Packet Filtering
When a Client Gateway is Internet facing, it is typical to have firewall software running as well. It is important to remember that you must make allowances for IPsec Client related traffic.
For example, suppose a gateway is configured using our example racoon configuration file. Firewall rules must be added to allow clients to communicate with the gateway.
pf example:
pass in proto udp from any to self port 500 pass in proto udp from any to self port 4500 pass in proto esp from any to self |
ip tables example:
iptables -A INPUT -j ACCEPT -p udp --dport 500 iptables -A INPUT -j ACCEPT -p udp --dport 4500 iptables -A INPUT -j ACCEPT -p esp |
When a client connects, it will establish an IPsec SA to allow traffic from itself to the private network. Suppose that a connected client was assigned a private address of 10.99.99.1 and attempts to communicate with the 10.100.100.0/24 network. If the client can transmit packets but receives no response, one likely cause is that the gateway firewall is blocking the traffic. A rule could be added which allows the client address range to communicate with the private network.
pf example:
pass quick from 10.99.99.0/24 to 10.100.100.0/24 pass quick from 10.100.100.0/24 to 10.99.99.0/24 |
ip tables example:
iptables -A FORWARD -j ACCEPT -s 10.99.99.0/24 -d 10.100.100.0/24 iptables -A FORWARD -j ACCEPT -s 10.100.100.0/24 -d 10.99.99.0/24 |
NOTE : These are just example rules to illustrate the point. An actual rule set should be written with much tighter security in mind.
Packet Fragmentation
Some firewalls require special handling for packet fragments. For instance, using pf or ipf on a BSD Gateway would require special features to be used to handle packet fragments in certain situations.
For pf, it may be necessary to use the 'scrub all fragment reassemble' option to handle VPN related traffic.
For ipf, it may be necessary to use the 'keep frags' modifier when specifying packet filtering rules for VPN related traffic.