Pontus
March 13th, 2003, 18:16
Hi!

I have a machine that's behind an OpenBSD NAT gw, and this machine needs to connect to a VPN server out on the internet... But this doesn't work, I don't know what's wrong. If I change the NAT box to a simple Netgear firewall (RP614), that also uses NAT, this works... But as soon as I put back the OpenBSD box it stops working...

It's a standard installation of OpenBSD 3.1

My pf.conf:
pass in all
pass out all

My nat.conf:
nat on ep1 from 192.168.1.0/24 to any -> $outside_ip

# sysctl -a |grep net:
net.inet.ip.forwarding = 1
net.inet.ip.redirect = 1
net.inet.ip.ttl = 64
net.inet.ip.sourceroute = 0
net.inet.ip.directed-broadcast = 0
net.inet.ip.portfirst = 1024
net.inet.ip.portlast = 49151
net.inet.ip.porthifirst = 49152
net.inet.ip.porthilast = 65535
net.inet.ip.maxqueue = 300
net.inet.ip.encdebug = 0
net.inet.ip.ipsec-expire-acquire = 30
net.inet.ip.ipsec-invalid-life = 60
net.inet.ip.ipsec-pfs = 1
net.inet.ip.ipsec-soft-allocs = 0
net.inet.ip.ipsec-allocs = 0
net.inet.ip.ipsec-soft-bytes = 0
net.inet.ip.ipsec-bytes = 0
net.inet.ip.ipsec-timeout = 86400
net.inet.ip.ipsec-soft-timeout = 80000
net.inet.ip.ipsec-soft-firstuse = 3600
net.inet.ip.ipsec-firstuse = 7200
net.inet.ip.ipsec-enc-alg = aes
net.inet.ip.ipsec-auth-alg = hmac-sha1
net.inet.ip.mtudisc = 1
net.inet.ip.mtudisctimeout = 600
net.inet.ip.ipsec-comp-alg = deflate
net.inet.icmp.maskrepl = 0
net.inet.icmp.bmcastecho = 0
net.inet.icmp.errppslimit = 100
net.inet.icmp.rediraccept = 1
net.inet.icmp.redirtimeout = 600
net.inet.ipip.allow = 0
net.inet.tcp.rfc1323 = 1
net.inet.tcp.keepinittime = 150
net.inet.tcp.keepidle = 14400
net.inet.tcp.keepintvl = 150
net.inet.tcp.slowhz = 2
net.inet.tcp.baddynamic = 587,749,750,751,760,761,871
net.inet.tcp.recvspace = 16384
net.inet.tcp.sendspace = 16384
net.inet.tcp.sack = 1
net.inet.tcp.mssdflt = 512
net.inet.tcp.rstppslimit = 100
net.inet.tcp.ackonpush = 0
net.inet.udp.checksum = 1
net.inet.udp.baddynamic = 587,749
net.inet.udp.recvspace = 41600
net.inet.udp.sendspace = 9216
net.inet.gre.allow = 0
net.inet.gre.wccp = 0
net.inet.esp.enable = 1
net.inet.ah.enable = 1
net.inet.mobileip.allow = 0
net.inet.etherip.allow = 0
net.inet.ipcomp.enable = 0
net.inet6.ip6.forwarding = 0
net.inet6.ip6.redirect = 1
net.inet6.ip6.hlim = 64
net.inet6.ip6.maxfragpackets = 200
net.inet6.ip6.accept_rtadv = 0
net.inet6.ip6.keepfaith = 0
net.inet6.ip6.log_interval = 5
net.inet6.ip6.hdrnestlimit = 50
net.inet6.ip6.dad_count = 1
net.inet6.ip6.auto_flowlabel = 1
net.inet6.ip6.defmcasthlim = 1
net.inet6.ip6.kame_version = OpenBSD-current
net.inet6.ip6.use_deprecated = 1
net.inet6.ip6.rr_prune = 5
net.inet6.icmp6.rediraccept = 1
net.inet6.icmp6.redirtimeout = 600
net.inet6.icmp6.nd6_prune = 1
net.inet6.icmp6.nd6_delay = 5
net.inet6.icmp6.nd6_umaxtries = 3
net.inet6.icmp6.nd6_mmaxtries = 3
net.inet6.icmp6.nd6_useloopback = 1
net.inet6.icmp6.nodeinfo = 1
net.inet6.icmp6.errppslimit = 100
net.inet6.icmp6.nd6_maxnudhint = 0
net.inet6.icmp6.mtudisc_hiwat = 1280
net.inet6.icmp6.mtudisc_lowat = 256
net.inet6.icmp6.nd6_debug = 0


Please, please help!!!!
Regards // Pontus

bsdjunkie
March 13th, 2003, 18:56
Can you post your IPSEC config files that are used to talk to the VPN?

Pontus
March 15th, 2003, 10:33
Hi bsdjunkie!

Just for your knowledge, the VPN software is some Windows app, I don't know what it is, or what protocol it uses (or how the handshake and key exchange works)... But it works with Netgear's "Basic NAT"... On Netgear's homepage it says that the RP614 supports "VPN pass-through (IPSec, L2TP)", is this something OpenBSD doesn't support??

Thanks!
Pontus

socomm
March 15th, 2003, 10:40
Does this (http://www.tldp.org/HOWTO/VPN-HOWTO/) help at all?

Pontus
March 15th, 2003, 15:08
Ehm, nope, thanks anyway!!!

bsdjunkie
March 15th, 2003, 15:48
AFAIK, the VPN pass-through on those routers just allows ipsec encrypted traffic to go through it. It does not actually give you a VPN setup, especially if you were not asked to fill out an SA or given a preshared key. Right now it sounds like your NAT isn't set up correctly in the config. Instead of $outside_ip try the interface name itself or the actual IP address. I don't know why, but I've seen pf freak out a lot on $variables in some places.
:roll:

elmore
March 15th, 2003, 16:57
Maybe post up your ruleset so we can take a look at it. I'm sure we can get it all worked out.

|MiNi0n|
March 15th, 2003, 20:47
elmore's right... post your ruleset and we'll be able to help.

I'll bet you're not allowing the esp and udp traffic through for VPNs.

elmore
March 18th, 2003, 13:31
Hey I'd like to help out here. Any chance you'll be posting up that ruleset soon?

Pontus
March 21st, 2003, 12:15
Ehm, nope, thanks anyway!!!

elmore
March 21st, 2003, 12:22
I don't know why you wouldn't want to post your ruleset but ok, whatever. Look at the following and make sure you have this in your ruleset for your outgoing rules.

[code]
# Allow isakmp
pass in quick on $ExtIF inet proto udp from any to any port = 500
pass in quick on $ExtIF inet proto esp from any to any

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
# ALSO ALLOW isakmp outgoing
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp from any to any port = 500
pass out on $ExtIF inet proto esp from any to any
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
[/code]

Pay special attention to the port 500 rules and the esp rule above; without those your VPN will most likely not work.

Pontus
March 21st, 2003, 12:56
Why doesn't the sorting of the replies work? It's different every time I look :-(

Anyway, the "Ehm, nope, thanks anyways" was for socomm's "Those this help at all?" post.

As for my rulesets it looks like this:

pf.conf:
pass in all
pass out all

nat.conf:
nat on ep1 from 192.168.1.0/24 to any -> $outside_ip


The nat'ing works (as far as I know anyway; web browsing, ftp, ssh work fine)..

I was tipped to use "keep state" on my "pass out all" rule in pf.conf, I haven't been able to test this yet, but do you guys think it might help?

Elmore, thanks for your rules!! Will a "pass out all keep state" do the same thing as your rules (except it might be less secure)?

Thanks to all of you for helping me!!!
Regards // Pontus

elmore
March 21st, 2003, 13:09
That's the damn second report today that the board is acting weird. I'm checking it out. Sorry about that Pontus. Yup, those are the outgoing rules I use on all my firewalls, they all run VPNs so I think that's good. Here's a complete ruleset. It's a default deny in so it's secure for sure. It is very unrestrictive for outgoing traffic however. Which I like.

[code]
# Define useful variables
ExtIF="fxp0" # External Interface
sshHost="xxx.xxx.xxx.xxx" # Allow ssh from a specific host
NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Clean up fragmented and abnormal packets
scrub in all

#nat goes here now
nat on $ExtIF from 10.100.1.0/24 to any -> xxx.xxx.xxx.xxx

# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# block various nmap shyte
block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
block in quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in quick on $ExtIF inet proto tcp from any to any flags P

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

#stunnel for mail
#pass in quick on $ExtIF proto tcp from any to 10.100.1.1/32 port = 25
#pass in quick on $ExtIF proto tcp from any to any port = 80

#Allow mail to pass into the box
pass in quick on $ExtIF proto tcp from any to any port = 25 keep state

#Allow web traffic
pass in quick on $ExtIF proto tcp from any to any port = 80 keep state

#Allow US to ssh into the box
pass in quick on $ExtIF proto tcp from $sshHost to any port = 22 keep state
# Allow isakmp
pass in quick on $ExtIF inet proto udp from any to any port = 500
pass in quick on $ExtIF inet proto esp from any to any

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
# ALSO ALLOW isakmp outgoing
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp from any to any port = 500
pass out on $ExtIF inet proto esp from any to any
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
[/code]

Pontus
March 21st, 2003, 13:15
Thank you very much!!

I'll be doing testing all weekend :-)

Regards // Pontus

p-chan
February 2nd, 2004, 22:51
I'm resurrecting this old thread in hopes someone can help me out with a similar problem.

VPN server: Unknown
Client: Nortel Connectivity v4_15.14
NAT/Router: OpenBSD 3.4

It seems to authenticate and then die. I'm guessing that something isn't being NATed right. But don't take my word for it, I'm not completely sure what I'm doing. I'll let tcpdump talk for a bit.

sir_phobos# tcpdump -n -e -ttt -i dc1 host vpn_server_ip
tcpdump: listening on dc1
Feb 02 21:43:43.991123 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 372: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange AGGRESSIVE
cookie: e4af04e4b8e4265c->0000000000000000 msgid: 00000000 len: 330
Feb 02 21:43:44.139995 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 274: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange AGGRESSIVE
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 00000000 len: 232
Feb 02 21:43:44.165569 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 94: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange AGGRESSIVE encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 00000000 len: 52
Feb 02 21:43:44.186807 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 110: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange TRANSACTION encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 9d70f224 len: 68
Feb 02 21:43:44.187506 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 134: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange TRANSACTION encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 9d70f224 len: 92
Feb 02 21:43:45.495921 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 102: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange TRANSACTION encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 9d70f224 len: 60
Feb 02 21:43:45.597736 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 214: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange TRANSACTION encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: d68b2007 len: 172
Feb 02 21:43:45.599846 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 126: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange TRANSACTION encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: d68b2007 len: 84
Feb 02 21:43:45.693463 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 374: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 847646cf len: 332
Feb 02 21:43:45.738477 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 334: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 847646cf len: 292
Feb 02 21:43:45.843091 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 94: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 847646cf len: 52
Feb 02 21:43:49.082213 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 230: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 1 len 196
Feb 02 21:43:49.083499 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 110: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 2 len 76
Feb 02 21:43:49.145999 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 166: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 3 len 132
Feb 02 21:43:49.644586 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 118: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 4 len 84
***** trim out some repetitive crap *****
Feb 02 21:44:08.705558 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 158: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 42 len 124
Feb 02 21:44:09.286176 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 158: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 43 len 124
Feb 02 21:44:09.985359 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 118: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 78552b63 len: 76
Feb 02 21:44:09.986228 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 110: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange INFO encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 569142ea len: 68
Feb 02 21:44:10.207616 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 166: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 44 len 132
Feb 02 21:44:10.207844 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 158: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 45 len 124
Feb 02 21:44:10.398587 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 158: esp 192.168.0.19 > vpn_server_ip spi 0x000BBEC3 seq 46 len 124
Feb 02 21:44:10.590050 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 118: my_external_ip.53054 > vpn_server_ip.500: isakmp v1.0 exchange INFO encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 75353332 len: 76
Feb 02 21:44:10.617703 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 110: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange INFO encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: 9c940edc len: 68
Feb 02 21:44:10.618319 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 70: my_external_ip > vpn_server_ip: icmp: my_external_ip udp port 53054 unreachable
Feb 02 21:44:10.688917 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 118: vpn_server_ip.500 > my_external_ip.53054: isakmp v1.0 exchange INFO encrypted
cookie: e4af04e4b8e4265c->e1d9208998859844 msgid: a0a69ce0 len: 76
Feb 02 21:44:10.689455 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 70: my_external_ip > vpn_server_ip: icmp: my_external_ip udp port 53054 unreachable


Here's my pf.conf. Some of it is pulled from elmore's previous example, I hope he doesn't mind ;)

# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

wifi_if = "wi0"
int_if = "dc0"
dmz_if = "fxp0"
ext_if = "dc1"

priv_net = "192.168.0.0/24"
wifi_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"

# Tables: similar to macros, but more flexible for many addresses.
NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Options: tune the behavior of pf, default values are given.

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.

nat on $ext_if proto {tcp, udp, icmp} from $priv_net to any -> $ext_if/32

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.

rdr pass on $ext_if proto {tcp, udp} from any to $ext_if port 6881:6999 -> 192.168.0.11 port 6881:*

# Filtering: the implicit first two rules are

block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

pass in quick on lo0 all
pass out quick on lo0 all
block in quick on $wifi_if all
block out quick on $wifi_if all
block in quick on $dmz_if all
block out quick on $dmz_if all
pass in quick on $int_if all
pass out quick on $int_if all

# block various nmap shyte
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU

block in log on $ext_if inet all

block in quick inet6 all
block out quick inet6 all

pass in quick on $ext_if inet proto udp from any to any port = 500
pass in quick on $ext_if inet proto esp from any to any
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto {udp, icmp} all keep state

Feel free to point out any other problems/mistakes with my config.

andy

p-chan
February 3rd, 2004, 23:00
For future reference:

The misconfiguration was:
nat on $ext_if proto {tcp, udp, icmp} from $priv_net to any -> $ext_if/32

I'm not NATing the esp packets. Oops, I feel stupid.

Fixed:
nat on $ext_if proto {tcp, udp, icmp, esp} from $priv_net to any -> $ext_if/32

andy
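One way to spot this misconfiguration straight from a capture like the one quoted above, as an added example that is not part of the original thread: the script below parses tcpdump lines in the same `-n -e -ttt` format (constructed sample lines, with 203.0.113.10 standing in for my_external_ip and 198.51.100.5 for vpn_server_ip) and flags ESP packets leaving the external interface with an untranslated RFC 1918 source, plus ICMP port unreachables for the client's IKE source port.

```python
import ipaddress
import re

# Constructed sample lines, modeled on the tcpdump output quoted above
# (tcpdump -n -e -ttt -i dc1). Placeholder addresses: 203.0.113.10 stands in
# for my_external_ip and 198.51.100.5 for vpn_server_ip.
BROKEN_CAPTURE = """\
Feb 02 21:43:43.991123 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 372: 203.0.113.10.53054 > 198.51.100.5.500: isakmp v1.0 exchange AGGRESSIVE
Feb 02 21:43:44.139995 0:1:5c:22:43:42 0:a0:cc:36:cb:d 0800 274: 198.51.100.5.500 > 203.0.113.10.53054: isakmp v1.0 exchange AGGRESSIVE
Feb 02 21:43:49.082213 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 230: esp 192.168.0.19 > 198.51.100.5 spi 0x000BBEC3 seq 1 len 196
Feb 02 21:43:49.083499 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 110: esp 192.168.0.19 > 198.51.100.5 spi 0x000BBEC3 seq 2 len 76
Feb 02 21:44:10.618319 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 70: 203.0.113.10 > 198.51.100.5: icmp: 203.0.113.10 udp port 53054 unreachable
"""

# Same exchange once the nat rule also matches esp (constructed): ESP now
# leaves with the translated source and no port unreachable is generated.
FIXED_CAPTURE = """\
Feb 02 21:43:43.991123 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 372: 203.0.113.10.53054 > 198.51.100.5.500: isakmp v1.0 exchange AGGRESSIVE
Feb 02 21:43:49.082213 0:a0:cc:36:cb:d 0:1:5c:22:43:42 0800 230: esp 203.0.113.10 > 198.51.100.5 spi 0x000BBEC3 seq 1 len 196
"""

ESP_RE = re.compile(r" esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) spi (?P<spi>0x[0-9a-fA-F]+) seq (?P<seq>\d+)")
IKE_OUT_RE = re.compile(r" (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.500: isakmp")
UNREACH_RE = re.compile(r" icmp: (?P<host>[\d.]+) udp port (?P<port>\d+) unreachable")

# The same private ranges the thread's NoRouteIPs macro blocks on $ext_if.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_capture(text):
    """Split the capture into outbound IKE, ESP and ICMP port-unreachable records."""
    ike_out, esp, unreach = [], [], []
    for line in text.splitlines():
        if m := ESP_RE.search(line):
            esp.append((m["src"], m["dst"], m["spi"], int(m["seq"])))
        elif m := UNREACH_RE.search(line):
            unreach.append((m["host"], int(m["port"])))
        elif m := IKE_OUT_RE.search(line):
            ike_out.append((m["src"], int(m["sport"]), m["dst"]))
    return ike_out, esp, unreach


def diagnose(text):
    """Return findings for a capture taken on the NAT gateway's external interface."""
    ike_out, esp, unreach = parse_capture(text)
    findings = []
    # ESP seen on the outside with an RFC 1918 source was never translated,
    # which is exactly what a nat rule whose proto list omits esp produces.
    for src, dst, spi, seq in esp:
        if is_rfc1918(src):
            findings.append(f"untranslated ESP {src} -> {dst} spi {spi} seq {seq}")
    # The gateway answering IKE replies to the client's source port with
    # port unreachable means it holds no NAT state (and no local listener)
    # for that port, so the server's messages never reach the client.
    ike_ports = {sport for _, sport, _ in ike_out}
    for host, port in unreach:
        if port in ike_ports:
            findings.append(f"IKE replies to {host}:{port} rejected with port unreachable")
    return findings


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("fixed", FIXED_CAPTURE)):
        print(name, diagnose(cap) or ["no NAT problems found"])
```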

elmore
February 4th, 2004, 00:16
damn answered your own question before I even got a chance to reply

p-chan
February 4th, 2004, 18:13
Heh, sometimes when you print it out on paper and look at it from another angle the answer becomes very obvious. And chasing down suggestions on Google that lead further and further from the actual problem didn't help either. Seems most people don't specify protocols in their nat rules so they don't run into this problem.

Here's the final pf.conf after I condensed down the overlapping rules and Google suggestions that I didn't end up needing.

# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

#### Macros: define common values, so they can be referenced and changed easily.

wifi_if = "wi0"
int_if = "dc0"
dmz_if = "fxp0"
ext_if = "dc1"

priv_net = "192.168.0.0/24"
wifi_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"

#### Tables: similar to macros, but more flexible for many addresses.

NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

#### Options: tune the behavior of pf, default values are given.

#### Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

scrub in all

#### Queueing: rule-based bandwidth control.

#### Translation: specify how addresses are to be mapped or redirected.

nat on $ext_if proto {tcp, udp, icmp, esp} from $priv_net to any -> $ext_if/32

# rdr bt connections
rdr pass on $ext_if proto {tcp, udp} from any to $ext_if port 6881:6999 -> 192.168.0.11 port 6881:*

#### Filtering: the implicit first two rules are

# Loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Wireless Interface rules
block in quick on $wifi_if all
block out quick on $wifi_if all

# DMZ Interface rules
block in quick on $dmz_if all
block out quick on $dmz_if all

# Internal Interface rules
pass in quick on $int_if all
pass out quick on $int_if all

# External Interface rules

# block non-routable ips
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

# block various nmap shyte
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags P/P

# default block
block in log on $ext_if inet all
block out log on $ext_if inet all

# no inet6 for me
block quick inet6 all

# Let stuff out
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto {udp, icmp, esp} all keep state

andy

suresh
May 23rd, 2005, 08:19
Hopefully you will be able to help me with a similar VPN problem. Contivity VPN client on Windows 2k going through OpenBSD 3.6 PF/NAT

I have three workstations behind the firewall. When I use VPN on one machine to connect to the remote site, I am able to connect fine. When I use the second machine to connect to the remote site using the VPN client, the VPN client fails in the last stage of establishing the connection. It gives me a message "Checking for banner text from x.x.x.x" and then disconnects.

I tried the rulesets from both "elmore" and "p-chan"... Am I missing something, please advise.