Novell VPN Client behind OpenBSD Firewall - BSD



Thread: Novell VPN Client behind OpenBSD Firewall

  1. Novell VPN Client behind OpenBSD Firewall

    Hello everyone,

    I have a problem with the Novell BorderManager VPN Client. I can
    connect with Cisco Clients, Checkpoint Clients etc. - no problem.
    So, the Novell Readme says, that the following Ports & Protocols are
    needed:

    - TCP port 353
    - UDP port 353
    - UDP port 2010
    - UDP Port 500
    - UDP Port 4500
    - IP protocol ID 57
    - IP protocol ID 50
    - IP protocol ID 51

    I tried it with many pf.conf's, the last one was this:

    ext_if="xl2"
    int_if="fxp0"

    ext_ip="xxx.xxx.xxx.xxx"
    int_ip="xxx.xxx.xxx.xxx"
    server="xxx.xxx.xxx.xxx"
    client="xxx.xxx.xxx.xxx"
    vpn_proto="proto { tcp, udp, icmp, 50, 51 }"

    set block-policy return

    nat on $ext_if proto { tcp, udp } from $client to $server port = 353 -> $ext_ip port 353
    nat on $ext_if proto udp from $client to $server port = 2010 -> $ext_ip port 2010
    nat on $ext_if proto udp from $client to $server port = 500 -> $ext_ip port 500
    nat on $ext_if proto 57 from $client to $server -> $ext_ip

    nat on $ext_if $vpn_proto from $client to $server -> $ext_ip static-port

    pass in log-all on { $ext_if, $int_if } proto 57 from any to any
    pass in log-all on $int_if $vpn_proto from $client to $server keep state
    pass in log-all on $ext_if $vpn_proto from $server to any keep state


    Any hints? I think it has something to do with protocol 57 (SKIP).

    The Novell Client works fine behind other routers with NAT, even Linux
    iptables.
    The worst case would be to switch back to iptables, but I want to keep
    OpenBSD...

    Has anybody any hints?

    Thanks in advance, Christian


  2. Re: Novell VPN Client behind OpenBSD Firewall

    alt-f4@cschwede.de writes:

    > pass in log-all on { $ext_if, $int_if } proto 57 from any to any
    > pass in log-all on $int_if $vpn_proto from $client to $server keep state
    > pass in log-all on $ext_if $vpn_proto from $server to any keep state


    If what you want is to let proto 57 and $vpn_proto through, you may
    want to try

    pass log-all proto 57 from any to any
    pass log-all $vpn_proto from $client to $server keep state
    pass log-all $vpn_proto from $server to any keep state

    - that is, cut out all except what you are sure you need.

    'in' means 'to the machine which runs pf', while from $foo to $bar
    doesn't guarantee passage to anywhere in particular, it just denotes
    source and destination addresses. With a default deny policy, if $bar is
    on the other side $ext_if, and you only pass on $int_if, the packet will
    only get as far as your pf machine.
    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
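    An added illustration of the directional point made above; this is not part of Peter's reply or of any pf tool. It models pf's default-deny, last-match evaluation for a packet that enters on fxp0 and leaves on xl2, with constructed placeholder addresses, and ignores NAT (in pf the outbound filter on the external interface sees the translated source address, which real rules must account for).

    ```python
    # Constructed names/addresses; the interfaces and macros mirror the posted pf.conf.
    EXT_IF, INT_IF = "xl2", "fxp0"
    CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed example addresses
    VPN_PROTO = {"tcp", "udp", "icmp", 50, 51}      # the thread's $vpn_proto macro

    def rule(action, ifaces=None, direction=None, proto=None, src="any", dst="any"):
        """One pf filter rule; None means 'not restricted', like omitting the keyword."""
        return dict(action=action, ifaces=ifaces, direction=direction,
                    proto=proto, src=src, dst=dst)

    def matches(r, pkt):
        return ((r["ifaces"] is None or pkt["iface"] in r["ifaces"])
                and (r["direction"] is None or r["direction"] == pkt["direction"])
                and (r["proto"] is None or pkt["proto"] in r["proto"])
                and r["src"] in ("any", pkt["src"]) and r["dst"] in ("any", pkt["dst"]))

    def evaluate(rules, pkt):
        """pf semantics without 'quick': block by default, the last matching rule wins."""
        verdict = "block"
        for r in rules:
            if matches(r, pkt):
                verdict = r["action"]
        return verdict

    def forwarded(rules, proto, src, dst):
        """A client->server packet is filtered twice: inbound on fxp0, then outbound
        on xl2. It only reaches the server if both hops pass (NAT is ignored here)."""
        hops = [dict(iface=INT_IF, direction="in", proto=proto, src=src, dst=dst),
                dict(iface=EXT_IF, direction="out", proto=proto, src=src, dst=dst)]
        return all(evaluate(rules, h) == "pass" for h in hops)

    # The original post's filter rules: every rule says 'in', so nothing matches
    # the second, outbound hop on xl2 and the packet stops at the pf box.
    ORIGINAL = [
        rule("pass", {EXT_IF, INT_IF}, "in", {57}),
        rule("pass", {INT_IF}, "in", VPN_PROTO, CLIENT, SERVER),
        rule("pass", {EXT_IF}, "in", VPN_PROTO, SERVER, "any"),
    ]
    # Peter's suggestion: no interface or direction, so the same rules also
    # match when the packet leaves on xl2.
    SUGGESTED = [
        rule("pass", None, None, {57}),
        rule("pass", None, None, VPN_PROTO, CLIENT, SERVER),
        rule("pass", None, None, VPN_PROTO, SERVER, "any"),
    ]

    if __name__ == "__main__":
        for name, rs in (("original", ORIGINAL), ("suggested", SUGGESTED)):
            print(name, "udp client->server forwarded:", forwarded(rs, "udp", CLIENT, SERVER))
    ```
    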

  3. Re: Novell VPN Client behind OpenBSD Firewall

    Thanks Peter for your answer. I'll try your solution, but I even tried
    it with a global pass all - no success at all.
    I read somewhere that the SKIP protocol is not NAT'able - so, if there
    is anyone who successfully runs the BorderManager client behind an
    OpenBSD box, please help me.

    BTW: the pflog shows no blocked packets - so I think it's something
    with NAT. Is there any possibility to connect to the server without
    NAT? For example, redirecting the client to an external IP?

