostIP     1246  <- -> ExternalIP     22662 [MAIL HOST]
> >         age 435 use 0 sumd 0x23ee/0x23ee pr 6 bkt 114/35 flags 1 bytes 86845 pkts 188
> > MAP InternalHostIP     1026  <- -> ExternalIP     22421 [MAIL HOST]
> >         age 187 use 0 sumd 0x23d9/0x23d9 pr 6 bkt 55/64 flags 1 bytes 2263379 pkts 4705
> >
> > List of active host mappings:
> > InternalHostIP -> ExternalIP (use = 1 hv = 64)
> > InternalHostIP -> ExternalIP (use = 3 hv = 64)
> >
> >
> > >
> > > > Why isn't my box natting the connection?
> > > > Is there any way to fix it?
> > >
> > > Well, I'm not an IPSec expert, but as far as I know the ISAKMP protocol is
> > > using udp port 500 and there is really nothing special about it (correct me
> > > if I'm wrong). Glancing at the code of ip_ipsec_pxy.c this suspicion seems
> > > confirmed; it does not seem to do any manipulation with/based on the data
> > > stream of the IKE protocol.
> > >
> >
> > You are correct.  This is not the part I am having problems with.
> >
> > The problem arises from the rdr rule:
> >
> > tcpdump -n -i xl0
> > # tcpdump -i xl0 -n
> > tcpdump: listening on xl0
> > 23:03:50.173682 ExternalIP.500 > VPNServerIP.500: isakmp: phase 1 I agg: [|sa]
> > 23:03:50.244693 VPNServerIP.500 > ExternalIP.500: isakmp: phase 1 R inf:
> >     (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
> > 23:03:50.248296 ExternalIP.500 > VPNServerIP.500: isakmp: phase 1 I agg: [|sa]
> > 23:03:50.350784 VPNServerIP.500 > ExternalIP.500: isakmp: phase 1 R inf:
> >     (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
> > 23:03:50.386863 ExternalIP.500 > VPNServerIP.500: isakmp: phase 1 I agg: [|sa]
> > 23:03:50.596989 VPNServerIP.500 > ExternalIP.500: isakmp: phase 1 R agg: [|sa]
> > 23:03:50.640647 ExternalIP.500 > VPNServerIP.500: isakmp: phase 1 I agg[E]: [|hash]
> > 23:03:50.784328 VPNServerIP.500 > ExternalIP.500: isakmp: phase 2/others R #6[E]: [|hash]
> > 23:03:50.788217 ExternalIP.500 > VPNServerIP.500: isakmp: phase 2/others I #6[E]: [|hash]
> > 23:03:51.077402 VPNServerIP.500 > ExternalIP.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
> > 23:03:51.150379 ExternalIP.500 > VPNServerIP.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
> > 23:03:51.279076 VPNServerIP.500 > ExternalIP.500: isakmp: phase 2/others R oakley-quick[E]: [|hash]
> > 23:03:51.285272 VPNCLientIP > VPNServerIP: ESP(spi=0x0017b0ae,seq=0x1)
> > 23:03:51.887623 VPNCLientIP > VPNServerIP: ESP(spi=0x0017b0ae,seq=0x2)
> > 23:03:54.202382 VPNCLientIP > VPNServerIP: ESP(spi=0x0017b0ae,seq=0x3)
> >
> > The VPNClientIP is a box in the internal network.
> >
> > > So, I'm wondering if you cannot simply use map and rdr:
> > >
> > > map extinterface 192.168.1.5 port 500 -> extipaddress port 500 udp
> > > rdr extinterface extipaddress port 0 -> 192.168.1.5 port 0 esp
> > >
> > > Hope this helps.
> > >
> > > Frank
> > >
> >

