[vpn-help] Policy configuration

Michael Ragusa michael.ragusa at ai.net
Tue Mar 14 03:48:26 CST 2006


Matthew Grooms wrote:

> Michael Ragusa wrote:
>
>> I just tried out the new beta8 client and it was able to establish a 
>> tunnel, but the problem is that I'm not able to ping the internal 
>> gateway or telnet to any services on the gateway's internal interface, 
>> nor am I able to ping any machines on the inside net.
>>
>
> Well, the good news is that it looks like all the negotiations are 
> being completed without an issue and esp transport packets are being 
> emitted from the client. Do you have a firewall running on the 
> gateway? If so, you will need to add rules to allow the 10.246.37.0/24 
> network to communicate with the 10.246.38.0/24 network. Otherwise they 
> will be blocked after ipsec processing. You could try to run a tcpdump 
> on the external interface of your gateway to determine if the NAT-T 
> transport packets are arriving from the client. For example, you could 
> try ...
>
> tcpdump -i <external interface> udp and port 4500
>
> ... and then ping the 10.246.38.1 address. If the packets are getting 
> to the gateway, you should see them in the tcpdump. I can't imagine 
> why they wouldn't be since the same transport/ports are being used for 
> the isakmp negotiations.
>
> What OS and firewall package are you running?
>
> -Matthew
>
>
>
FreeBSD lance.ai.net 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Sun Feb 
12 17:46:15 EST 2006     ainet@:/usr/obj/usr/src/sys/ROUTER  i386

My pf rules are:

# IPSEC options
# IPsec protocols themselves (ESP, AH, IP-in-IP)
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
# NAT-T (UDP 4500) and ISAKMP (UDP 500) control/carrier traffic
pass in quick proto udp from any to any port = 4500
pass in quick proto udp from any port = 500 to any port = 500
# Tunnel interface
pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any to any port = 4500
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif0 from any to any

The ESP packets get sent from the client, but nothing comes back from the 
gateway.
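Matthew's point about filtering after IPsec processing, as an added example that is not part of the thread: a small Python model of pf's first-match evaluation over the 'pass in' rules posted above, showing that the NAT-T carrier packet passes while the decapsulated ping from the 10.246.37.0/24 client pool to 10.246.38.1 matches no rule until one for the inner networks is added. The interface name em0, the two NAT-T endpoint addresses and the implicit block default are assumptions, not details from the post.

```python
# Added example, not code from the thread: a toy evaluator for the 'pass in'
# rules posted above. It supports only the rule forms used in the post (all of
# them 'quick', so first match wins) and is not a real pf parser; it assumes an
# implicit 'block' default, as the reply implies, and an external interface em0.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out) quick"
    r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port = (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\d+))?$")
POSTED_IN_RULES = """
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any to any port = 4500
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
"""
# The rule the reply calls for: let the client pool reach the inside net.
FIX_RULE = "pass in quick from 10.246.37.0/24 to 10.246.38.0/24\n"
# Constructed packets as pf sees them on em0: the NAT-T carrier, then the
# decapsulated ping that FreeBSD re-filters after IPsec processing.
NAT_T = dict(dir="in", iface="em0", proto="udp", src="203.0.113.5", sport=4500,
             dst="198.51.100.1", dport=4500)
INNER_PING = dict(dir="in", iface="em0", proto="icmp", src="10.246.37.10",
                  sport=None, dst="10.246.38.1", dport=None)

def parse_rules(text):
    """Parse rule lines in order; pf evaluates them top to bottom."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        rules.append(m.groupdict())
    return rules
def _match(r, p):
    """p is a packet dict with keys dir, iface, proto, src, sport, dst, dport."""
    def addr(spec, ip):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and addr(r["src"], p["src"]) and addr(r["dst"], p["dst"])
            and r["sport"] in (None, str(p["sport"]))
            and r["dport"] in (None, str(p["dport"])))
def evaluate(rules, pkt):
    """First matching rule decides; with no match the assumed default blocks."""
    return next((r["action"] for r in rules if _match(r, pkt)), "block")
```

Running `evaluate(parse_rules(POSTED_IN_RULES), INNER_PING)` returns "block" while the same call on `POSTED_IN_RULES + FIX_RULE` returns "pass", which matches the symptom in the thread: ESP arrives, but the inner packets go nowhere.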