Road Warrior in VPN Purgatory
So I've been trying to get a road warrior IPsec setup (like millions of others) and have pretty much got it done except one little thing...the remote PC can only access the VPN box and ping everything inside but nothing else. I've looked at pf.conf, ipsec.conf, isakmpd.conf and isakmpd.policy to no avail. If anyone could lift me from this IPsec purgatory I would be eternally grateful. Here's the setup:
PC (external) --> OpenBSD 4.4 (VPN/FW Box) --> Internal Net

pf.conf
=======
Code:
ext_if="fxp0"
trunk_if="trunk0"          # Internal Trunk Group
ext_net = "192.168.1.0/24"
int_net = "192.168.0.0/24"
srv_int = "192.168.0.56"   # Internal Server
gw_ext = "10.10.10.1"      # External IP on the VPN
#table <spamd-white> persist

set skip on lo
set skip on enc0
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirection for redir for webserver
rdr on $ext_if proto tcp from any to $gw_ext port { www https } -> $srv_int

block in
pass out
#pass quick on $int_if no state
antispoof quick for { lo $trunk_if }

# Allow ESP encapsulated IPsec traffic on the external interface
pass in on $ext_if proto esp from $ext_net to $gw_ext
pass out on $ext_if proto esp from $gw_ext to $ext_net

# Allow isakmpd(8) traffic on the external interface
pass in on $ext_if proto udp from $ext_net to $gw_ext port {isakmp, ipsec-nat-t}
pass out on $ext_if proto udp from $gw_ext to $ext_net port {isakmp, ipsec-nat-t}

# Allow IP-in-IP traffic between the gateways on the enc(4) interface
pass in on enc0 proto ipencap from $ext_net to $gw_ext keep state (if-bound)
pass out on enc0 proto ipencap from $gw_ext to $ext_net keep state (if-bound)

# Filter unencrypted VPN traffic on the enc(4) interface
pass in on enc0 from $ext_net to $trunk_if:network keep state (if-bound)
pass out on enc0 from $trunk_if:network to $ext_net keep state (if-bound)

# A bunch of port/service rules you don't care about...

# Squid transparent proxy on the VPN box for internal users
pass in on $trunk_if inet proto tcp from $int_net to localhost port 3128
pass out on $ext_if inet proto tcp from localhost to any port www

pass quick on $trunk_if
-----------------------------------------------------------

isakmpd.policy
==============
Code:
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" &&
            pfs == "yes" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" -> "true";
-----------------------------------------------------------

isakmpd.conf
============
Code:
[General]
Listen-On = 10.10.10.1

[Phase 1]
# Default = <ISAKMP-peer>
Default = client

[Phase 2]
# Passive-connections = <IPsec connection>
Passive-connections = client-netB

# <ISAKMP-peer>
[client]
Phase = 1
Transport = udp
# Configuration = <ISAKMP-configuration>
Configuration = Default-main-mode
Authentication = sharedsecret

# <IPsec connection>
[client-netB]
Phase = 2
ISAKMP-peer = client
# Configuration = <IPsec-configuration>
Configuration = Default-quick-mode
# Local-ID = <IPsec-ID>
Local-ID = netB
# Remote-ID = <IPsec-ID>
Remote-ID = client

# <IPsec-ID>
[client]
ID-type = IPV4_ADDR
Address = 0.0.0.0

# <IPsec-ID>
[netB]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0

# <ISAKMP-configuration>
[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = AGGRESSIVE
# Transforms = <ISAKMP-transform>
Transforms = AES-256-SHA

# <IPsec-configuration>
[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
# Suites = <IPsec-suite>
Suites = QM-ESP-AES-256-SHA-PFS-SUITE
---------------------------------------------------

ipsec.conf
==========
Code:
ike passive esp from $gw_ext to $ext_net
ike dynamic esp from $int_net to $ext_net
---------------------------------------------------

So when a PC on the outside connects, it has full access to the VPN box but can't get beyond it inside the int_net. It can however icmp ping inside everywhere. On a box on the inside net, an arp -a yields:
Code:
# arp -a
? (192.168.0.165) at (incomplete) on trunk0
So packets get to the inside boxes from the outside PC, but the internal boxes don't get an arp response for the outside PC. Any help would be EXTREMELY appreciated!
Have you seen http://www.securityfocus.com/infocus/1859?
To check whether pf is blocking, use a default policy of:
Code:
block log all
You can see these packets by using
Code:
tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
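As an added example that is not part of this thread, here is a small Python script (its function names are my own, not from any of the posts) that parses constructed `tcpdump -eni pflog0` lines in the OpenBSD 4.x format and counts the blocked packets headed for the internal net, so you can tell at a glance which rule, interface and direction dropped a road warrior's traffic:

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One `tcpdump -eni pflog0` line: time, matched rule, action, direction,
# interface, then "src[.port] > dst[.port]: summary" (OpenBSD 4.x layout).
PFLOG_RE = re.compile(
    r"^(?P<time>\S+) rule (?P<rule>\d+)/\d*\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>[a-z]+\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if the line is not pflog output."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # tcpdump names icmp/udp in the summary; TCP shows flags instead.
    rest = rec["rest"]
    rec["proto"] = "icmp" if rest.startswith("icmp") else "udp" if rest.startswith("udp") else "tcp"
    return rec

def blocked_to_network(lines, dst_net):
    """Count blocked packets destined for dst_net, keyed by (rule, dir, ifn, proto, src, dst, dport)."""
    net = ip_network(dst_net)
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        if ip_address(rec["dst"]) not in net:
            continue
        counts[(int(rec["rule"]), rec["dir"], rec["ifn"], rec["proto"],
                rec["src"], rec["dst"], rec["dport"] or "-")] += 1
    return counts

# Constructed sample (not a real capture): a road warrior at 192.168.1.50
# reaching the internal server through enc0, plus unrelated noise on fxp0.
SAMPLE = """\
10:01:02.100000 rule 0/(match) block in on enc0: 192.168.1.50.49152 > 192.168.0.56.22: S 1:1(0) win 65535
10:01:03.100000 rule 0/(match) block in on enc0: 192.168.1.50.49153 > 192.168.0.56.22: S 2:2(0) win 65535
10:01:04.200000 rule 0/(match) block in on enc0: 192.168.1.50 > 192.168.0.56: icmp: echo request
10:01:05.000000 rule 0/(match) block in on fxp0: 203.0.113.9.40000 > 10.10.10.1.23: S 3:3(0) win 512
10:01:06.000000 rule 4/(match) pass in on enc0: 192.168.1.50.49154 > 192.168.0.56.80: S 4:4(0) win 65535
"""
if __name__ == "__main__":
    for key, n in sorted(blocked_to_network(SAMPLE.splitlines(), "192.168.0.0/24").items()):
        print("rule %d block %s on %s %s %s -> %s:%s x%d" % (key + (n,)))
```

Feed it a live capture with `tcpdump -eni pflog0 | python3 script.py` adapted to read stdin, or save the capture to a file first; an empty result while the road warrior is hammering the internal net is exactly the "pf isn't the one dropping it" signal the reply above is after.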
Thanks for the reply!
Yes, I've read that article and I've already looked at the tcpdump and logged the block all log. There are no blocked logs generated when the road warrior tries to access the internal servers. Any thoughts?
If pf isn't blocking anything, and assuming your VPN configuration is correct, then it probably is a routing problem.
But if it was a routing issue, ping traffic wouldn't work... correct?