Packet Filtering
When a Client Gateway is internet facing, it is typical to have firewall software
running as well. It is important to remember that you must make allowances for
IPSEC Client related traffic.
For example ..
A gateway is configured using our example racoon configuration file. Firewall
rules have been added to allow Clients to communicate with the gateway.
# for pf
pass in proto udp from any to self port 500
pass in proto udp from any to self port 4500
pass in proto esp from any to self
# for ip tables
iptables -A INPUT -j ACCEPT -p udp --dport 500
iptables -A INPUT -j ACCEPT -p udp --dport 4500
iptables -A INPUT -j ACCEPT -p esp
A client connects, authenticates and establishes an IPSEC SA to allow traffic
between 10.99.99.1 and 10.100.100.0/24. When it attempts to ping 10.100.100.1,
it gets no reply. One likely cause is that there is no firewall rule to allow for this
traffic to pass. Rules need to be added which allow the Client address network to
communicate with the private network.
# for pf
pass quick from 10.99.99.0/24 to 10.100.100.0/24
pass quick from 10.100.100.0/24 to 10.99.99.0/24
# for ip tables
iptables -A FORWARD -j ACCEPT -s 10.99.99.0/24 -d 10.100.100.0/24
iptables -A FORWARD -j ACCEPT -s 10.100.100.0/24 -d 10.99.99.0/24
NOTE : These are just example rules to illustrate the point. An actual rule set
could probably be written with much tighter security in mind.
Packet Fragmentation
Some firewalls require special handling for packet fragments. For instance, using
pf or ipf on a BSD Gateway would require special features to be used to handle
packet fragments in certain situations.
For pf, it may be necessary to use the 'scrub all fragment reassemble' option to
handle VPN related traffic.
For ipf, it may be necessary to use the 'keep frags' modifier when specifying
packet filtering rules for VPN related traffic.