Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Thread Tools Display Modes
  #1   (View Single Post)  
Old 6th June 2008
ales ales is offline
New User
Join Date: May 2008
Posts: 1
Thanked 0 Times in 0 Posts
Default Redirecting ESP packets


One of the users inside our internal network would like to connect via checkpoint VPN software to an outside network. As far as i know we should forward ESP packets to his internal host in our network. Is that possible with pf and openbsd?
Reply With Quote
  #2   (View Single Post)  
Old 6th June 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 4,667
Thanked 214 Times in 189 Posts

Any IP protocol may be used with PF packet filtering rules and redirection rules. The protocol may be specified by number or by name, as defined in /etc/protocols. This includes ESP, IP protocol 50.

The definitive ruleset is in the man page for pf.conf(5). Guidelines and some "How To" information may be obtained from the PF User's Guide, and additional information may also be garnered from Peter Hansteen's recent publication, The Book of PF, which has been getting excellent reviews, and you may also find Jacek Artymiak's Building Firewalls with OpenBSD and PF helpful.
Reply With Quote
  #3   (View Single Post)  
Old 15th June 2008
ohauer ohauer is offline
Port Guard
Join Date: May 2008
Location: germany
Posts: 32
Thanked 2 Times in 2 Posts

If the user use CheckPoint SecuRemote/SecureClient, it is easy to create the rules.

This passage is from the CheckPoint manual.

If a SecuRemote/SecureClients is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow SecuRemote/SecureClient traffic to pass:
Table 1-16 ports to open for non-Check Point firewalls port explanation
UDP port 500       | always, even if using IKE over TCP  
TCP port 500       | only if using IKE over TCP  
IP protocol 50 ESP | unless always using UDP encapsulation  
UDP port 2746      | configurable; only if using UDP encapsulation  
UDP port 259       | only if using MEP, interface resolving or interface High Availability
If you think this are to much, contact the Firewall Administrator at the CheckPoint side and ask if he supports Visitor Mode (HTTPS).
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD, vpnc and packets forwarding problems Tritone OpenBSD General 3 2nd July 2009 09:59 PM
pfsense wireless AP - lost packets AndreyS FreeBSD General 0 7th June 2008 05:38 PM
IPF: Packets Out Of Window bram85 FreeBSD Security 9 2nd June 2008 04:09 PM

All times are GMT. The time now is 09:24 PM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2015, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick