DaemonForums > OpenBSD > OpenBSD Security
#1
19th November 2012
EverydayDiesel
Shell Scout
Join Date: Jan 2009
Posts: 101

Help Enabling Cisco VPN Client Traffic on PF

At home I use the Cisco VPN client to remote into work. Can anyone PLEASE help me enable this type of traffic in PF?

Help is greatly appreciated.

http://www.cisco.com/en/US/products/...308/index.html

Thanks


Code:
# External (PPPoE) and internal interfaces
EXT="pppoe0"
INT="re1"

INT_NET="{ 192.168.0.0/24 }"

# Outbound destination ports permitted from the LAN
TCP_PORTS="{ www ssh }"
UDP_PORTS="domain"

set block-policy drop
set skip on lo0

# NAT for the LAN (pre-4.7 "nat on" syntax; OpenBSD 4.7 and later use
# "match out on $EXT from $INT_NET to any nat-to ($EXT:0)")
nat on $EXT from $INT_NET -> ($EXT:0)
match on $EXT scrub (reassemble tcp max-mss 1440)

block log all

# Only traffic tagged on its way in from the LAN may leave through the
# external interface; the tag name must match the "tag" set below
pass out on $EXT tagged OUT_OK

pass in on $INT inet proto tcp from $INT_NET to any port $TCP_PORTS tag OUT_OK
pass in on $INT inet proto udp from $INT_NET to any port $UDP_PORTS tag OUT_OK
#2
19th November 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,608

The Cisco VPN client uses IPSec. The protocols used with IPSec are UDP, AH, and ESP. Likely, however, only ESP and UDP will be utilized in this particular VPN solution.

You will need to add a pass inbound for ESP traffic. ESP doesn't use ports, so its syntax will not include port numbers. Passing the traffic inbound and outbound will be required. Your client will initiate the connection, so PF's stateful tracking should route the traffic to your workstation appropriately.

The UDP protocol is used for key exchange and key management. UDP port 500 is the primary port for key exchanges; port 4500 is used for NAT Traversal, which may be required. These should be passed as well; however, stateful processing should manage that if your client initiates the connection.

Your OpenBSD ipsec(4) man page may be helpful to you.

Last edited by jggimi; 19th November 2012 at 06:02 PM. Reason: clarity, simplifying solution
#3
19th November 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,608

I'm not sure I was sufficiently clear, so I'll try to add more information.

Per your pf.conf, all outbound traffic is currently permitted, regardless of source. But traffic inbound is only permitted on the internal network for a limited set of UDP and TCP destination ports. No inbound traffic from the external interface is permitted, unless applicable to an existing state.
  • ESP needs to be passed, both directions. At the moment, it's not permitted at all.
  • UDP destination ports 500 and 4500 need to be passed in both directions.
While I'm not sure what NAT traversal techniques might be needed other than merely having destination port 4500 open in both directions, it's my belief (without testing) that you won't need more than that.
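The rules jggimi lists in posts #2 and #3, written out as an added pf.conf example (not posted by anyone in this thread). It keeps the original poster's interface names and tag scheme, uses the OpenBSD 4.7+ NAT syntax (nat-to in a match rule), and assumes a workstation address of 192.168.0.10 for the host running the Cisco client:

```pf
# Added example (not from the thread): pf.conf fragment passing a Cisco IPsec
# client out through PF NAT. Assumes OpenBSD 4.7+ syntax (nat-to in a match
# rule) and the poster's interface/tag names; the client address is assumed.
EXT="pppoe0"
INT="re1"
INT_NET="{ 192.168.0.0/24 }"
VPN_CLIENT="192.168.0.10"        # assumed: workstation running the Cisco client
IKE_PORTS="{ 500 4500 }"         # IKE (500) and NAT-T (4500), both UDP

set block-policy drop
set skip on lo0

match out on $EXT from $INT_NET to any nat-to ($EXT:0)
match on $EXT scrub (reassemble tcp max-mss 1440)

block log all

# Traffic tagged on its way in from the LAN may leave through the external interface.
pass out on $EXT tagged OUT_OK

# Key exchange and NAT-T: UDP to ports 500 and 4500, restricted to the VPN host.
pass in on $INT inet proto udp from $VPN_CLIENT to any port $IKE_PORTS tag OUT_OK

# ESP (IP protocol 50) and AH (51) carry no ports, so these rules name only the
# protocol. PF keeps state on the address pair, and because state entries are
# floating by default, the gateway's replies arriving on $EXT match that state
# without a separate "pass in on $EXT" rule.
pass in on $INT inet proto esp from $VPN_CLIENT to any tag OUT_OK
pass in on $INT inet proto ah from $VPN_CLIENT to any tag OUT_OK
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. If the client still fails, the `tcpdump -n -e -ttt -i pflog0` command mentioned later in the thread shows what `block log all` is dropping; a filter such as `proto esp or udp port 500 or udp port 4500` narrows it to the IPsec traffic.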
#4
26th February 2013
EverydayDiesel
Shell Scout
Join Date: Jan 2009
Posts: 101

Thanks for the reply

I enabled ESP, UDP and AH but I still was not able to connect. (If I bypass OpenBSD it works fine)

I am not sure what else to do.

EDIT: I just saw where you can monitor the firewall activity with
Code:
tcpdump -n -e -ttt -i pflog0
so I will do that when I get home
#5
26th February 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,608

You did not post your revised pf.conf.

Do you have rdr-to rule(s) to redirect the incoming UDP traffic with destination UDP ports 500 and 4500 to your workstation running the Cisco VPN client?

Are you passing traffic using protocols ESP and AH?

http://en.wikipedia.org/wiki/NAT_tra...rsal_and_IPsec
#6
26th February 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,608

Let me revise that - NAT Traversal, in the most common implementation (NAT-T), encapsulates the IPSec traffic within UDP. Passing ESP/AH traffic might not be necessary.
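The rdr-to question from post #5 and the NAT-T point from post #6, as an added pf.conf example that nobody in the thread posted. It assumes the same interface names and OpenBSD 4.7+ syntax as above, a hypothetical client address of 192.168.0.10, and a hypothetical work VPN gateway at 203.0.113.1 (a documentation-range address); because NAT-T carries the ESP payload inside UDP 4500, this variant has no ESP or AH rules at all:

```pf
# Added example (not from the thread). With NAT-T, IKE and the ESP payload both
# travel inside UDP (ports 500 and 4500), so a NAT-T tunnel needs no ESP/AH
# rules. A client-initiated session creates state that covers the replies; the
# rdr-to below only matters for unsolicited packets from the gateway arriving
# at the external address when no state exists.
EXT="pppoe0"
INT="re1"
INT_NET="{ 192.168.0.0/24 }"
VPN_CLIENT="192.168.0.10"        # assumed address of the host running the Cisco client
VPN_GATEWAY="203.0.113.1"        # assumed (documentation range) address of the work VPN gateway
IKE_PORTS="{ 500 4500 }"

set block-policy drop
set skip on lo0

match out on $EXT from $INT_NET to any nat-to ($EXT:0)
block log all
pass out on $EXT tagged OUT_OK

# Outbound IKE/NAT-T from the client to the known gateway; state covers the answers.
pass in on $INT inet proto udp from $VPN_CLIENT to $VPN_GATEWAY port $IKE_PORTS tag OUT_OK

# Unsolicited IKE/NAT-T from the known gateway only, redirected to the client.
# A pass rule with rdr-to creates state as well, so the redirected packet is
# allowed out on $INT without a separate pass rule there. Logging it makes any
# unexpected use of the redirect visible on pflog0.
pass in log on $EXT inet proto udp from $VPN_GATEWAY to ($EXT) port $IKE_PORTS rdr-to $VPN_CLIENT
```

Limiting the redirect to the gateway's address is deliberate: an unrestricted `from any` rdr-to would expose the workstation's IKE ports to the whole internet, which nothing in the thread requires.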